McAfee has patched two high-severity bugs in its Agent component, one of which can allow attackers to achieve arbitrary code execution with SYSTEM privileges.
McAfee has patched two high-severity vulnerabilities in a component of its McAfee Enterprise product that attackers can use to escalate privileges, including up to SYSTEM.
According to McAfee’s bulletin, the bugs are in versions prior to 5.7.5 of McAfee Agent, which is used in McAfee Endpoint Security, among other McAfee products.
The Agent is the piece of McAfee ePolicy Orchestrator (McAfee ePO) that downloads and enforces policies and executes client-side tasks such as deployment and updating.
The McAfee Agent is also the component that uploads events and provides additional data regarding each system’s status. Periodically collecting and sending event information to the McAfee ePO server, the Agent – which also installs and updates endpoint products – is a required install on any network system that needs to be managed.
OpenSSL Component Bug Can Lead to SYSTEM Privileges
One of the flaws in the Agent – tracked as CVE-2022-0166 and given a CVSS base criticality score of 7.8 – was discovered by Will Dormann of Carnegie Mellon University’s CERT Coordination Center (CERT/CC).
On Thursday, CERT/CC published an advisory stating that the vulnerability is found in an OpenSSL component in Agent that specifies an OPENSSLDIR variable as a subdirectory that “[may] be controllable by an unprivileged user on Windows.”
According to the advisory, McAfee Agent “contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path could be able to achieve arbitrary code execution with SYSTEM privileges.”
Dormann noted that an unprivileged user could exploit the bug to place a specially crafted openssl.cnf in a location used by McAfee Agent and thus potentially be able to execute arbitrary code with SYSTEM privileges on a Windows system that has the vulnerable McAfee Agent software installed.
When Dormann referred to an openssl.cnf, he was talking about an OpenSSL configuration file: a file that provides SSL defaults for items such as certificate file locations, and site details such as those entered during installation.
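A defender can audit for this condition by checking whether the OPENSSLDIR path, or its nearest existing ancestor when the directory is missing, grants write or create rights to broad non-administrative groups. The PowerShell below is an added example, not code from McAfee, CERT/CC or the original article; the function name `Test-LowPrivWritable` and the sample path are hypothetical, and the actual OPENSSLDIR value for a given Agent build is not stated in this article.

```powershell
# Added example: report Allow ACEs that let broad, non-administrative groups
# write to a directory, or create it when it does not exist yet.
function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs for groups that include unprivileged local users.
    $lowPrivSids = @(
        'S-1-1-0',      # Everyone
        'S-1-5-11',     # Authenticated Users
        'S-1-5-32-545', # BUILTIN\Users
        'S-1-5-4'       # INTERACTIVE
    )
    # Rights sufficient to plant or replace a file such as openssl.cnf,
    # or to create the missing directory that would hold it.
    $mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # If the directory is missing, whoever can create it controls its contents,
    # so walk up to the nearest ancestor that exists and audit that instead.
    $probe = $Path
    while ($probe -and -not (Test-Path -LiteralPath $probe -PathType Container)) {
        $probe = Split-Path -Path $probe -Parent
    }
    if (-not $probe) { throw "No existing ancestor found for '$Path'" }

    $acl   = Get-Acl -LiteralPath $probe
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }                       # Deny ACEs are not evaluated
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }    # applies to children only
        if ($lowPrivSids -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $mask) -eq 0) { continue }
        [pscustomobject]@{
            RequestedPath = $Path
            AuditedPath   = $probe
            PathExists    = ($probe -eq $Path)
            Sid           = $rule.IdentityReference.Value
            Rights        = $rule.FileSystemRights
        }
    }
}

# Placeholder path (constructed): substitute the OPENSSLDIR of the build under audit.
Test-LowPrivWritable -Path 'C:\PLACEHOLDER\openssldir' | Format-Table -AutoSize
```

An empty result is not proof of a safe path: the check covers only Allow entries for four well-known groups and does not resolve nested group membership or Deny entries.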
Arbitrary Shell Code
The second bug in the Agent – tracked as CVE-2021-31854 and given a CVSS criticality score of 7.7 – can be exploited by a local user to inject arbitrary shell code into a file, McAfee said in its advisory. “An attacker can exploit the security hole to obtain a reverse shell that allows them to gain root privileges,” according to the company.
The vulnerability, which is still pending investigation by its discoverer – Russell Wells from Cyberlinx Security – is a command-injection vulnerability in McAfee Agent for Windows prior to 5.7.5. McAfee said that it allows local users to inject arbitrary shell code into the file cleanup.exe.
“The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree,” according to McAfee. “An attacker may exploit the vulnerability to obtain a reverse shell which can lead to privilege escalation to obtain root privileges.”
Wells told SecurityWeek that exploiting this bug requires access to the McAfee ePO host, as in, the underlying Windows host, not the application itself.
Elevated Access Lets Threat Actors Run Amok
Exploiting privilege-escalation bugs lets threat actors paw at resources that should normally be locked safely away. Attackers can use those elevated privileges to steal confidential data, run administrative commands, read files from the file system and deploy malware, as well as to potentially evade detection during attacks.
This isn’t the first time that privilege-escalation bugs have turned up in McAfee’s Agent. A couple of months ago, in September, the security firm patched one such bug (CVE-2020-7315) that was discovered by Tenable security researcher Clément Notin.
That earlier bug involved DLL injection in McAfee Agent that could have allowed a local administrator to kill or tamper with the antivirus, without knowing the McAfee password.