McAfee bug can be used to gain Windows SYSTEM privileges

McAfee bug can be used to gain Windows SYSTEM privileges

Short News:-

McAfee has patched two high-severity bugs in its McAfee Agent component. One bug can allow attackers to achieve arbitrary code execution with SYSTEM privileges. 

McAfee ePolicy Orchestrator (McAfee ePO) is the piece that enforces policies and executes client-side tasks. One bug can be exploited by a local user to inject arbitrary shellcode into a file. The other is a command injection vulnerability that allows attackers to gain access to the underlying Windows host.

Detailed News:-

An attacker could gain SYSTEM privileges by exploiting a high-severity bug in McAfee's Agent component, which has been patched.

In a component of McAfee Enterprise, McAfee has patched two high-severity vulnerabilities that can be exploited by attackers, including up to system level.

This bug affects versions of McAfee Agent prior to 5.7.5, which is used in McAfee Endpoint Security and other products from the McAfee family.

Client-side tasks such as deployment and updating are performed by the Agent, a component of McAfee ePolicy Orchestrator (McAfee ePO).

As well as uploading events, the McAfee Agent provides additional data on the health of each system. The McAfee ePO server requires the installation of the Agent, which periodically collects and sends event information to the McAfee ePO server and also installs and updates endpoint products.

System privileges can be gained by exploiting a bug in the OpenSSL Component.

Will Dormann of Carnegie Mellon University's CERT Coordination Center (CERT/CC) discovered one of the flaws in the Agent (CVE-2022-0166 and a CVSS base criticality rating of 7.8).

OpenSSL component in Agent specifies an OPENSSLDIR variable as a subdirectory that "[may] be controllable by an unprivileged user on Windows," according to a CERT/CC advisory released on Thursday.

Using this OpenSSL component, the McAfee Agent is said to contain a privileged service. To gain SYSTEM privileges, an attacker must be able to place a specially crafted openssl.cnf file in a specific location."

To gain SYSTEM privileges on a Windows system with vulnerable McAfee Agent software installed, Dormann discovered that an unprivileged user could exploit the bug to place a specially crafted openssl.cnf file.

An openssl.cnf configuration file is a file that provides SSL defaults for things like the location of certificate files and the site details entered during the installation of OpenSSL.

Shell Code That Is Unknown

Second, McAfee has issued an advisory about the CVE-2021-31854 bug, which can be used by a local user to inject arbitrary shellcode into a file. An attacker can obtain a reverse shell and thus root privileges by exploiting the security hole, according to the company.

Command-injection vulnerability in McAfee Agent for Windows prior to 5.7.5 is still awaiting analysis by the vulnerability's discoverer, Cyberlinx Security's Russell Wells. In a blog post, McAfee stated that the file cleanup.exe allows local users to inject arbitrary shellcode.

It is reported that the malicious clean.exe file has been placed in the relevant folder and is executed by running the McAfee Agent deployment feature located in the System Tree. In order to gain root privileges, an attacker could use the vulnerability to obtain a reverse shell.

According to Wells, the vulnerability can only be exploited if an attacker has access to the underlying Windows host, not the McAfee EPO application itself.

It Allows the Threat Actors to Run Amok with Elevated Access

When threat actors take advantage of privilege-escalation bugs, they can access resources that should be kept secure. Those elevated privileges can be used by attackers to steal confidential data, run administrative commands, read files from the file system, and deploy malware, as well as to potentially evade detection in an attack.

This isn't the first time that McAfee's Agent has been plagued by privilege-escalation bugs. Tenable security researcher Clément Notin discovered one of these bugs (CVE-2020-7315) and reported it to the security firm in September of last year.

Previously, a McAfee Agent DLL injection bug allowed a local administrator to kill or tamper with the antivirus, even without knowing the McAfee password.