McAfee (now known as Trellix) has fixed two high-severity bugs in McAfee Agent software for Windows that allowed malicious actors to escalate privileges and execute arbitrary code with SYSTEM privileges.
Earlier this week, the firm released a security advisory covering two vulnerabilities, tracked as CVE-2022-0166 and CVE-2021-31854, that impact previous versions of the McAfee ePolicy Orchestrator (ePO). The company released an updated version of the Agent that remediates both vulnerabilities, each of which received a high severity rating.
McAfee Agent is a client-side feature of McAfee ePolicy Orchestrator (McAfee ePO) that downloads and enforces endpoint policies and deploys antivirus signatures, upgrades, patches, and new products on enterprise endpoints.
The bug tracked as CVE-2021-31854 is a command injection flaw in McAfee Agent (MA) for Windows prior to 5.7.5 that allows threat actors to inject arbitrary shellcode into the file cleanup.exe. The malicious cleanup.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree. An attacker may exploit the vulnerability to obtain a reverse shell, which can lead to privilege escalation to obtain root privileges.
The second bug, tracked as CVE-2022-0166, is a privilege escalation vulnerability in McAfee Agent prior to 5.7.5. The McAfee Agent build process uses openssl.cnf and sets the OPENSSLDIR variable (the directory in which OpenSSL looks for its openssl.cnf configuration file) to a subdirectory within the installation directory. A low-privilege user could create the missing subdirectories along that path, place a specially crafted malicious openssl.cnf there, and have it loaded to execute arbitrary code with SYSTEM privileges.
“By placing a specially-crafted openssl.cnf in a location used by McAfee Agent, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable McAfee Agent software installed,” reads the advisory published by CERT/CC researchers.
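The root cause described above is a configuration directory that a standard user can create before the privileged agent reads it. The following audit script is an added example, not code from McAfee, Trellix or CERT/CC; it walks from an assumed OPENSSLDIR path (the placeholder below must be replaced with the value compiled into the installed agent) up to the nearest existing directory and reports whether unprivileged principals hold create or write rights there.

```powershell
# Added example: check whether a low-privilege user could plant the OPENSSLDIR
# path that McAfee Agent (< 5.7.5) resolves openssl.cnf from.
# The default path is a PLACEHOLDER assumption, not a value from the advisory.
param(
    [string]$OpenSslDir = 'C:\Program Files\McAfee\Agent\PLACEHOLDER_OPENSSLDIR'
)

# Principals that stand for unprivileged users on a typical Windows host.
$LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal create or replace files and directories.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteRights = $R::CreateDirectories -bor $R::CreateFiles -bor $R::WriteData -bor
               $R::Write -bor $R::Modify -bor $R::FullControl

# Walk upward until a directory exists: that is where the missing
# components of the path would have to be created.
$probe = $OpenSslDir
while (-not (Test-Path -LiteralPath $probe -PathType Container)) {
    $parent = Split-Path -Path $probe -Parent
    if ([string]::IsNullOrEmpty($parent) -or $parent -eq $probe) { break }
    $probe = $parent
}

$acl = Get-Acl -LiteralPath $probe
$findings = foreach ($ace in $acl.Access) {
    $isLowPriv   = $LowPrivPrincipals -contains $ace.IdentityReference.Value
    $grantsWrite = ($ace.FileSystemRights -band $WriteRights) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and $isLowPriv -and $grantsWrite) {
        [pscustomobject]@{
            Path      = $probe
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
}

$cnf = Join-Path $OpenSslDir 'openssl.cnf'
if ($findings) {
    Write-Warning "Unprivileged principals can create content under '$probe'; an openssl.cnf planted at '$cnf' would be loaded by the agent."
    $findings | Format-Table -AutoSize
} elseif (Test-Path -LiteralPath $cnf) {
    Write-Output "openssl.cnf already exists at '$cnf'; verify its owner and ACL:"
    Get-Acl -LiteralPath $cnf | Format-List Owner, AccessToString
} else {
    Write-Output "No low-privilege write access to '$probe'; standard users cannot plant the OPENSSLDIR path."
}
```

A clean result here does not replace upgrading to Agent 5.7.5 or later; it only confirms that the planted-directory precondition is not currently present on that host.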
This is not the first instance wherein security researchers have uncovered flaws while examining McAfee's Windows security products. Last year in September, the company addressed another McAfee Agent privilege escalation bug (CVE-2020-7315) identified by Tenable security researcher Clément Notin that allowed local users to execute arbitrary code and kill the antivirus.
Earlier in 2020, McAfee patched a security vulnerability impacting all editions of its Antivirus software for Windows (i.e., Total Protection, Anti-Virus Plus, and Internet Security) and allowing malicious attackers to escalate privileges and execute code with SYSTEM account authority.