Summary

Critical vulnerabilities in the McAfee Windows Agent have been reported to McAfee; they can lead to Remote Code Execution and Privilege Escalation. The flaws stem from improper privilege management and improper control of code generation. McAfee Windows Agent is a security agent for Windows systems.

 

Vulnerabilities discovered:

CVE-2021-31854
A command injection vulnerability in McAfee Agent (MA) for Windows prior to 5.7.5 allows local users to inject arbitrary shell code into the file cleanup.exe. The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree. An attacker may exploit the vulnerability to obtain a reverse shell, which can lead to privilege escalation to obtain root privileges.

CVE-2022-0166
A privilege escalation vulnerability in the McAfee Agent prior to 5.7.5 affects all supported operating systems. McAfee Agent uses openssl.cnf during the build process to specify the OPENSSLDIR variable as a subdirectory within the installation directory. A low-privilege user could have created subdirectories and executed arbitrary code with SYSTEM privileges by creating the appropriate path to a specially created malicious openssl.cnf file.
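The condition behind CVE-2022-0166 can be audited from the defender's side. The script below is an added example, not McAfee's code or part of the vendor bulletin: it finds the deepest existing directory on the way to an OpenSSL configuration directory and lists non-administrative principals that may create files or folders there. The path `C:\PLACEHOLDER\agent\openssl` and the parameter name `OpenSslDir` are assumptions; substitute the agent's real OPENSSLDIR.

```powershell
# Added example (not vendor code). Reports which non-administrative principals
# can create files or folders at the deepest existing directory on the way to
# an OpenSSL configuration directory.
param(
    # Placeholder path (assumption): replace with the agent's real OPENSSLDIR.
    [string]$OpenSslDir = 'C:\PLACEHOLDER\agent\openssl'
)

# Principals expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# CreateFiles | CreateDirectories, plus the raw GENERIC_WRITE and GENERIC_ALL
# bits, which Get-Acl can return unmapped.
$writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

# Walk up until a directory that exists is found; everything below it is
# missing and could be created by whoever has create rights at that point.
$dir = $OpenSslDir
$missing = @()
while ($dir -and -not (Test-Path -LiteralPath $dir -PathType Container)) {
    $missing += $dir
    $dir = Split-Path -Path $dir -Parent
}
if (-not $dir) { throw "No existing ancestor found for $OpenSslDir" }

$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Keep Allow entries that apply to the directory itself, grant a create/write
# right, and belong to a principal outside the trusted list.
(Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        -not ($_.PropagationFlags -band $inheritOnly) -and
        ([int]$_.FileSystemRights -band $writeMask) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Directory    = $dir
            MissingBelow = $missing.Count
            Sid          = $_.IdentityReference.Value
            Rights       = $_.FileSystemRights
        }
    }
```

A row for a broad group such as Users or Authenticated Users, together with a non-zero `MissingBelow`, means a low-privilege account could create the missing folders, which is the precondition described for CVE-2022-0166.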

On successful exploitation of the vulnerabilities, an attacker can perform Remote Code Execution in the context of the McAfee Windows Agent. Depending on the privileges associated with the Agent, the attacker could view, modify or delete data. If the application is configured with fewer privileges, exploitation of the most severe vulnerabilities will have less impact than if it were configured with administrative privileges. The attacker can also disable the security features of the compromised system and widen the attack surface.

Recommendation:

Update McAfee Windows Agent to the latest version, 5.7.5, after testing.

References:

https://kc.mcafee.com/corporate/index?page=content&id=SB10378