McAfee releases security bulletin, fixes bugs that could lead to system-level privileges
In short: McAfee Agent, a component of the company’s ePolicy Orchestrator (ePO), is deployed to client computers to provide data, status, and policy enforcement. Earlier this week, the company released a security bulletin highlighting two CVEs affecting previous versions of the agent. The company has released an updated version of the agent that fixes both vulnerabilities, each of which received a high severity rating.
The bulletin identifies CVE-2021-31854 and CVE-2022-0166 as two high-severity vulnerabilities that can leave any asset with a deployed McAfee ePO Agent open to attack. McAfee recommends that any deployment running agents earlier than 5.7.5 upgrade the agent or risk continued exposure.
The bulletin contains a detailed explanation of each CVE and cross-references the MITRE CVE and National Institute of Standards and Technology (NIST) reports for each.
- CVE-2021-31854 – A command injection vulnerability in McAfee Agent (MA) for Windows prior to version 5.7.5 allows local users to inject arbitrary shell code into the cleanup.exe file. The malicious clean.exe file is placed in the relevant folder and launched using the McAfee Agent deployment feature located in the System Tree. An attacker could use the vulnerability to obtain a reverse shell, which could lead to privilege escalation to root privileges.
- CVE-2022-0166 – A privilege escalation vulnerability in McAfee Agent prior to version 5.7.5. McAfee Agent uses openssl.cnf during the build process to specify the OPENSSLDIR variable as a subdirectory under the installation directory. A low-privileged user could create subdirectories and execute arbitrary code with system privileges by creating the corresponding path and placing a specially crafted malicious openssl.cnf file in it.
McAfee has made agent version 5.7.5 available to users and administrators tasked with remediating the vulnerabilities. The bulletin provides specific steps for users of McAfee endpoint and ePO/server products to determine whether their ePO and agent deployment is vulnerable. Once the updated agent is deployed, client computers running it are no longer affected by these vulnerabilities.
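As an added example (not from the McAfee bulletin or this article), the following PowerShell check reports whether a Windows host runs an agent older than the fixed version 5.7.5 and whether low-privileged principals are allowed to create subdirectories or files under the agent install directory, the precondition CVE-2022-0166 relies on. It assumes the default install path C:\Program Files\McAfee\Agent and reads the version from the agent service binary masvc.exe; both are assumptions to verify against your own deployment.

```powershell
# Added example: checks a host for a McAfee Agent older than 5.7.5 and for
# weak ACLs on the agent install directory. Install path and binary name are
# assumptions (default locations), not values taken from the bulletin.
$FixedVersion = [version]'5.7.5'
$InstallDir   = 'C:\Program Files\McAfee\Agent'   # assumed default install path

function Get-McAfeeAgentVersion {
    param([string]$Dir = $InstallDir)
    $exe = Join-Path $Dir 'masvc.exe'              # assumed agent service binary
    if (-not (Test-Path $exe)) { return $null }
    # FileVersionRaw is already a [version], so it compares numerically
    return (Get-Item $exe).VersionInfo.FileVersionRaw
}

function Test-WeakInstallDirAcl {
    param([string]$Dir = $InstallDir)
    if (-not (Test-Path $Dir)) { return @() }
    $acl = Get-Acl -Path $Dir
    # Low-privileged identities that should never be able to create a
    # subdirectory or file under the install directory
    $lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $writeBits = [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    # Return only Allow entries that grant any write/create right to those identities
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band ([int]$writeBits)) -ne 0
    }
}

function Test-McAfeeAgentExposure {
    $ver  = Get-McAfeeAgentVersion
    $weak = @(Test-WeakInstallDirAcl)
    [pscustomobject]@{
        AgentVersion      = $ver
        AgentFound        = ($null -ne $ver)
        NeedsUpgrade      = ($null -ne $ver) -and ($ver -lt $FixedVersion)
        WeakAclEntries    = $weak.Count
        WeakAclIdentities = ($weak | ForEach-Object { $_.IdentityReference.Value } |
                             Sort-Object -Unique) -join ', '
    }
}

Test-McAfeeAgentExposure | Format-List
```

A NeedsUpgrade of True means the host should receive agent 5.7.5 through the normal ePO deployment path; a non-zero WeakAclEntries count is worth reviewing regardless of version, since it indicates non-administrators can create content under the agent directory.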
McAfee ePO is an administrative tool used to centralize management of endpoints (PCs, printers, and other peripherals) on an organization’s network. It gives administrators the ability to centrally monitor and control system data, events, and policies across all relevant endpoints in their environment.
Image credit: Pixel creatures