McAfee Agent bug exploited to gain Windows SYSTEM privileges


McAfee addressed a high-severity security flaw in its McAfee Agent software for Windows that lets attackers run arbitrary code with SYSTEM privileges.

The vulnerability, tracked as CVE-2022-0166, resides in McAfee Agent software for Windows; a threat actor could exploit it to escalate privileges and execute arbitrary code with SYSTEM privileges.

The McAfee Agent is the distributed component of McAfee ePolicy Orchestrator (McAfee ePO). It downloads and enforces policies, and executes client-side tasks such as deployment and updating. The Agent also uploads events and provides additional data regarding each system’s status. It has to be installed on each system in the network that needs to be managed.

The CVE-2022-0166 flaw was discovered by CERT/CC vulnerability analyst Will Dormann.

The issue affects Agent versions prior to 5.7.5 and allows unprivileged attackers to run code using NT AUTHORITY\SYSTEM account privileges.

An unprivileged user can place a specially-crafted openssl.cnf in a location used by McAfee Agent, to execute arbitrary code with SYSTEM privileges on a Windows system running a vulnerable version of the agent software.
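For defenders, the condition described above comes down to a directory ACL that lets non-administrators create files where a SYSTEM service reads its configuration. The following PowerShell audit is an added example, not McAfee or CERT/CC code; the function name and the `$ConfigDir` value are assumptions, since the article does not name the directory the agent reads openssl.cnf from.

```powershell
# Added example. $ConfigDir is a placeholder supplied by the auditor; the
# article does not say which directory the agent loads openssl.cnf from.
function Get-UnprivilegedWriteAce {
    param([Parameter(Mandatory)][string]$ConfigDir)

    # If the directory does not exist, audit the nearest existing ancestor:
    # its ACL decides who may create the missing part of the path.
    $path = $ConfigDir
    while ($path -and -not (Test-Path -LiteralPath $path)) {
        $path = Split-Path -Path $path -Parent
    }
    if (-not $path) { throw "No existing ancestor of $ConfigDir found" }

    # Well-known SIDs expected to hold write access (locale independent).
    $trusted = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )

    # WriteData == CreateFiles and AppendData == CreateDirectories on a folder.
    $rights    = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]$rights::WriteData -bor [int]$rights::AppendData
    $inhOnly   = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            # Inherit-only ACEs apply to children, not to this directory.
            (([int]$_.PropagationFlags -band $inhOnly) -eq 0) -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object {
            [pscustomobject]@{
                AuditedPath = $path
                Sid         = $_.IdentityReference.Value
                Rights      = $_.FileSystemRights
            }
        }
}

# Usage (placeholder path): Get-UnprivilegedWriteAce -ConfigDir 'X:\path\used\by\agent'
```

Any row returned is a principal outside the trusted set that can create files or folders at the audited path; an empty result means only SYSTEM, Administrators and TrustedInstaller hold that right there.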

The security firm addressed the vulnerability by releasing McAfee Agent 5.7.5 on January 18.

The vulnerability is only exploitable locally, but experts warn that this issue could be chained with other issues to compromise the target system and elevate permissions to carry out additional malicious activities.

A command injection vulnerability in the Agent software for Windows prior to 5.7.5, tracked as CVE-2021-31854, was also addressed. An attacker could exploit this vulnerability to inject arbitrary shell code into the file cleanup.exe.

