November 30, 2023

Two vulnerabilities have been found in the McAfee endpoint Agent version prior to 5.7.5. CVE-2021-31854 and CVE-2022-0166 comes haunting the endpoint devices could indulge in privilege escalation and executing Arbitrary code with higher privileges.

First vulnerability is CVE-2021-31854 with CVSS score of 7.7 and high rating. A command Injection Vulnerability in McAfee Agent (MA) for Windows prior to 5.7.5 allows local users to inject arbitrary shell code into the file cleanup.exe. The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree. An attacker may exploit the vulnerability to obtain a reverse shell which can lead to privilege escalation to obtain root privileges.


Second vulnerability is CVE-2022-0166 with CVSS score of 7.8 and high rating A privilege escalation vulnerability in the McAfee Agent prior to 5.7.5. McAfee Agent uses openssl.cnf during the build process to specify the OPENSSLDIR variable as a subdirectory within the installation directory. A low privilege user could have created subdirectories and executed arbitrary code with SYSTEM privileges by creating the appropriate pathway to the specifically created malicious openssl.cnf file.

Once after the successful exploitation, threat actors could persistently execute malicious payloads and potentially evade detection during attacks. Only good news is this can be exploited locally. Later in the future stages threat actors commonly after infiltrating the target machine to elevate permissions for gaining persistence and further compromising the system.

McAfee worked on these vulnerabilities and remediated it with releasing the hotfixes.

Leave a Reply

%d bloggers like this: