Posts: 84 +8
In brief: McAfee Agent, a component of the company's ePolicy Orchestrator (ePO), is deployed to client machines to report data, status, and enforce policies. Earlier this week, the company released a security bulletin highlighting two CVEs affecting previous versions of the ePO Agent deployed to support ePO efforts. The company released an updated version of the Agent that effectively remediates the vulnerabilities, both of which received high severity ratings.
The bulletin identified CVE-2021-31854 and CVE-2022-0166, two high severity attack vectors that can leave any asset with McAfee ePO Agents deployed vulnerable to attack. Per the McAfee's guidance, any implementations with Agents earlier than version 5.7.5 deployed should update the Agent or risk further exposure.
The security brief provides a detailed explanation of each CVE and cross-references the exploits against MITRE and National Institute of Standards and Technology (NIST) CVE reports.
- CVE-2021-31854—A command Injection Vulnerability in McAfee Agent (MA) for Windows prior to 5.7.5 allows local users to inject arbitrary shell code into the file cleanup.exe. The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree. An attacker may exploit the vulnerability to obtain a reverse shell which can lead to privilege escalation to obtain root privileges.
- CVE-2022-0166—A privilege escalation vulnerability in the McAfee Agent prior to 5.7.5. McAfee Agent uses openssl.cnf during the build process to specify the OPENSSLDIR variable as a subdirectory within the installation directory. A low privilege user could have created subdirectories and executed arbitrary code with SYSTEM privileges by creating the appropriate pathway to the specifically created malicious openssl.cnf file.
McAfee has made Agent version 5.7.5 available to users and administrators tasked with remediating the vulnerabilities. The bulletin provides users of McAfee endpoint and ePO/server products with specific steps to determine whether or not their ePO and Agent implementation is vulnerable. Once deployed, any client machine with the Agent installed will no longer be susceptible to the identified exploits.
McAfee ePO is an administrative tool used to centralize the management of any endpoints (PCs, printers, other peripherals) on a user's network. It provides administrators with the ability to centrally track and monitor various system data, events, and policies across all eligible endpoints within their environment.
Image credit: Pixelcreatures