McAfee has released a security update for its McAfee Agent for Windows that fixes 2 High risk vulnerabilities.
An attacker could exploit these vulnerabilities to take control of an unpatched system.
The McAfee Agent vulnerabilities consist of a command injection flaw (CVE-2021-31854) and privileged escalation issue (CVE-2022-0166).
The McAfee Agent command injection vulnerability CVE-2021-31854 allows local users to inject arbitrary shell code into the file cleanup.exe.
“The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree. An attacker may exploit the vulnerability to obtain a reverse shell which can lead to privilege escalation to obtain root privileges,” Microsoft stated in the advisory.
The CVSS base score of CVE-2021-31854 is rated 7.7 and High severity.
In addition, a privilege escalation vulnerability (CVE-2022-0166) in the McAfee Agent uses openssl.cnf during the build process to specify the OPENSSLDIR variable as a subdirectory within the installation directory.
“A low privilege user could have created subdirectories and executed arbitrary code with SYSTEM privileges by creating the appropriate pathway to the specifically created malicious openssl.cnf file,” McAfee noted.
The CVSS base score of CVE-2021-0166 is rated 7.8 and High severity.
Each of the issues affects McAfee Agent for Windows prior to 5.7.5. To remediate each of these issues, users should upgrades to the McAfee Agent 5.7.5 release.