McAfee has recently patched two high-severity security bugs in its ePO agent component, one of which can allow attackers to achieve arbitrary code execution with SYSTEM privileges.
The Agent is the piece of McAfee ePolicy Orchestrator (McAfee ePO) that downloads and enforces policies and executes client-side tasks such as deployment and updating.
A command injection vulnerability in McAfee Agent (MA) for Windows prior to 5.7.5 allows local users to inject arbitrary shell code into the file cleanup.exe. The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree. An attacker may exploit the vulnerability to obtain a reverse shell, which can lead to privilege escalation to obtain root privileges.
By placing a specially-crafted openssl.cnf in a location used by McAfee Agent, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable McAfee Agent software installed.
This flaw is a privilege escalation vulnerability in the McAfee Agent prior to 5.7.5. McAfee Agent uses openssl.cnf during the build process to specify the OPENSSLDIR variable as a subdirectory within the installation directory. A low-privilege user could have created subdirectories and executed arbitrary code with SYSTEM privileges by creating the appropriate path to the specially crafted malicious openssl.cnf file.
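One way to audit a host for the condition described above, written as an added example that is not McAfee's code: it finds the first existing ancestor of an OPENSSLDIR path and reports whether its ACL lets low-privileged principals create subdirectories or files there. The path is a placeholder because the page does not state the real directory, and the set of SIDs treated as low-privileged is an assumption.

```powershell
# Added example: can a low-privileged user build the directory chain that
# leads to an OpenSSL configuration directory (OPENSSLDIR)?
# $OpenSslDir is a PLACEHOLDER; the page does not give the real path.
param(
    [string]$OpenSslDir = 'C:\PLACEHOLDER\openssl-dir'
)

# SIDs treated as low-privileged for this audit (assumption):
# Everyone, Authenticated Users, BUILTIN\Users.
$LowPriv = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Rights that allow planting a subdirectory or a file in a directory.
$Risky = [System.Security.AccessControl.FileSystemRights]'CreateDirectories, CreateFiles'

function Get-FirstExistingAncestor([string]$Path) {
    # Walk upward until a directory that actually exists is found.
    while ($Path -and -not (Test-Path -LiteralPath $Path -PathType Container)) {
        $Path = Split-Path -Path $Path -Parent
    }
    return $Path
}

function Test-LowPrivCanCreate([string]$Dir) {
    $acl   = Get-Acl -LiteralPath $Dir
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        # Inherit-only entries apply to children, not to $Dir itself.
        $inheritOnly = [int]($r.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
        if ($inheritOnly -or $r.AccessControlType -ne 'Allow') { continue }
        if ($LowPriv -contains $r.IdentityReference.Value -and
            [int]($r.FileSystemRights -band $Risky) -ne 0) {
            return $true   # Deny entries are not evaluated; treat as a lead to review.
        }
    }
    return $false
}

$anchor = Get-FirstExistingAncestor $OpenSslDir
if (-not $anchor) {
    Write-Output "No existing ancestor found for $OpenSslDir"
} elseif (Test-LowPrivCanCreate $anchor) {
    Write-Output "AT RISK: low-privileged users can create entries under $anchor"
} else {
    Write-Output "OK: $anchor grants no create rights to low-privileged users"
}
```

An "AT RISK" result on an agent older than 5.7.5 means the host should be prioritized for the update; the check only reads ACLs and changes nothing.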
Exploiting privilege-escalation bugs lets bad actors paw at information assets that should normally be locked safely away. Hackers can use these elevated privileges to steal confidential data, run administrative commands, read files from the file system and deploy malware, as well as to potentially evade detection during attacks.
To remediate this issue, customers should update the McAfee Agent to the MA 5.7.5 release.