CVE-2022-0166 McAfee Agent uses openssl.cnf to specify the OPENSSLDIR as a subdirectory of the installation directory.

McAfee 6.5.5 and earlier versions are affected. McAfee Agent is software that runs under a low-privileged user account (Agent user) and runs under the SYSTEM account when the system is in non-managed mode. McAfee Agent provides a Remote Control function that allows a remote sysadmin to execute commands on the managed system. McAfee Agent can also install software packages, a capability that in this case could be exploited to install a malicious openssl.cnf file.

To exploit this vulnerability, an attacker needs to log into a system as a low-privileged user. Attackers can create a low-privileged user account and log into the system with it. An attacker can then create a malicious openssl.cnf file, place it in the location specified in the openssl.cnf, and log out of the low-privileged user account. An attacker can then reboot the system to trigger a restart of McAfee Agent. When the system restarts and runs McAfee Agent with the same low-privileged user account, the attacker’s malicious openssl.cnf is loaded from the location on the system specified in the openssl.cnf file.

McAfee Product Identification and Affected Versions

Affected products:
McAfee Agent version 6.5.5 and later
McAfee Endpoint Protection for Email Security version 9.8 and later
McAfee Network Agent 6.5 and later

Vulnerability Details

The vulnerability has been assigned the CVE-2022-0166 identifier.

The vulnerability is caused by the default installation of McAfee Agent on the system.
The vulnerability can be exploited only when the low-privileged user account has certain privileges: a low-privileged user must be able to create a file in a specific location.
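
The precondition above (a low-privileged user able to create a file where the agent looks for openssl.cnf) can be audited from the directory ACL. The PowerShell script below is an added example, not code from McAfee or from the original advisory; the $OpenSslDir parameter is a placeholder for the OPENSSLDIR path of the installed build, and the list of trusted SIDs is an assumed allow-list.

```powershell
# Added example (defensive audit). $OpenSslDir is a placeholder: supply the
# OPENSSLDIR path that your installed build actually uses.
param([Parameter(Mandatory)][string]$OpenSslDir)

# Assumed allow-list of principals that may legitimately write there.
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Rights that let a principal plant a file or subdirectory, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$rights      = [System.Security.AccessControl.FileSystemRights]
$plantMask   = [int]($rights::CreateFiles -bor $rights::AppendData) -bor 0x50000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# If OPENSSLDIR does not exist yet, whoever can create it controls its
# contents, so audit the nearest ancestor that does exist.
$target = $OpenSslDir
while ($target -and -not (Test-Path -LiteralPath $target)) {
    $target = Split-Path -Path $target -Parent
}
if (-not $target) { throw "No existing ancestor found for '$OpenSslDir'." }

# Ask for the rules with identities expressed as SIDs (locale independent).
$acl   = Get-Acl -LiteralPath $target
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($ace in $rules) {
    if ($ace.AccessControlType -ne 'Allow') { continue }                     # deny ACEs and the owner are not modelled
    if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }  # ACE does not apply to $target itself
    if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
    if (([int]$ace.FileSystemRights -band $plantMask) -eq 0) { continue }
    [pscustomobject]@{
        AuditedPath = $target
        Sid         = $ace.IdentityReference.Value
        Rights      = $ace.FileSystemRights
        Inherited   = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "Non-allow-listed principals can create files under '$target'."
    $findings | Format-Table -AutoSize
} else {
    Write-Output "Only allow-listed principals can create files under '$target'."
}
```

Any row it reports is an ACE to remove or tighten, so that only administrative principals can create files in that location.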

Timeline

Published on: 01/19/2022 11:15:00 UTC
Last modified on: 01/25/2022 20:12:00 UTC
