CVE-2022-0166
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in McAfee Agent where a low-privileged user can create malicious directories and files that cause arbitrary code to run with SYSTEM privileges. It affects McAfee Agent installations prior to version 5.7.5 on Windows systems. The root cause is improper path handling during the OpenSSL configuration (openssl.cnf) loading process.
💻 Affected Systems
- McAfee Agent
📦 What is this software?
McAfee Agent by McAfee
⚠️ Risk & Real-World Impact
Worst Case
A low-privileged attacker gains full SYSTEM-level control over the affected system, enabling complete compromise, data theft, lateral movement, and persistence.
Likely Case
An authenticated low-privileged user escalates to SYSTEM privileges to install malware, steal credentials, or disable security controls.
If Mitigated
With tight control over which accounts can log on to affected systems and monitoring in place, exploitation is confined to already-authorized low-privileged accounts attempting privilege escalation, and such attempts are more likely to be noticed.
🎯 Exploit Status
Exploitation requires local access and low privileges. The vulnerability is well-documented with public technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.5 and later
Vendor Advisory: https://kc.mcafee.com/corporate/index?page=content&id=SB10378
Restart Required: Yes
Instructions:
1. Download McAfee Agent 5.7.5 or later from the McAfee download site.
2. Deploy the update through ePolicy Orchestrator or install it manually.
3. Restart affected systems after installation.
🔧 Temporary Workarounds
Restrict directory creation permissions
Prevent low-privileged users from creating directories or files in the McAfee Agent installation path (run from an elevated command prompt; no trailing backslash inside the quotes, or cmd treats it as escaping the closing quote):
icacls "C:\Program Files\McAfee\Agent" /deny Users:(OI)(CI)W
Note that Deny entries take precedence over Allow entries and BUILTIN\Users contains Authenticated Users by default, so this also blocks interactive writes by administrator accounts; the agent service itself runs as SYSTEM and is unaffected. Remove the entry with icacls "C:\Program Files\McAfee\Agent" /remove:d Users before a manual upgrade.
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit which users can log into affected systems.
- Monitor for suspicious directory creation activities in McAfee Agent installation paths and for processes running with SYSTEM privileges from unusual user contexts.
🔍 How to Verify
Check if Vulnerable:
Check McAfee Agent version via ePolicy Orchestrator or by examining the installed version in Programs and Features.
Check Version (note: querying Win32_Product makes Windows Installer run a consistency check and possible repair of every installed MSI product, so prefer the Uninstall registry keys on production hosts):
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*McAfee Agent*'} | Select-Object Name, Version
Verify Fix Applied:
Verify McAfee Agent version is 5.7.5 or higher and check that the openssl.cnf file path is properly secured.
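An added example (not from the vendor advisory or this page's author) that combines the version check and the permission check described above in one PowerShell script: it reads the installed product from the Uninstall registry keys instead of Win32_Product, compares the version against 5.7.5, and reports whether Users, Everyone or Authenticated Users hold write-type rights on the Agent directory. The default install path and the DisplayName pattern are assumptions.

```powershell
# Added example: check McAfee Agent version and install-directory ACL for CVE-2022-0166.
# Assumptions: default install path and a DisplayName containing "McAfee Agent".
$FixedVersion = [version]'5.7.5'
$AgentDir     = 'C:\Program Files\McAfee\Agent'   # assumed default path

# Uninstall registry keys (64-bit and 32-bit views) instead of Win32_Product,
# which triggers an MSI consistency check/repair of every installed product.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$agent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*McAfee Agent*' } |
    Select-Object -Property DisplayName, DisplayVersion -First 1

if (-not $agent) {
    Write-Output 'McAfee Agent not found in the Uninstall registry keys.'
    return
}

$installed = [version]$agent.DisplayVersion
$versionVulnerable = $installed -lt $FixedVersion
$state = if ($versionVulnerable) { 'VULNERABLE (below 5.7.5)' } else { 'patched' }
Write-Output ('{0} {1}: {2}' -f $agent.DisplayName, $installed, $state)

# Independent check: can low-privileged principals create directories/files under the Agent path?
# Write-type rights that matter here: Write, CreateDirectories (AppendData), CreateFiles (WriteData).
$writeRights = [int][System.Security.AccessControl.FileSystemRights]'Write, CreateDirectories, CreateFiles'
if (Test-Path -Path $AgentDir) {
    $acl = Get-Acl -Path $AgentDir
    $lowPrivWrite = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '\\Users$|^Everyone$|Authenticated Users$' -and
        (([int]$_.FileSystemRights) -band $writeRights) -ne 0
    }
    if ($lowPrivWrite) {
        Write-Output "Low-privileged principals hold write rights on $AgentDir (workaround not applied):"
        $lowPrivWrite | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
    } else {
        Write-Output "No Allow ACE grants Users/Everyone/Authenticated Users write rights on $AgentDir."
    }
} else {
    Write-Output "Directory $AgentDir not found; adjust `$AgentDir for a non-default install."
}
```

Run it from an elevated PowerShell session so Get-Acl can read the directory's security descriptor; a patched version with write rights still present is not vulnerable to this CVE, but the ACL result is worth keeping for the hardening baseline.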
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing directory creation in McAfee Agent paths by low-privileged users
- Process creation events where low-privileged users spawn processes with SYSTEM privileges
Network Indicators:
- Unusual outbound connections from systems shortly after privilege escalation attempts
SIEM Query (SPL-style; `lowprivilegeduser` is a placeholder for the account under review, and `%%1936` is Token Elevation Type 1, the full token that SYSTEM and service processes receive):
source="windows_security" EventID=4688 SubjectUserName="lowprivilegeduser" TokenElevationType="%%1936"