CVE-2022-1823
📋 TL;DR
An improper privilege management vulnerability in the McAfee Consumer Product Removal Tool (MCPR) prior to version 10.4.128 allows a local, already authenticated user to tamper with a configuration file the tool reads, because the tool does not check that file's integrity. The result is a living-off-the-land (LOLBin) attack: the legitimate, elevated removal tool is tricked into launching attacker-controlled code, so an ordinary or compromised user account ends up executing arbitrary code with elevated permissions.
💻 Affected Systems
- McAfee Consumer Product Removal Tool (MCPR), versions prior to 10.4.128, on Windows
📦 What is this software?
MCPR is McAfee's standalone cleanup utility (MCPR.exe) for removing McAfee consumer products such as LiveSafe and Total Protection from a Windows PC when the normal uninstaller fails. It is downloaded and run on demand rather than installed, and it needs administrative rights to do its job, which is what makes a tampered configuration file worth an attacker's effort.
⚠️ Risk & Real-World Impact
Worst Case
A local attacker with any user account gains SYSTEM-level privileges on the Windows host, installs persistent malware, dumps credentials, and pivots to other systems.
Likely Case
Malicious insider or compromised user account escalates privileges to install additional malware or maintain persistence.
If Mitigated
With the fixed version in use, stale copies of the tool deleted, and the configuration file writable only by administrators, the attacker stays confined to the original user context. File integrity monitoring does not stop the attack on its own, but it makes the tampering visible.
🎯 Exploit Status
Requires local user access. Exploitation is simple file manipulation: alter the configuration file so that the tool, when next run with elevated permissions, launches an attacker-chosen program (the LOLBin step).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.4.128 or later
Vendor Advisory: https://service.mcafee.com/?articleId=TS103318&page=shell&shell=article-view
Restart Required: No
Instructions:
1. Download the latest McAfee Consumer Product Removal Tool (MCPR.exe) from the official McAfee site.
2. Run the updated tool. It is a standalone executable, not an in-place update, so delete any older saved copies so they cannot be run again.
3. Verify that the file version is 10.4.128 or higher.
🔧 Temporary Workarounds
Remove stale copies of the tool
(Windows) MCPR is distributed as a standalone executable (MCPR.exe) rather than an installed program, so it normally has no entry under Programs and Features. Delete saved copies older than 10.4.128 from Downloads, Desktop and shared folders. If an entry does appear in Programs and Features, uninstall it there:
Control Panel > Programs > Uninstall a program > Select McAfee Consumer Product Removal Tool > Uninstall
Restrict configuration file permissions
(Windows) Set restrictive ACLs on the configuration file the tool reads so that standard users cannot modify it. The vendor advisory does not publish the file's location; the path below is illustrative and must be replaced with the real one for your copy of the tool. Note that a deny entry for Users also hits administrators, who are normally members of Users; granting Users read and execute only (icacls /grant:r) is usually the better shape than adding a deny entry.
icacls "C:\Program Files\McAfee\MCPR\config.xml" /deny Users:(W)
🧯 If You Can't Patch
- Implement file integrity monitoring on the directories holding the removal tool and its configuration file; this detects tampering after the fact but does not prevent it
- Apply least privilege: standard users must not have write access to the tool's directory or to the configuration file it reads, and the tool should only be run by an administrator from a freshly downloaded copy
🔍 How to Verify
Check if Vulnerable:
Any saved copy of MCPR.exe with a file version below 10.4.128 is vulnerable when run. Because the tool is a standalone download, check every copy users have kept, not just one install location.
Check Version:
Right-click MCPR.exe > Properties > Details, or read the file's VersionInfo with PowerShell. The registry value HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\MCPR\Version is not documented in the vendor advisory and may not exist on every system; use it only as a secondary check.
Verify Fix Applied:
Confirm that every remaining copy reports version 10.4.128 or higher after downloading the current tool, and that older copies have been deleted.
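The version check above, as an added PowerShell example that is not part of the original page or of McAfee's tooling. It assumes the search roots listed in the script, the MCPR*.exe file name pattern, and that the registry value named on this page may or may not exist; everything else is standard PowerShell 5.1 and later.

```powershell
# Added example (not from the vendor advisory): find saved copies of MCPR.exe
# and compare their file version with the fixed version 10.4.128.
# Assumptions: the search roots below, the 'MCPR*.exe' name pattern, and the
# registry value used as a secondary check.
$FixedVersion = [version]'10.4.128'

function Test-McprCopy {
    param([Parameter(Mandatory)][string]$Path)
    $raw    = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    $parsed = $null
    # FileVersion is a free-form string; keep only digits and dots before parsing.
    if (-not [version]::TryParse(($raw -replace '[^\d.]', ''), [ref]$parsed)) {
        return [pscustomobject]@{ Path = $Path; Version = $raw; Vulnerable = 'unknown' }
    }
    [pscustomobject]@{
        Path       = $Path
        Version    = $parsed
        Vulnerable = ($parsed -lt $FixedVersion)   # $true for anything below 10.4.128
    }
}

# A standalone download ends up wherever the user saved it; extend this list
# with shared folders or software repositories in your environment.
$SearchRoots = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC",
    "$env:TEMP"
)

$copies = foreach ($root in $SearchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'MCPR*.exe' -ErrorAction SilentlyContinue
    }
}

if (-not $copies) {
    Write-Output 'No MCPR.exe copies found under the searched roots.'
} else {
    $copies | ForEach-Object { Test-McprCopy -Path $_.FullName } | Format-Table -AutoSize
}

# Secondary check: the registry value mentioned on this page, if it exists at all.
$reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\McAfee\MCPR' -Name Version -ErrorAction SilentlyContinue
if ($reg) { Write-Output "Registry reports MCPR version $($reg.Version)" }
```

The comparison is done on [version] objects rather than strings so that 10.4.128.0 sorts above 10.4.127.0 and below 10.4.130.0 as expected; a string comparison would get 10.4.9 and 10.4.128 the wrong way round. Run it as the user whose profile you want searched, or point `$SearchRoots` at every profile under C:\Users when running as an administrator.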
📡 Detection & Monitoring
Log Indicators:
- Modification of the MCPR configuration file by a non-administrative account, or by any process other than the tool itself (file integrity monitoring or object access auditing on that file)
- Child processes of MCPR.exe whose image lives in a user-writable location (user profile, Temp, ProgramData) or that is a shell or script host such as cmd.exe, powershell.exe, wscript.exe or mshta.exe
Network Indicators:
- Outbound connections originating from a process spawned by MCPR.exe (post-exploitation activity; the vulnerability itself is local and has no network signature of its own)
SIEM Query:
Process creation events (Sysmon Event ID 1 or Windows Security Event ID 4688) where the parent image ends with mcpr.exe AND (the child image is under a user-writable path OR the child image is a shell or script host)
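The SIEM logic above, as an added PowerShell example that is not from the original page or from McAfee, run over constructed Sysmon Event ID 1-style records. The user-writable path markers, the script-host list and the sample events are assumptions chosen to illustrate the indicator, not observed data.

```powershell
# Added example (not from the vendor advisory): detection logic for the
# "suspicious child process of MCPR" indicator, run over constructed
# Sysmon Event ID 1-style records. The path markers, the script-host list
# and the sample events below are assumptions for illustration.
$UserWritableMarkers = @('\Users\', '\Temp\', '\ProgramData\', '\AppData\')
$ScriptHosts = '\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$'

function Test-SuspiciousMcprChild {
    param([Parameter(Mandatory)]$Record)
    # Only children of the removal tool are in scope (-match is case-insensitive).
    if ($Record.ParentImage -notmatch '\\mcpr[^\\]*\.exe$') { return $false }
    # An elevated removal tool launching a binary from a user-writable path is the
    # shape of the LOLBin abuse: the tampered config pointed it at a planted file.
    foreach ($marker in $UserWritableMarkers) {
        if ($Record.Image -like "*$marker*") { return $true }
    }
    # Shells and script hosts are suspicious children regardless of location.
    return [bool]($Record.Image -match $ScriptHosts)
}

# Constructed sample records (not real logs).
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2022-05-23T10:01:12Z'; ParentImage = 'C:\Users\alice\Downloads\MCPR.exe'; Image = 'C:\Windows\System32\msiexec.exe'; CommandLine = 'msiexec /x {product}'; User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ UtcTime = '2022-05-23T10:01:15Z'; ParentImage = 'C:\Users\alice\Downloads\MCPR.exe'; Image = 'C:\Users\alice\AppData\Local\Temp\cleanup.exe'; CommandLine = 'cleanup.exe'; User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ UtcTime = '2022-05-23T10:01:16Z'; ParentImage = 'C:\Users\alice\Downloads\MCPR.exe'; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd /c whoami'; User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ UtcTime = '2022-05-23T10:02:00Z'; ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Users\alice\AppData\Local\Temp\cleanup.exe'; CommandLine = 'cleanup.exe'; User = 'HOST\alice' }
)

$SampleEvents | Where-Object { Test-SuspiciousMcprChild -Record $_ } |
    Select-Object UtcTime, ParentImage, Image, CommandLine, User |
    Format-Table -AutoSize
```

On the constructed records the Temp\cleanup.exe and cmd.exe children of MCPR.exe are flagged, while the msiexec.exe child (a system binary in System32) and the explorer-launched process (wrong parent) are not. To run the same logic on real data, replace `$SampleEvents` with records built from `Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }`, mapping the event's Image and ParentImage fields onto the same property names; which system binaries MCPR legitimately spawns is not stated in the advisory, so tune the allowlist from a baseline run of the fixed version rather than from this example.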