CVE-2022-29594
📋 TL;DR
CVE-2022-29594 is a privilege escalation vulnerability in eG Agent versions before 7.2 due to weak file permissions. This allows local attackers to gain SYSTEM-level privileges on Windows systems. Organizations using vulnerable eG Agent versions for monitoring are affected.
💻 Affected Systems
- eG Agent
📦 What is this software?
- eG Agent by eG Innovations
- eG Manager by eG Innovations
- eG RUM Collectors by eG Innovations
- VM Agent by eG Innovations
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, enabling complete control over the Windows host, installation of malware, credential theft, and lateral movement.
Likely Case
Local privilege escalation leading to persistence, data exfiltration, or disabling security controls on affected systems.
If Mitigated
Limited impact if proper access controls and least privilege principles are enforced, though SYSTEM access remains possible.
🎯 Exploit Status
Exploitation requires local access to the system. The vulnerability is well-documented with technical details available in public disclosures.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.2 and later
Vendor Advisory: https://www.eginnovations.com/
Restart Required: Yes
Instructions:
1. Download eG Agent version 7.2 or later from the official vendor website.
2. Stop the eG Agent service.
3. Install the updated version.
4. Restart the system to ensure all changes take effect.
🔧 Temporary Workarounds
Restrict File Permissions
Manually adjust file permissions on eG Agent directories to restrict write access to authorized users only.
icacls "C:\Program Files\eG Innovations\eG Agent" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /T
Service Account Hardening
Run eG Agent with a dedicated service account with minimal privileges instead of SYSTEM.
sc config "eG Agent" obj= "DOMAIN\ServiceAccount" password= "<service-account-password>"
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized local access to systems running eG Agent.
- Monitor for suspicious activity related to eG Agent processes and file modifications in SYSTEM directories.
🔍 How to Verify
Check if Vulnerable:
Check eG Agent version: Open eG Manager or check installation directory properties. Versions below 7.2 are vulnerable.
Check Version:
wmic product where "name like 'eG Agent%'" get version
Verify Fix Applied:
Verify that the installed version is 7.2 or higher and check file permissions on eG Agent directories using the icacls command.
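As an added verification script (not from this advisory or the vendor), the PowerShell below checks the two conditions above on a host: whether the installed eG Agent version is below 7.2, and whether any low-privilege principal holds write-class rights on files under the agent directory, which is the weak-permission condition this CVE describes. The install path and the 'eG Agent*' product display name are assumptions; adjust them to the local installation.

```powershell
# Added example, not from the advisory. Install path is an assumption.
param([string]$AgentPath = 'C:\Program Files\eG Innovations\eG Agent')

# Principals that should never hold write-class rights on agent binaries or config.
$lowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Write-class rights mask, plus the GENERIC_ALL / GENERIC_WRITE bits that show up
# as raw numbers in inherited ACEs on subfolders.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write,Modify,FullControl,TakeOwnership,ChangePermissions'
$writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

function Test-WeakAgentAcl {
    param([string]$Path)
    $findings = @()
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            $findings += [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

# Version check from the Uninstall registry keys (avoids 'wmic product', which
# triggers a consistency check of every installed MSI package).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$agent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like 'eG Agent*' } | Select-Object -First 1
$ver = $null
if ($agent -and [version]::TryParse($agent.DisplayVersion, [ref]$ver)) {
    "eG Agent $ver installed; below fixed version 7.2: $($ver -lt [version]'7.2')"
} else {
    'eG Agent not found in Uninstall keys (or version not parseable); check manually'
}

$weak = Test-WeakAgentAcl -Path $AgentPath
if ($weak.Count -eq 0) { "No write-class ACEs for low-privilege principals under $AgentPath" }
else { $weak | Format-Table -AutoSize }
```

Any row returned by Test-WeakAgentAcl is a path a standard user can modify; after applying the fix or the icacls workaround, rerun the script and expect an empty result.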
📡 Detection & Monitoring
Log Indicators:
- Unexpected modifications to eG Agent files or directories
- Process creation with SYSTEM privileges from non-standard accounts
- Failed permission changes on eG Agent directories
Network Indicators:
- Unusual outbound connections from systems running eG Agent after local access
SIEM Query:
EventID=4688 AND NewProcessName LIKE '%eG Agent%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrator')