CVE-2022-0166 Overview
A privilege escalation vulnerability exists in McAfee Agent prior to version 5.7.5 that allows a low-privileged local user to execute arbitrary code with SYSTEM privileges. The vulnerability stems from how the OpenSSL configuration file path is set during the McAfee Agent build process: the OPENSSLDIR variable is pointed at a subdirectory within the installation directory, and that location can be manipulated by unprivileged users.
Critical Impact
Local attackers with low privileges can escalate to SYSTEM-level access by creating a malicious openssl.cnf file in a specifically crafted directory path, enabling complete system compromise.
Affected Products
- McAfee Agent for Windows (versions prior to 5.7.5)
Discovery Timeline
- 2022-01-19 - CVE-2022-0166 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0166
Vulnerability Analysis
This vulnerability is classified as CWE-427 (Uncontrolled Search Path Element), a weakness that occurs when an application searches for critical resources in locations where an attacker can place malicious alternatives. In the case of McAfee Agent, the build process hardcodes the OPENSSLDIR path (a compile-time setting, not a runtime environment variable) to a subdirectory within the installation directory. This directory path is accessible to low-privileged users on the system.
When OpenSSL-dependent operations are executed by the McAfee Agent service (which runs with SYSTEM privileges), the application searches for and potentially loads the openssl.cnf configuration file from the attacker-controlled location. This configuration file can specify arbitrary OpenSSL engine modules to be loaded, allowing an attacker to inject and execute malicious code in the context of the SYSTEM account.
Root Cause
The root cause of this vulnerability lies in the insecure build configuration of McAfee Agent. During the build process, the OPENSSLDIR variable is set to a subdirectory within the McAfee Agent installation path. On Windows systems, this directory may have weak access controls that permit low-privileged users to create subdirectories and files. The application fails to validate or restrict access to the OpenSSL configuration file location, creating an uncontrolled search path vulnerability.
Attack Vector
The attack requires local access to the affected system with low-privilege user credentials. An attacker would need to:
- Identify the OPENSSLDIR path used by McAfee Agent
- Create the necessary directory structure within that path
- Place a crafted openssl.cnf file containing malicious OpenSSL engine directives
- Wait for or trigger an OpenSSL operation by the McAfee Agent service running as SYSTEM
The malicious configuration file can specify a custom OpenSSL engine library (DLL) that will be loaded when the McAfee Agent performs cryptographic operations. This allows arbitrary code execution with SYSTEM privileges, achieving a local privilege escalation attack.
Detection Methods for CVE-2022-0166
Indicators of Compromise
- Unexpected directory creation within the McAfee Agent installation path, particularly directories leading to an openssl.cnf file
- Presence of suspicious openssl.cnf files in non-standard locations within the McAfee installation directory
- Unusual DLL files appearing in McAfee Agent-related directories that could be malicious OpenSSL engine modules
Detection Strategies
- Monitor file system changes within the McAfee Agent installation directory for creation of new subdirectories or configuration files
- Implement endpoint detection rules to alert on low-privileged processes creating files in protected application directories
- Use SentinelOne's behavioral AI to detect anomalous process behavior when McAfee Agent loads unexpected modules
Monitoring Recommendations
- Enable auditing on the McAfee Agent installation directory to track file and folder creation events
- Monitor for processes spawned by the McAfee Agent service that exhibit suspicious behavior or load unexpected DLLs
- Review Windows Security Event logs for evidence of privilege escalation attempts
How to Mitigate CVE-2022-0166
Immediate Actions Required
- Upgrade McAfee Agent to version 5.7.5 or later immediately
- Audit the McAfee Agent installation directory for any unauthorized subdirectories or openssl.cnf files
- Implement application whitelisting to prevent loading of unauthorized DLLs by the McAfee Agent service
- Restrict file system permissions on the McAfee Agent installation directory to prevent low-privileged user modifications
Patch Information
McAfee has released version 5.7.5 of McAfee Agent to address this vulnerability. The patch modifies how the application handles OpenSSL configuration paths to prevent exploitation. Administrators should apply this update through their standard McAfee ePO management console or manual installation procedures. For detailed patching instructions, refer to the McAfee Security Bulletin SB10378. Additional technical information is available from CERT Vulnerability ID 287178.
Workarounds
- Manually restrict NTFS permissions on the McAfee Agent installation directory to prevent non-administrative users from creating subdirectories
- Deploy endpoint protection solutions like SentinelOne to detect and block exploitation attempts through behavioral analysis
- Implement the principle of least privilege to minimize the number of users with local access to systems running McAfee Agent
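As an added example, not from the advisory or from McAfee, the following PowerShell script performs the two file-system checks recommended above: it lists every openssl.cnf under the agent installation directory and reports NTFS ACEs that let low-privileged principals create files or folders there. The default install path and the principal names are assumptions; adjust them for your deployment and OS language.

```powershell
# Added example (not the advisory's or McAfee's own tooling): audit a McAfee
# Agent installation directory for unexpected openssl.cnf files and for NTFS
# ACEs that let non-administrative principals plant directories or files.
param(
    # Assumed default install location; change for your deployment.
    [string]$InstallRoot = 'C:\Program Files\McAfee\Agent'
)

# Rights that permit creating a subdirectory or a configuration file.
$writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

# Principals that should never hold write rights on an agent install directory
# (English-language account names; localized Windows installs differ).
$lowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Find-UnexpectedOpenSslConfig {
    param([string]$Root)
    # Any openssl.cnf under the agent tree deserves review; record who owns it
    # and when it appeared so it can be correlated with file-creation audit events.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -Filter 'openssl.cnf' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
                Created = $_.CreationTimeUtc
            }
        }
}

function Find-WeakDirectoryAces {
    param([string]$Root)
    # Check the root itself plus every existing subdirectory.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -Force -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Write-Host "== openssl.cnf files under $InstallRoot =="
Find-UnexpectedOpenSslConfig -Root $InstallRoot | Format-Table -AutoSize
Write-Host "== ACEs granting create/write rights to low-privileged principals =="
Find-WeakDirectoryAces -Root $InstallRoot | Format-Table -AutoSize
```

Run it from an elevated prompt so every subdirectory's ACL can be read; an empty second table on a patched 5.7.5 or later install is the expected result, while any row there is a candidate for the NTFS restriction described in the first workaround.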
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.