{"vuid":"VU#287178","idnumber":"287178","name":"McAfee Agent for Windows is vulnerable to privilege escalation due to OPENSSLDIR location","keywords":null,"overview":"### Overview\r\n\r\nMcAfee Agent contains a privilege escalation vulnerability due to the use of an `OPENSSLDIR` variable that specifies a location where an unprivileged Windows user may be able to place files.\r\n\r\n### Description\r\n\r\n**CVE-2022-0166**\r\n\r\nMcAfee Agent, which comes with various McAfee products such as McAfee Endpoint Security, includes an OpenSSL component that specifies an `OPENSSLDIR` variable as a subdirectory that may be controllable by an unprivileged user on Windows. McAfee Agent contains a privileged service that uses this OpenSSL component.  A user who can place a specially-crafted `openssl.cnf` file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.\r\n\r\n### Impact\r\nBy placing a specially-crafted `openssl.cnf` in a location used by McAfee Agent, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable McAfee Agent software installed.\r\n\r\n### Solution\r\n\r\n#### Apply an update\r\nThis vulnerability is [addressed](https://kc.mcafee.com/corporate/index?page=content&id=SB10378) in McAfee Agent version 5.7.5.\r\n\r\n### Acknowledgements\r\nThis vulnerability was reported by Will Dormann of the CERT/CC.\r\n\r\nThis document was written by Will 
Dormann.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://kc.mcafee.com/corporate/index?page=content&id=SB10378","https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor"],"cveids":["CVE-2022-0166"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2022-01-20T21:47:16.642603Z","publicdate":"2022-01-20T21:47:15.782345Z","datefirstpublished":"2022-01-20T21:47:16.668225Z","dateupdated":"2022-01-20T21:47:15.782337Z","revision":1,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":61}