7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
12.6%
McAfee Agent contains a privilege escalation vulnerability due to the use of an OPENSSLDIR
variable that specifies a location where an unprivileged Windows user may be able to place files.
CVE-2022-0166
McAfee Agent, which comes with various McAfee products such as McAfee Endpoint Security, includes an OpenSSL component that specifies an OPENSSLDIR
variable as a subdirectory that my be controllable by an unprivileged user on Windows. McAfee Agent contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf
file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.
By placing a specially-crafted openssl.cnf
in a location used by McAfee Agent, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable McAfee Agent software installed.
This vulnerability is addressed in McAfee Agent version 5.7.5.
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
287178
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Notified: 2021-11-16 Updated: 2022-01-20
Statement Date: January 19, 2022
CVE-2022-0166 | Affected |
---|
Fix released and published - https://kc.mcafee.com/corporate/index?page=content&id=SB10378
CVE IDs: | CVE-2022-0166 |
---|---|
Date Public: | 2022-01-20 Date First Published: |
7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
12.6%