McAfee McAgent
McAfee McAgent (McAfee Interface Management Agent) is the graphical user interface (GUI) component of the widely used McAfee Security Center. McAgent (system process mcagent.exe) is included with McAfee’s cybersecurity programs and suites. McAgent is usually a ‘buggy’ process that draws a lot of complaints, and one that Windows programs often flag as a virus in a false positive.
The Vulnerability
The Security Bulletin describing this software vulnerability was released on the official McAfee portal on September 28th, 2021, as an update to the original release, which was posted on September 21st, 2021. The technical name of this particular software vulnerability is Untrusted Search Path. According to the Security Bulletin, “In all three issues, the attacker would need to place files on the local machine to exploit them.” McAfee credits Łukasz Rupala from ING TechPL, who reported this flaw.
Technical Details
A DLL sideloading vulnerability in McAfee Agent for Windows (before version 5.7.4) could allow a local user to perform a DLL sideloading attack with an unsigned DLL with a specific name and in a specific location. Because the DLL signature is not checked, this would result in the user gaining elevated permissions and the ability to execute arbitrary code as the system user.
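As a detection-side illustration of the missing signature check described above, this added example (not code from McAfee or the bulletin) scans Sysmon Event ID 7 (image load) records for DLLs without a valid signature that a watched process loaded while running as SYSTEM. The process name, paths, trusted-directory list and sample records are constructed assumptions.

```python
import ntpath

SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
# Assumed install locations that ordinary users cannot write to.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")
AGENT = r"C:\Program Files\ExampleVendor\Agent\agentsvc.exe"  # placeholder name

def ev(image, loaded, signed, status, user=SYSTEM_USER):
    """Build one record using Sysmon Event ID 7 field names."""
    return {"Image": image, "ImageLoaded": loaded, "Signed": signed,
            "SignatureStatus": status, "User": user}

# Constructed sample records; none of these values come from the bulletin.
SAMPLE_EVENTS = [
    ev(AGENT, r"C:\Program Files\ExampleVendor\Agent\core.dll", "true", "Valid"),
    ev(AGENT, r"C:\ProgramData\ExampleVendor\plugin.dll", "false", "Unavailable"),
    ev(AGENT, r"C:\Program Files\ExampleVendor\Agent\legacy.dll", "false", "Unavailable"),
    ev(r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\tool.dll",
       "false", "Unavailable", user=r"CORP\alice"),
]

def in_trusted_dir(path):
    """True if the DLL's folder is inside one of TRUSTED_DIRS."""
    folder = ntpath.normpath(ntpath.dirname(path)).lower()
    return any(folder == d or folder.startswith(d + "\\") for d in TRUSTED_DIRS)

def find_unsigned_loads(events, watched_images):
    """Return (dll, signature status, severity) for each DLL without a valid
    signature that a watched process loaded while running as SYSTEM."""
    watched = {name.lower() for name in watched_images}
    findings = []
    for e in events:
        if ntpath.basename(e["Image"]).lower() not in watched:
            continue
        if e["User"].upper() != SYSTEM_USER:
            continue
        if e["Signed"].lower() == "true" and e["SignatureStatus"] == "Valid":
            continue
        # An unsigned DLL outside the trusted folders is the stronger signal.
        severity = "medium" if in_trusted_dir(e["ImageLoaded"]) else "high"
        findings.append((e["ImageLoaded"], e["SignatureStatus"], severity))
    return findings

if __name__ == "__main__":
    for finding in find_unsigned_loads(SAMPLE_EVENTS, ["agentsvc.exe"]):
        print(finding)
```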
Vulnerable Software Versions
McAfee Agent versions 5.74 and below are vulnerable to this issue.
Important User Information
A patch is available that resolves these security issues. It is recommended that McAfee enterprise users visit the McAfee product downloads section and pick up the latest version of the Security Center. For the consumer version, users can visit the product download pages and grab the fixed version on the consumer portal.
Note: McAfee states that whether an ePO/server product is vulnerable can be determined via the following steps: “Use the following instructions for server-based products:
Check the version and build of ePO that is installed. Create a query in ePO for the product version of the product installed within your organization.”