Bypass Record

Exploitation for Priv-Esc × Trellix Agent for Linux

A publicly-reported instance of Exploitation for Priv-Esc bypassing Trellix Agent for Linux, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Trellix Agent for Linux
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: Critical
Status: unknown
Disclosed: 2024-01-09
Config / version noted: Yes

Provenance

Reported as

buffer overflow vulnerability in Trellix Agent ... macOS prior to version 5.8.1 ... escalate privileges to root

Mechanism

The Trellix Agent service, running as root, fails to validate input size when reading from files, leading to a classic buffer overflow (CWE-120). An attacker with local access can craft oversized input to corrupt memory, potentially executing arbitrary code with root privileges or crashing the service.

Detection & mitigation

Monitor for unexpected child processes spawned by the Trellix Agent service (e.g., in process creation logs, events whose parent process name is 'maconfig' or 'macmnsvc') and for abnormal file writes to the agent's configuration directories. Mitigate by applying the vendor patch (version 5.8.1 or later) and restricting local access to the agent's file paths.
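As an added illustration (not code from the cited source or from Trellix), the detection note above expressed as a check run over constructed process-creation and file-write events; the event field names, the JSON-lines format and the agent configuration path are assumptions, not a real sensor schema.

```python
import json

# Parent process names the record associates with the Trellix Agent service.
AGENT_PARENTS = {"maconfig", "macmnsvc"}
# Hypothetical configuration directory; substitute the real agent path.
AGENT_CONFIG_PREFIX = "/opt/trellix-agent/config/"
# Shells spawned by a root service are the strongest signal of a hijacked process.
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed sample events (JSON lines), not captured from a real host.
SAMPLE_LOG = """
{"type": "exec", "parent_name": "systemd", "child_name": "maconfig", "uid": 0}
{"type": "exec", "parent_name": "maconfig", "child_name": "sh", "uid": 0}
{"type": "write", "process_name": "macmnsvc", "path": "/opt/trellix-agent/config/agent.cfg", "uid": 0}
{"type": "write", "process_name": "vim", "path": "/opt/trellix-agent/config/agent.cfg", "uid": 1000}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (severity, message) alerts for the two behaviours the record names.

    - exec events whose parent is the agent service: any child is reviewed,
      a shell child is rated high.
    - write events under the agent config directory by a process that is not
      the agent itself.
    """
    alerts = []
    for ev in events:
        if ev["type"] == "exec" and ev.get("parent_name") in AGENT_PARENTS:
            sev = "high" if ev["child_name"] in SHELLS else "medium"
            alerts.append((sev, f"{ev['parent_name']} spawned {ev['child_name']} "
                                f"as uid {ev['uid']}"))
        elif (ev["type"] == "write"
              and ev["path"].startswith(AGENT_CONFIG_PREFIX)
              and ev.get("process_name") not in AGENT_PARENTS):
            alerts.append(("medium", f"{ev['process_name']} (uid {ev['uid']}) "
                                     f"wrote {ev['path']}"))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
```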

Exploitation for Priv-Esc has also been recorded against

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.