New Research Finds Bugs in Every Anti-Malware Product Tested

Products from every vendor had issues that allowed attackers to elevate privileges on a system -- if they already were on it.

A majority of security tools that organizations use to defend against malware attacks are themselves vulnerable to exploits that allow attackers to escalate privileges on a compromised system, a new CyberArk study has found.

CyberArk tested products from multiple major security vendors, including Kaspersky, Symantec, Trend Micro, McAfee, and Check Point Software Technologies, and says it found vulnerabilities in every single one.

The bugs CyberArk reported to the vendors, which have since patched them, include three in Kaspersky's malware detection and removal products; two in McAfee's portfolio; one each in products from Symantec, Fortinet, and Check Point; and five in products from Trend Micro. CyberArk also uncovered vulnerabilities in products from Microsoft, Avast, and Avira, among others.

With all of the vulnerabilities, an attacker would already need to have local access on a system in order to exploit them. Security researchers often don't consider such bugs to be as critical as those that allow unauthenticated remote execution.

Eran Shimony, the researcher at CyberArk who discovered the flaws, says the vulnerabilities identified in the company's research share the same root cause: incorrect use of system resources when an app is running in a privileged context. According to Shimony, all of the security products that CyberArk tested were vulnerable to DLL hijacking — a technique where attackers essentially load a malicious file into a privileged process.

"By doing that we were able to run code inside the DLLMain function, which is then executed immediately after loading the DLL, allowing for a code execution inside a privileged application," he explains.

The second vulnerability involved a method to trick privileged applications into targeting a different file while doing a read, write, or delete operation, Shimony says.  

"This allows us to alter the content of protected files, like those being used by the operating system," he says.

The security researcher says two mistakes were apparent in every single product CyberArk tested. The first was the vendors' failure to prevent the security apps — which almost always run in a privileged context on a system — from loading DLLs from unsafe locations without verifying whether they were digitally signed.

"If the vendors change the way the application tries to load DLLs, either by using absolute paths or by enforcing digital signatures, the issue would not exist," he says.

The second problem Shimony says he discovered was the sharing of resources between low- and high-privileged apps.

"If a low-privileged application accesses a resource — like a log file that a service accesses to perform write operations — then the service must execute the write operation in the context of the low-privileged application," he says. Otherwise, a malicious user could exploit the issue to escalate privileges on the system.
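Both root causes described above come down to a privileged service trusting a location that a low-privileged user can write to. The following script is an added, defender-side audit (it is not CyberArk's tooling or any vendor's code): for each running Windows service it reports whether standard-user groups can write to the service's install directory and whether any DLL there lacks a valid Authenticode signature. It assumes an elevated PowerShell 5.1+ session and that the list of low-privilege principals below (a constructed list) matches the groups of interest on the host.

```powershell
# Added audit example, not code from the article or the vendors it names.
# Assumed: elevated PowerShell 5.1+; the principal list is a constructed choice.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceImageDirectory {
    param([string]$PathName)
    # PathName may be quoted and may carry arguments; keep only the executable.
    # An unquoted path containing spaces is itself a misconfiguration and will
    # be truncated at the first space here.
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($PathName -split ' ')[0] }
    return Split-Path -Parent $exe
}

function Test-LowPrivWritable {
    param([string]$Directory)
    # True if any Allow ACE grants a low-privilege principal write-class rights.
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

$results = foreach ($svc in Get-CimInstance Win32_Service |
          Where-Object { $_.State -eq 'Running' -and $_.PathName }) {
    $dir = Get-ServiceImageDirectory $svc.PathName
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # DLLs beside the service binary whose signature is missing or invalid.
    $unsigned = Get-ChildItem -LiteralPath $dir -Filter *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -ne 'Valid' } |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Service         = $svc.Name
        Account         = $svc.StartName
        Directory       = $dir
        LowPrivWritable = Test-LowPrivWritable $dir
        UnsignedDlls    = ($unsigned -join ', ')
    }
}
# Only services with at least one finding are shown.
$results | Where-Object { $_.LowPrivWritable -or $_.UnsignedDlls } | Format-Table -AutoSize
```

A service listed with LowPrivWritable set to True is the condition both issues in the article depend on; a service running as LocalSystem with unsigned DLLs in such a directory is the case to fix first.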

Vendor Response
Two of the impacted vendors Dark Reading contacted say they addressed the issues CyberArk uncovered in their products.

A spokesman from Kaspersky on Tuesday described the vulnerabilities that CyberArk discovered as enabling local attacks — or exploits that are possible only after an attacker already has authenticated access to a system. Some of them also can be exploited only during the product installation stage, the company said.

Of the three vulnerabilities in its products, one (CVE-2020-25045) enables privilege escalation, another (CVE-2020-25044) lets an attacker delete the content of any file on the compromised system, and the third (CVE-2020-25043) would let an attacker delete entire files on any vulnerable system. The list of impacted Kaspersky products includes versions of its VPN Secure Connection product prior to 5.0, Kaspersky Virus Removal Tool prior to, and Kaspersky Security Center prior to 12.

"We recommend that our users check the application version they are currently running and install the latest updates," the Kaspersky spokesman said in a statement.

Jon Clay, director of global threat communications at Trend Micro, says his company patched the flaws back in December 2019.  

"These vulnerabilities were given a medium severity rating," Clay says, noting that access to the machine would be needed in order to drop the malicious DLL payload and escalate privileges. "Due to the need for direct access to a victim machine, these would not be easy to exploit."

The bugs Shimony discovered were easily patchable and in some cases only required "a small touch-up in the code," he adds.

"The best measure organizations can take is [to ensure they] have the latest updates installed and make sure every privileged program is fully patched," Shimony says. "Attackers could use these techniques to escalate privileges, so it's critical to ensure that all privileged accounts are properly secured."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

10/8/2020 | 4:06:09 PM
Interesting post, thank you for sharing.
One question I would ask, if holes have been found in every product identified, was this done intentionally and if so, was there someone (i.e. NSA) who asked to leave the holes open?

In addition to privilege and DLL access, this has been problematic from day one (Microsoft is known for such vulnerabilities). They stated that they patched the holes; has CyberArk done research to see if the patches fixed the problem?
