
10/6/2020
05:15 PM

New Research Finds Bugs in Every Anti-Malware Product Tested

Products from every vendor had issues that allowed attackers to elevate privileges on a system -- if they already were on it.

A majority of security tools that organizations use to defend against malware attacks are themselves vulnerable to exploits that allow attackers to escalate privileges on a compromised system, a new CyberArk study has found.

CyberArk tested products from multiple major security vendors, including Kaspersky, Symantec, Trend Micro, McAfee, and Check Point Software Technologies, and says it found vulnerabilities in every single one.


The bugs CyberArk reported to the vendors, which have since patched them, include three in Kaspersky's malware detection and removal products; two in McAfee's portfolio; one each in products from Symantec, Fortinet, and Check Point; and five in products from Trend Micro. CyberArk also uncovered vulnerabilities in products from Microsoft, Avast, and Avira, among others.

With all of the vulnerabilities, an attacker would already need to have local access on a system in order to exploit them. Security researchers often don't consider such bugs to be as critical as those that allow unauthenticated remote execution.

Eran Shimony, the researcher at CyberArk who discovered the flaws, says the vulnerabilities identified in the company's research share the same root cause: incorrect use of system resources when an app is running in a privileged context. According to Shimony, all of the security products that CyberArk tested were vulnerable to DLL hijacking — a technique where attackers essentially load a malicious file into a privileged process.

"By doing that we were able to run code inside the DLLMain function, which is then executed immediately after loading the DLL, allowing for a code execution inside a privileged application," he explains.

The second vulnerability involved a method to trick privileged applications into targeting a different file while doing a read, write, or delete operation, Shimony says.

"This allows us to alter the content of protected files, like those being used by the operating system," he says.

The security researcher says two mistakes were apparent in every single product CyberArk tested. The first was the failure by the vendors to prevent the security apps — which almost always run in a privileged context on a system — from loading DLLs from unsafe locations without verifying whether they were digitally signed.

"If the vendors change the way the application tries to load DLLs, either by using absolute paths or by enforcing digital signatures, the issue would not exist," he says.

The second problem Shimony says he discovered was the sharing of resources between low- and high-privileged apps.

"If a low-privileged application accesses a resource — like a log file that a service accesses to perform write operations — then the service must execute the write operation in the context of the low-privileged application," he says. Otherwise, a malicious user could exploit the issue to escalate privileges on the system.
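The two mistakes Shimony describes (DLLs loaded from locations a low-privileged user can write to, and unsigned modules inside privileged processes) can be audited on a live host. The PowerShell script below is an added example, not CyberArk's or any vendor's code; it assumes an elevated session and relies only on the built-in Get-Process, Get-Acl and Get-AuthenticodeSignature cmdlets.

```powershell
# Added example (not CyberArk's or any vendor's code): flag modules loaded by running
# processes whose directory is writable by low-privileged users or which carry no valid
# Authenticode signature. Run elevated; protected processes that refuse are skipped.

$SafeRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

# Identities that must never hold write rights on a privileged program's DLL directory.
$LowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$PlantRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Test-LowPrivWritable {
    param([string]$Directory)
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        # CreateFiles is the right needed to drop a new file (a DLL) into the directory.
        if (($ace.FileSystemRights -band $PlantRights) -ne 0) { return $true }
    }
    return $false
}

function Get-RiskyModule {
    param([string]$Name = '*')
    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules } catch { continue }   # access denied or bitness mismatch
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $inSafeRoot = [bool]($SafeRoots | Where-Object { $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
            $writable   = Test-LowPrivWritable -Directory (Split-Path -Path $path -Parent)
            # Catalog-signed OS files can report NotSigned on some hosts; treat LowPrivWritable as the primary signal.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($writable -or -not $inSafeRoot -or $sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Process         = $proc.ProcessName
                    PID             = $proc.Id
                    Module          = $path
                    InSafeRoot      = $inSafeRoot
                    LowPrivWritable = $writable
                    Signature       = $sig.Status
                }
            }
        }
    }
}
Get-RiskyModule | Sort-Object LowPrivWritable -Descending | Format-Table -AutoSize
```

A row with LowPrivWritable set to True for a service or anti-malware process is exactly the condition the article describes and warrants an ACL fix on that directory, independent of whether the module is signed.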

Vendor Response

Two of the impacted vendors Dark Reading contacted say they addressed the issues CyberArk uncovered in their products.

A spokesman from Kaspersky on Tuesday described the vulnerabilities that CyberArk discovered as enabling local attacks — or exploits that are possible only after an attacker already has authenticated access to a system. Some of them also can be exploited only during the product installation stage, the company said.

Of the three vulnerabilities in its products, one (CVE-2020-25045) enables privilege escalation, another (CVE-2020-25044) lets an attacker delete the content of any file on the compromised system, and the third (CVE-2020-25043) would let an attacker delete entire files on any vulnerable system. The list of impacted Kaspersky products includes versions of its VPN Secure Connection product prior to 5.0, Kaspersky Virus Removal Tool prior to 15.0.23.0, and Kaspersky Security Center prior to 12.

"We recommend that our users check the application version they are currently running and install the latest updates," the Kaspersky spokesman said in a statement.

Jon Clay, director of global threat communications at Trend Micro, says his company patched the flaws back in December 2019.

"These vulnerabilities were given a medium severity rating," Clay says, noting that access to the machine would be needed in order to drop the malicious DLL payload and escalate privileges. "Due to the need for direct access to a victim machine, these would not be easy to exploit."

The bugs Shimony discovered were easily patchable and in some cases only required "a small touch-up in the code," he adds.

"The best measure organizations can take is [to ensure they] have the latest updates installed and make sure every privileged program is fully patched," Shimony says. "Attackers could use these techniques to escalate privileges, so it's critical to ensure that all privileged accounts are properly secured."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments

tdsan, User Rank: Ninja, 10/8/2020 | 4:06:09 PM
Interesting post, thank you for sharing.

One question I would ask: if holes have been found in every product identified, was this done intentionally, and if so, was there someone (i.e., NSA) who asked to leave the holes open?

In addition to privilege and DLL access, this has been problematic from day one (Microsoft is known for such vulnerabilities). They stated that they patched the holes; has CyberArk done research to see if the patches fixed the problem?

T