Dark Reading is part of the Informa Tech Division of Informa PLC

New Research Finds Bugs in Every Anti-Malware Product Tested

Products from every vendor had issues that allowed attackers to elevate privileges on a system -- if they already were on it.

A majority of security tools that organizations use to defend against malware attacks are themselves vulnerable to exploits that allow attackers to escalate privileges on a compromised system, a new CyberArk study has found.

CyberArk tested products from multiple major security vendors, including Kaspersky, Symantec, Trend Micro, McAfee, and Check Point Software Technologies, and says it found vulnerabilities in every single one.


The bugs CyberArk reported to the vendors, which have since patched them, include three in Kaspersky's malware detection and removal products; two in McAfee's portfolio; one each in products from Symantec, Fortinet, and CheckPoint; and five in products from Trend Micro. CyberArk also uncovered vulnerabilities in products from Microsoft, Avast, and Avira, among others.

With all of the vulnerabilities, an attacker would already need to have local access on a system in order to exploit them. Security researchers often don't consider such bugs to be as critical as those that allow unauthenticated remote execution.

Eran Shimony, the researcher at CyberArk who discovered the flaws, says the vulnerabilities identified in the company's research share the same root cause: incorrect use of system resources when an app is running in a privileged context. According to Shimony, all of the security products that CyberArk tested were vulnerable to DLL hijacking — a technique where attackers essentially load a malicious file into a privileged process.

"By doing that we were able to run code inside the DLLMain function, which is then executed immediately after loading the DLL, allowing for a code execution inside a privileged application," he explains.

The second vulnerability involved a method to trick privileged applications into targeting a different file while doing a read, write, or delete operation, Shimony says.  

"This allows us to alter the content of protected files, like those being used by the operating system," he says.

The security researcher says two mistakes were apparent in every product CyberArk tested. The first was that the vendors failed to prevent their security apps — which almost always run in a privileged context on a system — from loading DLLs from unsafe locations without verifying that the DLLs were digitally signed.

"If the vendors change the way the application tries to load DLLs, either by using absolute paths or by enforcing digital signatures, the issue would not exist," he says.

The second problem Shimony says he discovered was the sharing of resources between low- and high-privileged apps.

"If a low-privileged application accesses a resource — like a log file that a service accesses to perform write operations — then the service must execute the write operation in the context of the low-privileged application," he says. Otherwise, a malicious user could exploit the issue to escalate privileges on the system.
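As an added defender's check for the two mistakes described above (this is not CyberArk's or any vendor's code), the PowerShell below audits Windows services running as SYSTEM or another NT AUTHORITY account for DLLs in the service directory that are not validly Authenticode-signed and for directories that low-privileged principals can write to. It assumes an elevated session on the host being audited; the well-known SIDs and the `Valid` signature status are standard Windows values.

```powershell
# Added example, not CyberArk's or any vendor's code. Audits services that run as
# SYSTEM or another NT AUTHORITY account for the two weaknesses described above:
# (1) DLLs beside the service binary that are not validly Authenticode-signed, and
# (2) a service directory writable by low-privileged principals, which is what lets
# a standard user plant a DLL or swap a shared file. Run from an elevated session.

$lowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545'  # BUILTIN\Users
)
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

# True when any low-privileged principal has an Allow ACE granting write access.
function Test-LowPrivWritable {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if (($lowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

$services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.StartName -match '^(LocalSystem|NT AUTHORITY\\)' }

foreach ($svc in $services) {
    # PathName may be quoted and carry arguments; an unquoted path containing spaces
    # fails Test-Path below and is skipped rather than guessed at.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    if (-not (Test-Path -LiteralPath $exe)) { continue }
    $dir = Split-Path -Parent $exe

    if (Test-LowPrivWritable -Path $dir) {
        Write-Warning "$($svc.Name): $dir is writable by low-privileged users"
    }
    Get-ChildItem -LiteralPath $dir -Filter *.dll -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if ($sig.Status -ne 'Valid') {
            Write-Warning "$($svc.Name): $($_.Name) has signature status '$($sig.Status)'"
        }
    }
}
```

A warning from the first check is the more serious finding, since a writable service directory is the precondition for planting a DLL regardless of how the existing ones are signed.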

Vendor Response

Two of the impacted vendors Dark Reading contacted say they addressed the issues CyberArk uncovered in their products.

A spokesman from Kaspersky on Tuesday described the vulnerabilities that CyberArk discovered as enabling local attacks — or exploits that are possible only after an attacker already has authenticated access to a system. Some of them also can be exploited only during the product installation stage, the company said.

Of the three vulnerabilities in its products, one (CVE-2020-25045) enables privilege escalation, another (CVE-2020-25044) lets an attacker delete the content of any file on the compromised system, and the third (CVE-2020-25043) would let an attacker delete entire files on any vulnerable system. The list of impacted Kaspersky products includes versions of its VPN Secure Connection product prior to 5.0, Kaspersky Virus Removal Tool prior to, and Kaspersky Security Center prior to 12.

"We recommend that our users check the application version they are currently running and install the latest updates," the Kaspersky spokesman said in a statement.

Jon Clay, director of global threat communications at Trend Micro, says his company patched the flaws back in December 2019.  

"These vulnerabilities were given a medium severity rating," Clay says, noting that access to the machine would be needed in order to drop the malicious DLL payload and escalate privileges. "Due to the need for direct access to a victim machine, these would not be easy to exploit."

The bugs Shimony discovered were easily patchable and in some cases only required "a small touch-up in the code," he adds.

"The best measure organizations can take is [to ensure they] have the latest updates installed and make sure every privileged program is fully patched," Shimony says. "Attackers could use these techniques to escalate privileges, so it's critical to ensure that all privileged accounts are properly secured."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

10/8/2020 | 4:06:09 PM
Interesting post, thank you for sharing.
One question I would ask: if holes have been found in every product identified, was this done intentionally and, if so, was there someone (i.e. NSA) who asked to leave the holes open?

In addition, privilege and DLL access have been problematic from day one (Microsoft is known for such vulnerabilities). They stated that they patched the holes; has CyberArk done research to see if the patches fixed the problem?

