A majority of security tools that organizations use to defend against malware attacks are themselves vulnerable to exploits that allow attackers to escalate privileges on a compromised system, a new CyberArk study has found.
CyberArk tested products from multiple major security vendors, including Kaspersky, Symantec, Trend Micro, McAfee, and Check Point Software Technologies, and says it found vulnerabilities in every single one.
The bugs CyberArk reported to the vendors, which have since patched them, include three in Kaspersky's malware detection and removal products; two in McAfee's portfolio; one each in products from Symantec, Fortinet, and CheckPoint; and five in products from Trend Micro. CyberArk also uncovered vulnerabilities in products from Microsoft, Avast, and Avira, among others.
With all of the vulnerabilities, an attacker would already need to have local access on a system in order to exploit them. Security researchers often don't consider such bugs to be as critical as those that allow unauthenticated remote execution.
Eran Shimony, the researcher at CyberArk who discovered the flaws, says the vulnerabilities identified in the company's research share the same root cause: incorrect use of system resources when an app is running in a privileged context. According to Shimony, all of the security products that CyberArk tested were vulnerable to DLL hijacking — a technique where attackers essentially load a malicious file into a privileged process.
"By doing that we were able to run code inside the DLLMain function, which is then executed immediately after loading the DLL, allowing for a code execution inside a privileged application," he explains.
The second vulnerability involved a method to trick privileged applications into targeting a different file while doing a read, write, or delete operation, Shimony says.
"This allows us to alter the content of protected files, like those being used by the operating system," he says.
The security researcher says two mistakes were apparent in every single product CyberArk tested. The first was the failure by the vendors to prevent the security apps — which almost always run in a privileged context on a system — to load DLLs from unsafe locations without verifying whether they were digitally signed.
"If the vendors change the way the application tries to load DLLs, either by using absolute paths or by enforcing digital signatures, the issue would not exist," he says.
The second problem Shimony says he discovered was the sharing of resources between low- and high-privileged apps.
"If a low-privileged application accesses a resource — like a log file that a service accesses to perform write operations — then the service must execute the write operation in the context of the low-privileged application," he says. Otherwise, a malicious user could exploit the issue to escalate privileges on the system.
Two of the impacted vendors Dark Reading contacted say they addressed the issues CyberArk uncovered in their products.
A spokesman from Kaspersky on Tuesday described the vulnerabilities that CyberArk discovered as enabling local attacks — or exploits that are possible only after an attacker already has authenticated access to a system. Some of them also can be exploited only during the product installation stage, the company said.
Of the three vulnerabilities in its products, one (CVE-2020-25045) enables privilege escalation, another (CVE-2020-25044) lets an attacker delete the content of any file on the compromised system, and the third (CVE-2020-25043) would let an attacker delete entire files on any vulnerable system. The list of impacted Kaspersky products include versions of its VPN Secure Connection product prior to 5.0, Kaspersky Virus Removal Tool prior to 188.8.131.52, and Kaspersky Security Center prior to 12.
"We recommend that our users check the application version they are currently running and install the latest updates," the Kaspersky spokesman said in a statement.
Jon Clay, director of global threat communications at Trend Micro, says his company patched the flaws back in December 2019.
"These vulnerabilities were given a medium severity rating," Clay says, noting that access to the machine would be needed in order to drop the malicious DLL payload and escalate privileges. "Due to the need for direct access to a victim machine, these would not be easy to exploit."
The bugs Shimony discovered were easily patchable and in some cases only required "a small touch-up in the code," he adds.
"The best measure organizations can take is [to ensure they] have the latest updates installed and make sure every privileged program is fully patched," Shimony says. "Attackers could use these techniques to escalate privileges, so it's critical to ensure that all privileged accounts are properly secured."