Recently, a security research firm disclosed that something’s not right with popular anti-malware and antivirus software. Read on to know more…
Security flaws in popular anti-malware or antivirus software may unwittingly assist malware in gaining access to your system. As per research by CyberArk, certain flaws in antivirus software give threat actors the capability to escalate privileges on vulnerable systems. The number of exposed machines is huge, especially when every Windows system has at least one such product that can be exploited via file manipulation.
The Bugs
Anti-malware products run with high privileges, which means that exploiting any issue in these solutions could allow malicious software to gain elevated permissions and perform multiple malicious actions. According to the researchers, the bugs stem from the default Discretionary Access Control Lists (DACLs) of the C:\ProgramData directory. On Windows, applications use the ProgramData directory to store data; any user has read/write permissions on ProgramData, unlike %LocalAppData%, which is accessible only to the currently logged-in user.
This directory is used by various applications to store data without requiring additional permissions. Because this storage is not tied to a specific user, a directory that a non-privileged user creates in ProgramData can later be used by a privileged process. Insufficient address-space verification within the IOCTL handlers of device drivers is another cause of security risks in antivirus solutions.
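To check your own hosts for the condition described above, here is an added PowerShell audit script (example code written for this article, not CyberArk's or any vendor's): it walks C:\ProgramData and reports subdirectories whose DACL grants write-class rights to low-privilege principals, marking whether the entry is inherited from the ProgramData default DACL. It assumes an elevated PowerShell 5.1+ session on an English-locale Windows install (the principal names in $LowPrivPrincipals are locale-dependent).

```powershell
# Audit C:\ProgramData for subdirectories writable by low-privilege principals.
# Directories used by a privileged service (e.g. an AV engine) that show up here
# deserve review: the fix is for that service to create its directory with a
# restrictive DACL instead of inheriting the ProgramData default.
param(
    [string]$Root = 'C:\ProgramData',
    # Principals every standard (non-admin) user is a member of. Constructed list;
    # extend it for domain groups relevant to your environment.
    [string[]]$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone',
                                     'NT AUTHORITY\Authenticated Users', 'CREATOR OWNER')
)

# Rights that let a user plant, replace or delete files or links inside a directory.
# Note: generic rights (GENERIC_WRITE etc.) are not mapped here; Get-Acl normally
# shows them already translated for file-system ACEs.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles,CreateDirectories,Delete,DeleteSubdirectoriesAndFiles,WriteAttributes,WriteExtendedAttributes,Modify,FullControl'

function Get-LowPrivWritableDirs {
    param([string]$Path, [string[]]$Principals)
    Get-ChildItem -LiteralPath $Path -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $dir = $_
        try { $acl = Get-Acl -LiteralPath $dir.FullName } catch { return }
        foreach ($ace in $acl.Access) {
            # Only Allow ACEs grant access; Deny ACEs restrict it.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            # Bitwise test: does this ACE carry any write-class right?
            if (([int]$ace.FileSystemRights -band [int]$WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # $true = came from the ProgramData default DACL
                Owner     = $acl.Owner         # non-admin owner on a service directory is a red flag
            }
        }
    }
}

Get-LowPrivWritableDirs -Path $Root -Principals $LowPrivPrincipals |
    Sort-Object Directory, Principal | Format-Table -AutoSize
```

Expect many inherited hits, since the default DACL lets Users create files and folders; the rows worth triaging are those whose directory belongs to a service running as SYSTEM.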
Affected AV Products
Security experts explained that multiple anti-malware products are vulnerable to exploitation via file manipulation attacks, including antivirus solutions from popular AV brands. Some of the affected AV products are as follows:
• Kaspersky: CVE-2020-25045, CVE-2020-25044, CVE-2020-25043
• McAfee: CVE-2020-7250, CVE-2020-7310
• Symantec: CVE-2019-19548
• Fortinet: CVE-2020-9290
• Checkpoint: CVE-2019-8452
• Trend Micro: CVE-2019-19688, CVE-2019-19689 +3
• Avira: CVE-2020-13903
• Microsoft: CVE-2019-1161
• Avast + F-Secure – Waiting for MITRE
Tech Conclusion
The bugs listed above allow full privilege escalation on local systems. Malicious actors can even gain a foothold in the system and wreak havoc on an organization.
CyberArk reported its findings to each of the aforementioned vendors, which have since patched their respective products. The good news is that the detected bugs are easily fixable. Although the vendors have addressed these security flaws, the discovery shows how the protectors of your system can themselves fall prey to malicious attacks.
The fact that anti-malware and threat-mitigation software is plagued by vulnerabilities rated medium to high severity means that, so to speak, it can act as a gateway to system resources. In such scenarios, vigilance is the price that needs to be paid for safety.