Vulnerabilities Found in Top AntiVirus Software


Cybersecurity researchers have disclosed details of vulnerabilities in popular antivirus solutions that could enable attackers to elevate their privileges, helping malware sustain its foothold on compromised systems.

The flaws were found in antivirus products including:

  • Kaspersky
  • McAfee
  • Symantec
  • Fortinet
  • Check Point
  • Trend Micro
  • Avira
  • Microsoft Defender

According to CyberArk, the root cause of many of these bugs is the default DACL (Discretionary Access Control List) of the C:\ProgramData directory. On Windows, ProgramData is used by applications to store data that is not specific to a user, so processes running at different privilege levels end up sharing it.

Below is the list of CVEs assigned to the affected antivirus products:

  • Kaspersky Security Center – CVE-2020-25043, CVE-2020-25044, CVE-2020-25045
  • McAfee Endpoint Security and McAfee Total Protection – CVE-2020-7250, CVE-2020-7310
  • Symantec Norton Power Eraser – CVE-2019-1954
  • Fortinet FortiClient – CVE-2020-9290
  • Check Point ZoneAlarm and Check Point Endpoint Security – CVE-2019-8452
  • Trend Micro HouseCall for Home Networks – CVE-2019-19688, CVE-2019-19689, and three more unassigned flaws
  • Microsoft Defender – CVE-2019-1161

In one case, it was observed that two different processes — one privileged and the other run as an authenticated local user — shared the same log file, potentially allowing an attacker to exploit the privileged process to delete the file and create a symbolic link that would point to any desired arbitrary file with malicious content.

CyberArk researchers also explored the possibility of creating a new folder in “C:\ProgramData” before a privileged process is executed.

In Trend Micro, Fortinet and other antivirus products, the researchers also found DLL hijacking flaws: an attacker who can place a malicious DLL in the application directory gets it loaded by the privileged process and thereby elevates privileges.

“The implications of these bugs are often full privilege escalation of the local system,” CyberArk researchers said. “Due to the high privilege level of security products, an error in them could help malware to sustain its foothold and cause more damage to the organization.”

How to Fix it?

  • Changing DACLs before usage – Restrict the DACLs of the product's directories before they are used. This matters especially when the uninstallation or update procedure contains cleanup code that deletes them; without restricted DACLs, that cleanup turns into an arbitrary-delete vulnerability.
  • Correct impersonation – When a file is accessed from two different security contexts, make sure the privileged process impersonates the user correctly on every code path (easier said than done in some cases), or simply use two different files. A file that cannot be deleted also prevents the creation of a mount point to \RPC Control.
  • Updating the installation framework – Update the framework to the latest version from the official site, and consider switching to Windows MSIs, which are safer. This vulnerability class also applies to custom installers that do not use any third-party framework.
  • Using LoadLibraryEx – Instead of the old LoadLibrary API, call LoadLibraryEx with the dwFlags argument set to 0x800 (LOAD_LIBRARY_SEARCH_SYSTEM32), which eliminates the chance of loading a rogue DLL from the application directory altogether.
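As an added example (not code from the article, CyberArk or any of the vendors), the PowerShell script below audits a product folder under C:\ProgramData for ACEs that let low-privileged principals create or delete entries, which is the precondition for the folder-planting and delete-and-symlink patterns described above; with -Harden it creates the folder ahead of the privileged process and replaces the inherited DACL with an explicit one. The path C:\ProgramData\ExampleAVProduct is an assumed placeholder, and the script must run elevated to change the ACL.

```powershell
# Added example, not code from the article or CyberArk. Audits a product folder under
# C:\ProgramData for ACEs that give low-privileged principals write/delete rights,
# and optionally re-creates the folder with a restricted DACL before first use.
# $ProductDir is an assumed placeholder; run elevated when using -Harden.
param(
    [string]$ProductDir = 'C:\ProgramData\ExampleAVProduct',
    [switch]$Harden
)

# Rights that enable the plant-a-file / delete-and-symlink pattern described above.
$RiskyRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'

# Low-privilege principals that typically inherit rights from C:\ProgramData.
$LowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'CREATOR OWNER')

function Test-RiskyDacl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$RiskyRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($Harden) {
    # Create the folder ourselves, ahead of the privileged process, then cut inheritance
    # and grant full control only to SYSTEM and Administrators.
    New-Item -ItemType Directory -Path $ProductDir -Force | Out-Null
    $acl = Get-Acl -Path $ProductDir
    $acl.SetAccessRuleProtection($true, $false)   # protect the DACL, drop inherited ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $ProductDir -AclObject $acl
}

# An empty report means no low-privileged principal can create or delete entries here.
Test-RiskyDacl -Path $ProductDir | Format-Table -AutoSize
```

ACEs expressed as generic rights (GENERIC_ALL and friends) show up as large numeric values and are not mapped by the bitwise test, so review any such entry by hand.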

Published October 7th, 2020 | Security Update, Software Issues

About the Author:

FirstHackersNews- Identifies Security
