Cyber Security researchers disclosed details of vulnerabilities found in popular Anti-Virus solutions that could enable attackers to elevate their privileges, thereby helping malware sustain its foothold on the compromised systems.
The flaws were found in antivirus solutions including:
- Check Point
- Trend Micro
- Avira
- Microsoft Defender
According to CyberArk, the root cause of many of the bugs is the default DACL (Discretionary Access Control List) of the C:\ProgramData directory. On Windows, the ProgramData directory is used by applications to store data that is not specific to a user.
Below is the list of CVEs assigned to the vulnerabilities found in the antivirus products:
| Product | CVE(s) |
|---|---|
| Kaspersky Security Center | CVE-2020-25043, CVE-2020-25044, CVE-2020-25045 |
| McAfee Endpoint Security and McAfee Total Protection | CVE-2020-7250, CVE-2020-7310 |
| Symantec Norton Power Eraser | CVE-2019-1954 |
| Check Point ZoneAlarm and Check Point Endpoint Security | CVE-2019-8452 |
| Trend Micro HouseCall for Home Networks | CVE-2019-19688, CVE-2019-19689, and three more unassigned flaws |
In one case, it was observed that two different processes — one privileged and the other run as an authenticated local user — shared the same log file, potentially allowing an attacker to exploit the privileged process to delete the file and create a symbolic link that would point to any desired arbitrary file with malicious content.
CyberArk researchers also explored the possibility of creating a new folder in “C:\ProgramData” before a privileged process is executed.
In Trend Micro, Fortinet, and other antivirus products, the researchers found a major flaw class, DLL hijacking, in which an attacker could place a malicious DLL file into the application directory and elevate privileges.
“The implications of these bugs are often full privilege escalation of the local system,” CyberArk researchers said. “Due to the high privilege level of security products, an error in them could help malware to sustain its foothold and cause more damage to the organization.”
How to Fix it?
- Changing DACLs before usage – Alter the DACLs before the directory is used, provided there is cleanup code in the uninstallation/update procedure; without that cleanup, the product remains vulnerable to an arbitrary delete.
- Correct impersonation – When a file is accessed from two different security contexts, make sure the privileged process impersonates correctly on every code path (easier said than done in some cases), or simply use two different files. A file that cannot be deleted prevents the creation of a mount point to \RPC Control.
- Updating the installation framework – Update the framework to the latest version from the official site, and consider switching to Windows MSIs, which are safer. This vulnerability class also applies to custom installers that do not use any third-party framework.
- Using LoadLibraryEx – Instead of the old LoadLibrary API, call LoadLibraryEx with the dwFlags argument set to 0x800 (LOAD_LIBRARY_SEARCH_SYSTEM32), which eliminates the chance of loading a rogue DLL altogether.
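As an added example that is not CyberArk's or any vendor's code, the PowerShell below audits C:\ProgramData subdirectories for DACL entries that give low-privileged principals the write or delete rights behind the symbolic-link and arbitrary-delete issues described above, and shows the "changing DACLs before usage" mitigation by creating a product folder with an explicit, non-inherited DACL. The principal list, the set of rights treated as risky, and the function names are this example's own assumptions.

```powershell
# Added example; the principals, right set and function names are assumptions.
$Root = 'C:\ProgramData'   # directory the research identifies as the root cause

# Principals a standard local user belongs to by default.
$LowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a non-admin plant, replace or delete files in a directory.
$Risky = [System.Security.AccessControl.FileSystemRights]::Write -bor
         [System.Security.AccessControl.FileSystemRights]::Delete -bor
         [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

function Find-WeakProgramDataAcl {
    param([string]$Path = $Root)
    Get-ChildItem -Path $Path -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPriv -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $Risky) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $_.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True = inherited from ProgramData's default DACL
            }
        }
    }
}

# Mitigation: create the product's folder with an explicit DACL (SYSTEM and
# Administrators only, inheritance disabled) before any privileged process
# writes logs or drops files into it.
function New-HardenedProgramDataDir {
    param([Parameter(Mandatory)][string]$Name)
    $dir = New-Item -ItemType Directory -Path (Join-Path $Root $Name) -Force
    $acl = Get-Acl -LiteralPath $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs entirely
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    $dir
}

Find-WeakProgramDataAcl | Format-Table -AutoSize
```

Run the audit from an elevated prompt so every subdirectory's ACL can be read; rows with Inherited set to False are directories whose owning product chose to grant those rights itself.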