Cybersecurity researchers today unveiled details of security vulnerabilities found in popular anti-virus solutions that could enable attackers to elevate their privileges, thereby helping malicious software maintain its foothold on compromised systems.
According to a report published today by CyberArk researcher Eran Shimony and shared with The Hacker News, the high privileges often associated with anti-malware products make them more vulnerable to exploitation through file manipulation attacks, leading to a scenario where malicious software gains higher permissions on the system.
The bugs affect a wide range of antivirus solutions, including those from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, and Microsoft Defender, all of which have since been fixed by their respective vendors.
Chief among the flaws are the ability to delete files from arbitrary locations, allowing the attacker to delete any file in the system, as well as a file corruption vulnerability that allows a bad actor to wipe the contents of any file in the system.
Per CyberArk, the bugs originate from the default DACLs (short for Discretionary Access Control Lists) of the Windows "C:\ProgramData" folder, which applications use to store data for standard users without requiring additional permissions.
Given that all users have write and delete permissions at the base directory level, the likelihood of privilege escalation increases when an unprivileged process creates a new folder in "ProgramData" that a privileged process later accesses.
| Product | CVE(s) |
|---|---|
| Kaspersky Security Center | CVE-2020-25043, CVE-2020-25044, CVE-2020-25045 |
| McAfee Endpoint Security and McAfee Total Protection | CVE-2020-7250, CVE-2020-7310 |
| Symantec Norton Power Eraser | CVE-2019-1954 |
| Check Point ZoneAlarm and Check Point Endpoint Security | CVE-2019-8452 |
| Trend Micro HouseCall for Home Networks | CVE-2019-19688, CVE-2019-19689, and three other flaws without assigned CVEs |
In one case, two different processes, one privileged and the other running as an authenticated local user, were found to share the same log file, potentially allowing an attacker to exploit the privileged process to delete the file and create a symbolic link pointing to any arbitrary file of the attacker's choosing with malicious content.
Subsequently, CyberArk researchers also explored the possibility of creating a new folder in "C:\ProgramData" before a privileged process is run.
In doing so, they discovered that when the McAfee antivirus installer is run after the "McAfee" folder has already been created, the standard user retains full control over the directory, allowing the local user to gain elevated permissions by performing a symlink attack.
On top of all that, an attacker could have exploited a DLL hijacking vulnerability in Trend Micro, Fortinet, and other antivirus solutions by placing a malicious DLL file in the application's directory to escalate privileges.
Urging that access control lists must be restrictive to prevent arbitrary deletion vulnerabilities, CyberArk emphasized the need to update installation frameworks to mitigate DLL hijacking attacks.
While these issues have since been addressed, the report is a reminder that vulnerabilities in software, including software meant to provide anti-virus protection, can become a vehicle for malware.
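The two conditions described above, a "C:\ProgramData" subfolder that standard users can write to or delete from (or that a standard user owns because they pre-created it), and the need for a product's data folder to carry a restrictive ACL that does not inherit those defaults, can be checked and remediated with a short PowerShell script. The following is an added example written for this article; it is not code from the CyberArk report or from any of the vendors named. The lists of low-privilege principals and trusted owners are reasonable defaults rather than anything the report specifies, and the folder name "ExampleProduct" in the usage comment is a placeholder.

```powershell
# Added example (not from the CyberArk report or The Hacker News article).
# Get-WeakProgramDataFolder lists %ProgramData% subfolders where a low-privileged
# principal can add, replace or delete entries, or where the owner is not a
# trusted system account (the pre-created-folder case). Protect-ProductDataFolder
# re-ACLs a product's own folder so it no longer inherits ProgramData's defaults.
# Requires Windows; Protect-ProductDataFolder must run from an elevated session.

# Principals a standard user holds by default (assumed list, adjust per environment).
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'CREATOR OWNER'
)
# Owners a privileged product's folder is normally expected to have (assumed list).
$TrustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)
# Rights that let a principal create, replace or remove directory entries, or
# rewrite the DACL itself; any of these is enough for the attacks the report describes.
$RiskyRights = 0
foreach ($name in 'CreateFiles', 'CreateDirectories', 'Delete',
                  'DeleteSubdirectoriesAndFiles', 'WriteDacl', 'TakeOwnership') {
    $RiskyRights = $RiskyRights -bor [int][System.Security.AccessControl.FileSystemRights]$name
}

function Get-WeakProgramDataFolder {
    param([string]$Root = $env:ProgramData)
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        # Allow ACEs granting any risky right to a low-privileged principal.
        $weakAces = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $_.IdentityReference.Value -and
            (([int]($_.FileSystemRights) -band $RiskyRights) -ne 0)
        })
        $ownerUntrusted = $TrustedOwners -notcontains $acl.Owner
        if ($weakAces.Count -eq 0 -and -not $ownerUntrusted) { continue }
        [pscustomobject]@{
            Path           = $dir.FullName
            Owner          = $acl.Owner
            UntrustedOwner = $ownerUntrusted
            WeakAces       = ($weakAces | ForEach-Object {
                                  "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        }
    }
}

function Protect-ProductDataFolder {
    param([Parameter(Mandatory)][string]$Path)
    # Build a fresh DACL rather than editing the inherited one: SYSTEM and
    # Administrators get full control, standard users read/execute only.
    $sec = New-Object System.Security.AccessControl.DirectorySecurity
    $sec.SetAccessRuleProtection($true, $false)   # stop inheriting from ProgramData
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($grant in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Users';          Rights = 'ReadAndExecute' }
    )) {
        $rights = [System.Security.AccessControl.FileSystemRights]$grant.Rights
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $grant.Id, $rights, $inherit, $prop, $allow)
        $sec.AddAccessRule($rule)
    }
    # Reset the owner so a pre-creating standard user no longer holds implicit WRITE_DAC.
    $sec.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -LiteralPath $Path -AclObject $sec
}

# Usage (elevated session):
#   Get-WeakProgramDataFolder | Format-Table -AutoSize
#   Protect-ProductDataFolder -Path (Join-Path $env:ProgramData 'ExampleProduct')  # placeholder name
```

On a default installation the audit will flag most subfolders, because ProgramData's own ACL grants CREATOR OWNER full control on subfolders and lets Users create files and directories; the useful signal is the combination of an untrusted owner or an explicit (non-inherited) weak ACE on a folder that a privileged service later opens. Protect-ProductDataFolder is the shape of the fix the report calls for: the folder stops inheriting the permissive defaults and the owner is reset, so a folder created ahead of the installer no longer leaves the creating user in control.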
"The implications of these bugs are often a full privilege escalation of the local system," said CyberArk researchers. "Due to the high privilege level of security products, an error in them could help malware maintain its foothold and cause more damage to the organization."