

Security researchers from CyberArk Labs published the details of security vulnerabilities found in popular antivirus solutions. The flaws could be exploited by attackers to escalate their privileges on the target system.

Experts reported that multiple anti-malware products are vulnerable to exploitation via file manipulation attacks, including antivirus solutions from Kaspersky, Trend Micro, Fortinet, McAfee, Check Point, Avira, Symantec and Microsoft Defender. The security vendors have addressed the vulnerabilities reported by the researchers.

“We begin with the first cause of many bugs, which is the default DACLs of the C:\ProgramData directory. On Windows, the ProgramData directory is used by applications to store data that is not specific to a user. This means that processes/services that are not tied to a specific user would probably use ProgramData instead of the %LocalAppData%, which is accessible by the currently logged-in user,” reads the analysis published by CyberArk.

The flaws could be abused to delete files from arbitrary locations, giving the attacker the ability to delete any file on the system.

A privilege escalation could be achieved when a non-privileged process creates a new folder in “ProgramData” that could be later accessed by a privileged process, like the one associated with an antivirus solution.

The analysis provides details about a shared log file issue that affects the antivirus solution designed by Avira.

An attacker could delete the shared file and replace it with a symlink pointing to an arbitrary file on the target system, so that when the privileged process writes to the log it writes malicious content to that location instead.
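The defensive counterpart to the shared log file scenario is that a privileged process should verify the path it is about to write to before opening it. The following PowerShell is an added example written for this page; it is not CyberArk's code and not code from Avira or any other vendor named here. The log path, the `ExampleVendor` directory and the `Test-TrustedPath` function name are constructed placeholders. The check walks every existing component of the path, rejects any reparse point (symlink, junction or mount point) and rejects any component owned by a principal other than SYSTEM or Administrators, since an attacker-created directory is owned by the attacker.

```powershell
# Added example (not CyberArk's code or any vendor's): a pre-write check a
# privileged service could apply to a shared log path under C:\ProgramData.
# $LogPath is a constructed placeholder, not a path from the research.
$LogPath = 'C:\ProgramData\ExampleVendor\Logs\service.log'

function Test-TrustedPath {
    param([Parameter(Mandatory)][string]$Path)

    # Owners a privileged process should accept for its own directories/files.
    $trustedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

    # Walk each existing component below the drive root. A reparse point
    # (symlink, junction, mount point) anywhere in the chain means the name
    # we are about to open can resolve to a location someone else chose; an
    # untrusted owner means a standard user controls that component's DACL.
    $parts   = @($Path -split '\\' | Where-Object { $_ -ne '' })
    $current = $parts[0] + '\'                      # e.g. "C:\"
    foreach ($part in ($parts | Select-Object -Skip 1)) {
        $current = Join-Path $current $part
        if (-not (Test-Path -LiteralPath $current)) { break }   # rest not created yet
        $item = Get-Item -LiteralPath $current -Force
        if ($item.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)) {
            Write-Warning "Reparse point in path: $current (LinkType=$($item.LinkType))"
            return $false
        }
        $owner = (Get-Acl -LiteralPath $current).Owner
        if ($trustedOwners -notcontains $owner) {
            Write-Warning "Untrusted owner '$owner' on $current"
            return $false
        }
    }
    return $true
}

# Only append to the log once every existing component passed the checks.
if (Test-TrustedPath -Path $LogPath) {
    Add-Content -LiteralPath $LogPath -Value "$(Get-Date -Format o) service started"
} else {
    Write-Error "Refusing to write to $LogPath"
}
```

The check and the subsequent write are not atomic, so a race window remains between them; the durable fix is a restrictive DACL on the vendor directory so that no standard user can create or replace entries in it, with native code opening files in a way that rejects reparse points. The check above is still useful as a detection point: a warning from it in a privileged service's own log is a strong indicator that someone is tampering with its data directory.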

CyberArk researchers pointed out that it is possible to create a new folder in “C:\ProgramData” before a privileged process is executed.

The experts explained that if the “McAfee” folder is created before the McAfee antivirus installer runs, the standard user who created it has full control over the directory, which means that a local user could gain elevated permissions through a symlink attack.

Researchers reported DLL hijacking flaws in Trend Micro, Fortinet, and other antivirus solutions that could allow attackers to place a malicious DLL in the application directory, have the product load it, and gain elevated privileges.
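Both the ProgramData folder problem described above (a standard user pre-creating a vendor directory and inheriting full control over it) and the DLL hijacking problem (an application directory a standard user can write to) come down to the same question: which directories that a privileged product writes to or loads from can a low-privileged account modify? The PowerShell below is an added example for this page, not code from CyberArk or from any vendor named in the article. Part 1 audits a directory tree and reports every allow ACE that gives `Users`, `Authenticated Users`, `INTERACTIVE` or `Everyone` the ability to add, replace or delete entries or to rewrite the DACL. Part 2 shows how an installer can create its data directory with an explicit DACL instead of inheriting the ProgramData defaults, and refuses a directory that already exists under an untrusted owner. The `ExampleVendor` paths and both function names are constructed placeholders.

```powershell
# Added example, not code from CyberArk or from any vendor named in the
# article. 'ExampleVendor' paths are constructed placeholders.

$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that let a user add, replace or remove entries, or rewrite the DACL.
# Modify and FullControl are supersets of these, so -band catches them too.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeRights = $fsr::CreateFiles -bor $fsr::CreateDirectories -bor $fsr::Delete -bor
               $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor
               $fsr::TakeOwnership

# Part 1: report directories under each root where a low-privileged
# principal holds one of the write-type rights above.
function Get-UserWritableDirectory {
    param([Parameter(Mandatory)][string[]]$Root)

    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        $dirs = @(Get-Item -LiteralPath $r -Force) +
                @(Get-ChildItem -LiteralPath $r -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if ([int]($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Part 2: create a product data directory with an explicit, non-inherited
# DACL, and refuse one that somebody else created first.
function New-RestrictedDataDirectory {
    param([Parameter(Mandatory)][string]$Path)

    $trustedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

    # The pre-creation case from the article: if the directory already exists
    # and a standard user owns it, that user has full control over it.
    if (Test-Path -LiteralPath $Path) {
        $owner = (Get-Acl -LiteralPath $Path).Owner
        if ($trustedOwners -notcontains $owner) {
            throw "$Path already exists and is owned by '$owner'; refusing to reuse it"
        }
    }
    $dir = New-Item -ItemType Directory -Path $Path -Force
    $acl = Get-Acl -LiteralPath $dir.FullName

    # Break inheritance and discard the inherited ProgramData ACEs
    # (including CREATOR OWNER, which hands creators full control).
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($rule in @(
            @('NT AUTHORITY\SYSTEM',    'FullControl'),
            @('BUILTIN\Administrators', 'FullControl'),
            @('BUILTIN\Users',          'ReadAndExecute'))) {   # read-only for users
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $rule[0], $rule[1], $inherit, $prop, 'Allow')))
    }
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    return $dir
}

# Usage: audit the trees a privileged product uses, then create its
# directory the safe way (run elevated).
Get-UserWritableDirectory -Root 'C:\ProgramData', 'C:\Program Files\ExampleVendor' |
    Format-Table -AutoSize
New-RestrictedDataDirectory -Path 'C:\ProgramData\ExampleVendor' | Out-Null
```

Run against `C:\ProgramData` itself, the audit reports the root, because the default DACL there lets `BUILTIN\Users` create files and subdirectories; that is exactly the condition the CyberArk quote above describes, and any vendor subdirectory that appears in the same report with an inherited ACE is one a standard user could have created first. The audit only matches the listed well-known principals, so a directory whose explicit ACE names an individual user account (what a user-created folder looks like after inheritance resolves CREATOR OWNER) shows up through the owner check in Part 2 rather than in Part 1.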

The list of issues discovered by the experts is reported below:

  • Kaspersky: CVE-2020-25045, CVE-2020-25044, CVE-2020-25043
  • McAfee: CVE-2020-7250, CVE-2020-7310
  • Symantec: CVE-2019-19548
  • Fortinet: CVE-2020-9290
  • Check Point: CVE-2019-8452
  • Trend Micro: CVE-2019-19688, CVE-2019-19689 +3
  • Avira: CVE-2020-13903
  • Microsoft: CVE-2019-1161
  • Avast and F-Secure: waiting for MITRE

“The implications of these bugs are often full privilege escalation of the local system. Due to the high privilege level of security products, an error in them could help malware to sustain its foothold and cause more damage to the organization,” said CyberArk researchers.
