Security researchers have published details of vulnerabilities in popular antivirus products that could allow attackers to escalate their privileges.
A report assembled by the CyberArk security team explains that the high privileges anti-malware products run with are the root of the problem: those privileges make the products attractive targets for file-manipulation attacks, and a flaw in one of them can hand malware elevated permissions on the system.
Affected Antivirus and Associated CVEs
- Kaspersky: CVE-2020-25045, CVE-2020-25044, CVE-2020-25043
- McAfee: CVE-2020-7250, CVE-2020-7310
- Symantec: CVE-2019-19548
- Fortinet: CVE-2020-9290
- Check Point: CVE-2019-8452
- Trend Micro: CVE-2019-19688, CVE-2019-19689 (+3 more)
- Avira: CVE-2020-13903
- Microsoft: CVE-2019-1161
- Avast: Waiting for Mitre
- F-Secure: Waiting for Mitre
The ProgramData folder is used by applications to store data that is not specific to a single user. Services and other processes that do not run in the context of a particular user therefore write to ProgramData rather than to %LocalAppData%, which belongs to the currently logged-in user.
All of these bugs stem from the default DACLs on the Windows “C:\ProgramData” folder. As noted above, applications store data there without requesting any further permission.
Most users have both write and delete permissions at the top level of the folder, which opens the door to privilege escalation: a non-privileged process can create a new folder in “ProgramData” that a privileged process later uses.
Shared Log File Bug
Sharing the same log file between privileged and non-privileged processes can allow an attacker to abuse the privileged process: delete the files, then create a symbolic link pointing to any arbitrary file of their choosing and have it filled with malicious content.
The CyberArk researchers also demonstrated that it is possible to create a new folder in “C:\ProgramData” before the privileged process associated with the antivirus software runs and creates it itself.
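The two conditions described above (top-level ProgramData folders that low-privileged principals may write to or delete, and reparse points planted inside them) can be audited from the defender's side. The following read-only PowerShell script is an added example, not part of the CyberArk report or any vendor's code; the SIDs listed are the standard well-known ones, and the choice to look for links only inside writable folders is a design assumption explained below.

```powershell
# Added example, not part of the CyberArk report: a read-only audit of
# %ProgramData% for the two conditions the article describes.
#   1. top-level folders that low-privileged principals may write to or delete
#   2. reparse points (symbolic links / junctions) inside those folders, the
#      artifact a log-file redirection leaves behind
# Run from an elevated prompt; nothing is modified.

$LowPrivSids = @(
    'S-1-5-32-545'  # BUILTIN\Users
    'S-1-5-11'      # Authenticated Users
    'S-1-1-0'       # Everyone
)

# Rights that let a caller replace or remove content a privileged process will later trust
$DangerousRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

function Get-LowPrivWritableFolders {
    param([string]$Root = $env:ProgramData)   # normally C:\ProgramData

    Get-ChildItem -LiteralPath $Root -Directory -Force | ForEach-Object {
        $folder = $_
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # orphaned or unresolvable account: skip it
            if ($LowPrivSids -contains $sid -and
                (($ace.FileSystemRights -band $DangerousRights) -ne 0)) {
                [pscustomobject]@{
                    Folder    = $folder.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # $true = inherited from the ProgramData root
                }
            }
        }
    }
}

function Get-ReparsePoints {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Folder)
    process {
        Get-ChildItem -LiteralPath $Folder -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0 } |
            Select-Object FullName, LinkType, Target
    }
}

# Usage: list the writable folders, then search for links only where a
# low-privileged user could actually have created them.
$writable = Get-LowPrivWritableFolders
$writable | Format-Table -AutoSize
$writable | Select-Object -ExpandProperty Folder -Unique | Get-ReparsePoints | Format-Table -AutoSize
```

The `Inherited` column is the useful signal: an allow entry for Users that is inherited from the ProgramData root means the owning product never set its own DACL, which is exactly the pattern the report describes. Restricting the reparse-point search to those folders keeps the scan fast and focuses it on the places where an unprivileged process could have planted a link; a link found there is worth correlating with the product's log and update paths.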
DLL hijacking gives malicious users further ways to escalate their privileges. It is especially attractive to attackers because vendors update their internal components but often neglect to update the installer package.
Privilege escalation through DLL hijacking does not have to depend on writable directories in %PATH%. Below is a partial list of installation frameworks that have been found vulnerable to such attacks:
- NSIS installer
- WiX installer
According to the CyberArk report, several mitigations address these vulnerabilities, and they are straightforward to apply:
- Change DACLs before Usage
- Correct Impersonation
- Update Installation Framework
- Use LoadLibraryEx
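The first mitigation, changing the DACL before use, is easy to show concretely. The PowerShell below is an added example and not vendor code: it creates a product folder under %ProgramData% with an explicit DACL that stops inheriting the root's write and delete entries for Users, refuses to adopt a folder that already exists, and refuses to open a log file whose path crosses a reparse point. The folder name `ExampleAV` and the file name `agent.log` are assumptions for illustration.

```powershell
# Added example, not vendor code: "change DACLs before usage" applied to a
# product folder under %ProgramData%, plus a reparse-point check before a
# privileged process writes its log. Folder and file names are assumptions.

function New-HardenedDataFolder {
    param([Parameter(Mandatory)][string]$Path)

    # Without -Force, New-Item fails if the folder already exists, so a folder
    # pre-created by a low-privileged user is never silently adopted.
    $dir = New-Item -ItemType Directory -Path $Path -ErrorAction Stop

    $acl = Get-Acl -LiteralPath $dir.FullName
    # Stop inheriting the ProgramData root's "Users: write/delete" entries
    # (isProtected = $true) and discard the inherited copies (preserveInheritance = $false).
    $acl.SetAccessRuleProtection($true, $false)

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $entries = @(
        @{ Sid = 'S-1-5-18';     Rights = 'FullControl' }      # NT AUTHORITY\SYSTEM
        @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl' }      # BUILTIN\Administrators
        @{ Sid = 'S-1-5-32-545'; Rights = 'ReadAndExecute' }   # BUILTIN\Users: read only
    )
    foreach ($e in $entries) {
        $sid  = [System.Security.Principal.SecurityIdentifier]::new($e.Sid)
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $sid,
            [System.Security.AccessControl.FileSystemRights]$e.Rights,
            $inherit, $propagate,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    return $dir
}

function Open-LogFileChecked {
    param([Parameter(Mandatory)][string]$Path)

    # Walk every component of the path: a reparse point anywhere along it means
    # the write would land somewhere other than the intended file.
    $parts = $Path -split '[\\/]+' | Where-Object { $_ -ne '' }
    if ($parts.Count -lt 2) { throw "Expected an absolute path, got '$Path'" }
    $current = $parts[0] + '\'
    foreach ($part in $parts[1..($parts.Count - 1)]) {
        $current = Join-Path -Path $current -ChildPath $part
        if (Test-Path -LiteralPath $current) {
            $item = Get-Item -LiteralPath $current -Force
            if (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) {
                throw "Refusing to write: '$current' is a reparse point to '$($item.Target)'"
            }
        }
    }
    # Append creates a missing file and never truncates an existing one.
    return [System.IO.File]::Open($Path, [System.IO.FileMode]::Append,
        [System.IO.FileAccess]::Write, [System.IO.FileShare]::Read)
}

# Usage (run elevated; 'ExampleAV' and 'agent.log' are assumed names):
$folder = New-HardenedDataFolder -Path (Join-Path $env:ProgramData 'ExampleAV')
$stream = Open-LogFileChecked -Path (Join-Path $folder.FullName 'agent.log')
try {
    $bytes = [System.Text.Encoding]::ASCII.GetBytes("service started`r`n")
    $stream.Write($bytes, 0, $bytes.Length)
} finally {
    $stream.Dispose()
}
```

Two design points are worth noting. The explicit DACL is the mitigation that actually removes the attack surface: once Users can no longer create or delete entries inside the product folder, there is nowhere for an unprivileged process to place a link. The path walk in `Open-LogFileChecked` is a check rather than a guarantee, because a link could in principle appear between the check and the open; a native implementation would open the final component with `CreateFile` and `FILE_FLAG_OPEN_REPARSE_POINT` so that a link at that position is not followed, and rely on the folder's DACL to prevent links from being created above it.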
The mitigations listed above are effective and easy to apply. The impact of these bugs is typically full privilege escalation on the local system.
Because security products run with such high privileges, a single flaw can help malware maintain its foothold and cause further damage to the organization.