Who’s Guarding the Guards Themselves?
Flaws in popular anti-malware or antivirus software may unwittingly assist malware in gaining access to your system.
As per research by CyberARK, certain flaws in antivirus software provide threat actors with the capability of privilege escalation in vulnerable systems. The number of exposed machines is huge, especially when every Windows system has at least one such software that can be exploited via file manipulation.
Why the bugs?
- According to the researchers, the bugs stem from Default Discretionary Access Control Lists (DACLs) of the C:\ProgramData directory. These lists are used by various applications to store data without without requiring additional permissions.
- As this process is not connected to a specific user, if a non-privileged user created a directory in ProgramData can be used later by a privileged process.
- The insufficient address space verification within IOCTL handlers of device drivers is another cause for the security risks in antivirus solutions.
Affected antivirus products
- Kaspersky: CVE-2020-25045, CVE-2020-25044, CVE-2020-25043
- McAfee: CVE-2020-7250, CVE-2020-7310
- Symantec: CVE-2019-19548
- Fortinet: CVE-2020-9290
- Checkpoint: CVE-2019-8452
- Trend Micro: CVE-2019-19688, CVE-2019-19689 +3
- Avira: CVE-2020-13903
- Microsoft: CVE-2019-1161
These flaws are not the only way to reach infected systems. Other related incidents include:
- Windows 10 Microsoft Store can be exploited by a technique - wsreset.exe - that can bypass antivirus protection on a system, along with evading detection.
- The KryptoCibule malware family has been detected to dodge anti-malware to steal cryptocurrency.
The bugs listed at the beginning of the article allow full privileged escalation on local systems. Malicious actors can even gain a foothold in the system and wreak havoc on an organization. Although these flaws have been addressed by the vendors, the discovery points to how the protectors of your system can also fall prey to malicious attacks.