Security researchers from CyberArk Labs have identified vulnerabilities in popular antivirus products. If successfully exploited, these flaws allow an attacker to escalate privileges on the system. Because antivirus software runs with elevated privileges, bugs in its code are especially dangerous.
Malware that exploits such holes can not only bypass security solutions but also entrench itself firmly in the compromised system.
According to CyberArk Labs, many popular antivirus products can be abused through file-manipulation techniques. Among the affected products, the researchers listed antivirus software from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira and Microsoft Defender.
Fortunately, the vendors have already closed these loopholes, but it is still useful to understand what the issue was.
As the researchers explain, the root cause is the default permissions on the C:\ProgramData directory. This folder is used by applications to store data that is not tied to a specific user, and any user on the system can read and write to it.
“It is logical that processes and services that are not tied to a particular user will use the ProgramData directory. This is why the permissions are configured so that any user can read and write to it, but there is also a gap: an attacker can remove certain files from those folders,” the experts write in the report.
Thus, an attacker can delete such a file and put a symbolic link in its place, so that a privileged process follows the link to an arbitrary file of the attacker's choosing.
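An added defender-side example, not from the CyberArk report: a PowerShell audit that walks the immediate subfolders of C:\ProgramData and reports access control entries that grant low-privilege principals the right to create or delete files, which is the condition behind the file-replacement and symbolic-link issue described above; it also flags folders that are already reparse points. The set of principal SIDs and the rights treated as risky are my assumptions.

```powershell
# Added audit script (not from the CyberArk report). Assumption: the SIDs below
# are the low-privilege principals of interest and the listed rights are the
# ones that allow planting or removing files in a folder.
param([string]$Root = $env:ProgramData)

$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-7'        # Anonymous
)

# Rights that let a user add, replace or delete entries in a directory.
$RiskyRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles,CreateDirectories,Delete,DeleteSubdirectoriesAndFiles,TakeOwnership,ChangePermissions'

function Get-WeakProgramDataAcl {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            # A folder that is already a reparse point deserves a closer look:
            # a privileged service that writes into it follows the link.
            $isReparse = ($dir.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
            try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { return }

            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try {
                    $sid = $ace.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }
                if ($LowPrivSids -notcontains $sid) { continue }
                if (($ace.FileSystemRights -band $RiskyRights) -eq 0) { continue }

                [pscustomobject]@{
                    Directory    = $dir.FullName
                    Principal    = $ace.IdentityReference.Value
                    Rights       = ($ace.FileSystemRights -band $RiskyRights)
                    Inherited    = $ace.IsInherited
                    ReparsePoint = $isReparse
                }
            }
        }
}

Get-WeakProgramDataAcl -Path $Root | Format-Table -AutoSize
```

Many ProgramData subfolders legitimately grant these rights, so the output is a list of places to check whether a privileged service writes to or deletes from them, not a list of vulnerabilities.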
The researchers also reported DLL hijacking vulnerabilities in Trend Micro and Fortinet antivirus products. In this case an attacker can plant a malicious DLL in the directory of the target application and have it loaded and executed with elevated privileges.
- Kaspersky – CVE-2020-25045, CVE-2020-25044, CVE-2020-25043
- McAfee – CVE-2020-7250, CVE-2020-7310
- Symantec – CVE-2019-19548
- Fortinet – CVE-2020-9290
- Check Point – CVE-2019-8452
- Trend Micro – CVE-2019-19688, CVE-2019-19689 +3
- Avira – CVE-2020-13903
- Microsoft – CVE-2019-1161