
CyberArk Labs Experts Identified Bugs in Popular Antivirus Products

CyberArk Labs specialists published a report revealing a number of bugs in popular antivirus products from leading industry brands. According to the report, the high privileges that antivirus software runs with make it more vulnerable to abuse.

As a result, security solutions can be abused for file manipulation attacks, and malware can gain elevated rights on the system.

Errors of this kind have been found in products from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, and Microsoft Defender.

All of the problems have since been fixed by the vendors, and the identifiers assigned to them are listed below (the Avast and F-Secure issues are still awaiting CVE assignment).

Antivirus: Vulnerabilities
Kaspersky Security Center: CVE-2020-25043, CVE-2020-25044, CVE-2020-25045
McAfee Endpoint Security and McAfee Total Protection: CVE-2020-7250, CVE-2020-7310
Symantec Norton Power Eraser: CVE-2019-1954
Fortinet FortiClient: CVE-2020-9290
Check Point ZoneAlarm and Check Point Endpoint Security: CVE-2019-8452
Trend Micro HouseCall for Home Networks: CVE-2019-19688, CVE-2019-19689, and three more issues that have not yet received CVE identifiers
Avira: CVE-2020-13903
Microsoft Defender: CVE-2019-1161

Researchers say that the main flaw found in the antivirus products is the ability to delete files from arbitrary locations, which allows an attacker to erase any file on the system. The researchers also noted a similar file corruption vulnerability, which allows the contents of any file on the system to be wiped.

According to the report, the problems mainly arise from the default DACLs (Discretionary Access Control Lists) of the C:\ProgramData folder on Windows, which applications use to store data that must be accessible without additional permissions.

“Since every user has write and delete rights at the base directory level, there is an increased likelihood of abuse for privilege escalation when an unprivileged process creates a new folder in ProgramData, which can then be accessed by a privileged process”, say CyberArk Labs researchers.

It has been observed that when two different processes (one privileged, the other running as an authenticated local user) share the same log file, an attacker can use the privileged process to delete the file and create a symbolic link that points to an arbitrary file with malicious content.

CyberArk Labs analysts also examined the possibility of creating a new folder in C:\ProgramData before executing the privileged process.

Specifically, they found that the McAfee antivirus installation process starts only after the McAfee folder has been created, at which point a standard user has full control over the directory and can gain elevated privileges by executing a symlink attack.
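The report's root cause is a ProgramData subfolder that a low-privileged user can write to or delete from while a privileged process trusts it. The following PowerShell script is an added example (not CyberArk's code and not from any vendor): it audits C:\ProgramData subfolders for ACEs that grant such rights to low-privileged principals, and shows how a privileged installer or service can create its own folder with inheritance disabled instead of adopting one that may already exist. The principal list, the rights treated as dangerous, and the folder paths are assumptions.

```powershell
# Added example: audit ProgramData subfolders for low-privilege write/delete access.
# Assumption: these principals are the ones any local user is a member of.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
# Rights that let a user plant, replace, or remove files/links inside a directory.
$DangerousRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

function Find-LowPrivWritableFolders {
    param([string]$Root = 'C:\ProgramData')
    Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $dir = $_.FullName
        $acl = Get-Acl -Path $dir -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            $raw = [int64]$ace.FileSystemRights
            # Generic rights (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) also imply write access.
            $generic  = ($raw -band 0x50000000) -ne 0
            $specific = ($raw -band [int64]$DangerousRights) -ne 0
            if ($generic -or $specific) {
                [pscustomobject]@{
                    Path = $dir; Principal = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Mitigation pattern for a privileged component: create the folder yourself, refuse a
# pre-existing one, and replace the inherited ProgramData DACL with a restrictive one.
function New-ProtectedServiceFolder {
    param([Parameter(Mandatory)][string]$Path)   # e.g. 'C:\ProgramData\ExampleVendor' (placeholder)
    if (Test-Path -Path $Path) { throw "Refusing to adopt pre-existing folder '$Path'; check its owner and DACL first." }
    $null = New-Item -ItemType Directory -Path $Path
    $acl  = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
    $inh  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($p in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($p, 'FullControl', $inh, $prop, 'Allow')))
    }
    # Standard users may read the folder but cannot create, replace, or delete anything in it.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', 'ReadAndExecute', $inh, $prop, 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

Find-LowPrivWritableFolders | Format-Table -AutoSize
```

Run the audit from any account; the hardening function needs an elevated prompt, and a folder it reports as inherited-writable for BUILTIN\Users is exactly the situation the report describes.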

In addition, the researchers report that products from Trend Micro, Fortinet, and others could be abused to place a malicious DLL file in the application directory and then escalate privileges.

Let me also remind you that Microsoft Defender Antivirus for Windows 10 could be used to download viruses, malware, and other files onto a Windows computer. Microsoft specialists have fixed that bug as well.

About The Author
Vladimir Krasnogolovy