CyberArk Labs Experts Identified Bugs in Popular Antivirus Products
CyberArk Labs specialists published a report revealing a number of bugs in popular antivirus products from leading industry brands. According to this report, high privileges of antivirus software make it more vulnerable.
As a result, security solutions can be used for file manipulation attacks, and malware can gain elevated rights in the system.
Errors of this kind have been found in products from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, and Microsoft Defender.
Currently, developers have already fixed all the problems, and the identifiers assigned to them can be seen below (Avast and F-Secure solutions are still awaiting CVE assignment).
| Antivirus | Vulnerabilities |
| Kaspersky Security Center | CVE-2020-25043, CVE-2020-25044, CVE-2020-25045 |
| McAfee Endpoint Security and McAfee Total Protection | CVE-2020-7250, CVE-2020-7310 |
| Symantec Norton Power Eraser | CVE-2019-1954 |
| Fortinet FortiClient | CVE-2020-9290 |
| Check Point ZoneAlarm and Check Point Endpoint Security | CVE-2019-8452 |
| Trend Micro HouseCall for Home Networks | CVE-2019-19688, CVE-2019-19689 and three more problems, so far without identifiers CVE |
| Avira | CVE-2020-13903 |
| Microsoft Defender | CVE-2019-1161 |
Researchers say that the main flaws found in anti-viruses are the ability to delete files from arbitrary locations, which allows an attacker to erase any file on the system. Researches also noted similar file corruption vulnerability, which allows deleting the contents of any file on the system.
According to the report, problems mainly arise from the default DACLs (Discretionary Access Control Lists) for the C:\ProgramData folder on Windows, which is used by applications to store user data without additional permissions.
“Since every user can writing and deleting rights at the base directory level, there is an increased likelihood of abuse of privilege escalation when an unprivileged process creates a new folder in ProgramData, which can then be accessed by a privileged process”, – say CyberArk Labs researchers.
It has been observed that when two different processes (one privileged and the other running as an authenticated local user) share the same log file, an attacker can use the privileged process to delete the file and create a symbolic link that points to an arbitrary file with malicious content.
CyberArk Labs analysts also examined the possibility of creating a new folder in C:\ProgramData before executing the privileged process.
Specifically, they found that the McAfee antivirus installation process starts after the McAfee folder is created, at which time a standard user has full control over the directory, can gain elevated privileges, and execute a symlink attack.
In addition, the researchers report that Trend Micro products, Fortinet, and so on may have been used to place a malicious DLL file in the application directory and then escalate privileges.
Let me remind about the fact that Microsoft Defender Antivirus for Windows 10 allows using it to download viruses, malware, and other files to Windows computer. However, Microsoft specialists have also fixed this bug.
