Antivirus, Anti-Malware Products by Major Vendors Botched With Security Flaws: CyberArk Study

essidsolutions

A CyberArk security researcher found that anti-malware products from all of the major security vendors contain a ‘staggering’ number of bugs, although these can, apparently, be ‘easily eliminated’. If exploited, the newly disclosed bugs could lead to elevation of privilege, arbitrary code execution, and file corruption through symlink and DLL hijacking attacks.

It is unsettling enough that a considerable portion of the internet is swarming with malware whose operators are out to ‘get you’. It is worse when the security programs that users diligently install and run to keep malware at bay turn out to be riddled with vulnerabilities themselves. According to the research, antivirus and anti-malware software from almost every major vendor was found to have such security vulnerabilities.

Eran Shimony, Security Researcher at CyberArk, published his findings after testing anti-malware products from Kaspersky, Symantec, McAfee, Checkpoint, Trend Micro, Fortinet, Avira, Microsoft, Avast and F-Secure. He found that these vulnerabilities can be exploited to gain elevated privileges via file manipulation attacks. Shimony noted in a blog post, “The irony of abusing anti-malware solutions to increase privilege is not lost on me; anti-malware solutions that are supposed to protect the user may unintentionally assist malware in gaining more privileges on the system.”

These vulnerabilities, Shimony explains, stem from two things: anti-malware programs run with high privileges, and their implementations handle system resources carelessly, for example by loading DLLs from locations a standard user can write to, or by following symbolic links while performing privileged file operations. In effect, a product designed to disable malicious activity can inadvertently become its enabler.


So what were these vulnerabilities? Without going into detail for each product, Shimony stated that all of the tested products were vulnerable to DLL hijacking. The CVEs assigned to the individual findings are summarized below.

Product      | CVE              | Severity rating | Description
Kaspersky    | CVE-2020-25045   | 7.8 (High)      | DLL hijacking; allowed a threat actor to elevate privileges on the system
Kaspersky    | CVE-2020-25044   | 7.1 (High)      | Arbitrary file corruption; allowed an attacker to delete the contents of files
Kaspersky    | CVE-2020-25043   | 7.1 (High)      | Arbitrary file corruption; allowed an attacker to delete the contents of files
McAfee       | CVE-2020-7250    | 7.8 (High)      | Symbolic link (symlink) manipulation; grants escalation of privileges
McAfee       | CVE-2020-7310    | 6.9 (Medium)    | Privilege escalation; allows local users to alter files protected by write-protection rules through symlink manipulation
Symantec     | CVE-2019-19548   | 7.8 (High)      | Privilege escalation; an attacker can gain elevated access to protected resources
Fortinet     | CVE-2020-9290    | 7.8 (High)      | Unsafe search path; can result in arbitrary code execution through malicious DLL files
Checkpoint   | CVE-2019-8452    | 7.8 (High)      | Grants high privileges and access rights by changing permissions
Trend Micro  | CVE-2019-19688   | 7.8 (High)      | Privilege escalation through a malicious DLL file
Trend Micro  | CVE-2019-19689   | 7.8 (High)      | Susceptible to DLL hijacking
Avira        | CVE-2020-13903   | NA              | Can result in a symlink attack
Microsoft    | CVE-2019-1161    | 7.1 (High)      | Elevation of privilege; could result in deletion of protected files
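As an added illustration (not code from the CyberArk report or from any of the products named above), the following Python script models the library search-order problem behind the "unsafe search path" and DLL hijacking entries in the table: a loader that probes directories in order and stops at the first match can be subverted by any directory earlier in that order that an unprivileged user can write to, whether the legitimate module exists further down the list or is missing altogether. The directory layout, the module name scanner.dll and the permission heuristic are all constructed for this example; on Windows the equivalent hardening is loading by full path or restricting the DLL search directories, which this POSIX-permission model only approximates.

```python
import os
import stat
import tempfile


def writable_by_unprivileged(directory):
    """Heuristic: a directory that is group- or world-writable is one where a
    non-administrative local user could plant a same-named module.
    (Ownership policy, ACLs and Windows semantics are out of scope here.)"""
    mode = os.stat(directory).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_search_path(library, search_dirs):
    """Walk the search order the way a loader would: report where `library`
    resolves and which directories at or before that point are hijackable.
    A writable directory earlier in the order lets an attacker shadow the
    legitimate module; if the module is never found, every writable
    directory is a planting site for a 'missing DLL' hijack."""
    hijackable = []
    resolved = None
    for d in search_dirs:
        if os.path.isdir(d) and writable_by_unprivileged(d):
            hijackable.append(d)
        candidate = os.path.join(d, library)
        if os.path.isfile(candidate):
            resolved = candidate
            break  # a real loader stops at the first match
    return {"resolved": resolved, "hijackable_dirs": hijackable}


def load_trusted(library, trusted_dirs):
    """Hardened resolution: absolute, non-writable directories only; no
    current directory, no PATH. Raises instead of silently loading from a
    directory an unprivileged user could have written to."""
    for d in trusted_dirs:
        if not os.path.isabs(d):
            raise ValueError("trusted directory must be absolute: %s" % d)
        if writable_by_unprivileged(d):
            raise PermissionError("trusted directory is writable by unprivileged users: %s" % d)
        candidate = os.path.join(d, library)
        if os.path.isfile(candidate):
            return candidate
    raise FileNotFoundError(library)


def demo():
    """Constructed scenario: a 0o755 'app' directory holding the real module and
    a 0o777 'dropzone' directory that precedes it in the search order."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        dropzone = os.path.join(root, "dropzone")
        os.mkdir(app)
        os.chmod(app, 0o755)
        os.mkdir(dropzone)
        os.chmod(dropzone, 0o777)
        lib = "scanner.dll"
        with open(os.path.join(app, lib), "wb") as f:
            f.write(b"MZ legitimate module")

        search_order = [dropzone, app]
        before = audit_search_path(lib, search_order)   # resolves to app, flags dropzone
        with open(os.path.join(dropzone, lib), "wb") as f:  # attacker plants a module
            f.write(b"MZ attacker module")
        after = audit_search_path(lib, search_order)    # now resolves to the planted file

        trusted = load_trusted(lib, [app])
        try:
            load_trusted(lib, search_order)
            rejected = False
        except PermissionError:
            rejected = True

        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        return {
            "resolved_before": rel(before["resolved"]),
            "hijackable_before": [rel(d) for d in before["hijackable_dirs"]],
            "resolved_after": rel(after["resolved"]),
            "trusted": rel(trusted),
            "rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The audit reports the shadowing directory even before anything is planted there, which is the check a reviewer wants: the bug is the search order, not the presence of a malicious file. The hardened loader refuses to consult a writable directory at all rather than trusting whatever it finds first.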


Shimony adds, “The implications of these bugs are often full privilege escalation of the local system. Due to the high privilege level of security products, an error in them could help malware to sustain its foothold and cause more damage to the organization.”

Medium- to high-severity vulnerabilities in anti-malware and threat-mitigation software mean, in effect, that the protective product itself becomes a gateway to privileged system resources. In such scenarios, vigilance is the price that needs to be paid for safety.


CyberArk reported its findings to each of the vendors named above, all of which have since patched their products. The good news is that the detected bugs are easily fixable. Shimony said, “The sheer number of bugs within anti-malware products can be staggering, but many bugs that are found within such products can be easily eliminated.”

He further adds, “We have seen that blocking symlink attacks or blocking the load of malicious DLLs require only a small touchup in the code. Knowing that, AV vendors should be able to eliminate this widespread bug class.”
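For the symlink class, the "small touchup" amounts to refusing to follow links during privileged file operations and verifying that the object acted on is the one that was checked. The example below is added here and is not CyberArk's or any vendor's code; it models, in Python on a POSIX filesystem, a privileged quarantine clean-up routine first in its vulnerable form and then hardened. The file names, the quarantine layout and the "protected" file are constructed for the demonstration.

```python
import errno
import os
import stat
import tempfile


def naive_wipe(path):
    """Vulnerable pattern: a privileged clean-up routine truncates and removes
    whatever `path` resolves to. open() follows symbolic links, so a link
    planted by a low-privileged user in the quarantine directory redirects
    the privileged write to any file the service can touch."""
    with open(path, "wb"):  # truncates the *target* of a symlink
        pass
    os.remove(path)


def safe_wipe(path):
    """Hardened pattern: inspect without following links, open without
    following links, and confirm the opened object is the inspected one
    (closing the check-then-use window before truncating)."""
    before = os.lstat(path)
    if not stat.S_ISREG(before.st_mode):
        raise PermissionError("refusing to wipe non-regular file: %s" % path)
    flags = os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_NOCTTY", 0)
    try:
        fd = os.open(path, flags)
    except OSError as e:
        if e.errno == errno.ELOOP:  # a symlink was swapped in after lstat
            raise PermissionError("symlink swapped in under %s" % path) from e
        raise
    try:
        after = os.fstat(fd)
        if (after.st_dev, after.st_ino) != (before.st_dev, before.st_ino):
            raise PermissionError("object changed between lstat and open: %s" % path)
        os.ftruncate(fd, 0)  # only now is it safe to destroy the contents
    finally:
        os.close(fd)
    os.remove(path)


def demo():
    """Constructed scenario: a file the service can write ('protected.txt') and
    a symlink planted where the service expects a quarantined sample.
    Requires a filesystem with symlink support (POSIX)."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected.txt")
        with open(protected, "w") as f:
            f.write("configuration the attacker wants destroyed")
        quarantine = os.path.join(root, "quarantine")
        os.mkdir(quarantine)

        link = os.path.join(quarantine, "sample1.bin")
        os.symlink(protected, link)
        naive_wipe(link)
        corrupted_size = os.path.getsize(protected)  # 0: contents gone via the link

        with open(protected, "w") as f:
            f.write("restored")
        os.symlink(protected, link)  # naive_wipe removed the link itself; plant it again
        try:
            safe_wipe(link)
            blocked = False
        except PermissionError:
            blocked = True
        intact_size = os.path.getsize(protected)

        real = os.path.join(quarantine, "sample2.bin")  # a genuine quarantined sample
        with open(real, "wb") as f:
            f.write(b"\x4d\x5a real quarantined sample")
        safe_wipe(real)
        real_removed = not os.path.exists(real)

        return {"corrupted_size": corrupted_size, "blocked": blocked,
                "intact_size": intact_size, "real_removed": real_removed}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. The lstat check only covers the final path component; if the quarantine directory itself can be replaced by a link or junction, the parent must be opened the same way and the file reached through a directory handle (dir_fd in Python's os.open on Linux). On Windows the corresponding control is opening with FILE_FLAG_OPEN_REPARSE_POINT and rejecting reparse points, or performing the operation while impersonating the user, rather than O_NOFOLLOW.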
