Security Vulnerabilities Discovered in Popular Antivirus Solutions, Risking System Integrity
Cybersecurity experts have recently uncovered significant security vulnerabilities in widely used antivirus software, potentially allowing attackers to escalate privileges and solidify malware presence on compromised systems. A report from CyberArk researcher Eran Shimony, shared with The Hacker News, highlights the critical nature of these vulnerabilities, which arise from the high privileges often inherent to anti-malware programs, making them susceptible to exploitation via file manipulation.
Notably affected antivirus solutions include those from major vendors such as Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, and Microsoft Defender, all of which have issued patches to address the identified flaws. The vulnerabilities may allow unauthorized users to delete files from arbitrary locations and corrupt existing files, creating severe risks for the underlying system’s integrity.
The root of these issues stems from the default Discretionary Access Control Lists (DACLs) set for the “C:\ProgramData” directory in Windows. This configuration permits applications to store user data without additional permissions, inadvertently increasing the likelihood of privilege escalation. Essentially, any user can write or delete files in this directory, which can be exploited when a non-privileged process creates a new folder that a privileged process later accesses.
In one scenario detailed by CyberArk, an instance was noted where two processes—a privileged one and another executed as a local user—shared the same log file. This situation could allow attackers to exploit the privileged process to remove the log file and create a symbolic link that points to a file containing malicious content.
Further analysis revealed that creating a new folder in “C:\ProgramData” prior to executing a privileged process could lead to elevated permissions via a symlink attack. For example, when the McAfee installer runs after a “McAfee” folder has been created, a standard user might gain full control over that directory, facilitating malicious activities.
In addition to these vulnerabilities, the report also identified a DLL hijacking flaw present in Trend Micro and Fortinet products that could allow an attacker to inject a harmful DLL file into the application directory, thus elevating their privileges. CyberArk emphasizes the importance of more restrictive access control lists to prevent arbitrary deletion vulnerabilities and advocates for updates in installation frameworks to mitigate threats like DLL hijacking.
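As an added defensive check (not code from the CyberArk report or from any of the vendors named), the following PowerShell audits the subfolders of C:\ProgramData for the condition described above: Allow ACEs that give broad, low-privilege principals write or delete rights, plus any folder that is already a reparse point (symlink or junction). The root path, principal list and rights set are assumptions to adjust for your environment; run it from an elevated session.

```powershell
# Added example (not from the CyberArk report): audit C:\ProgramData subfolders
# for ACEs that let non-administrative principals write or delete, and flag
# reparse points (symlinks/junctions), which is where a pre-created folder or a
# redirected log file would show up. Run from an elevated PowerShell session.
# Path, principal list and rights set are assumptions; tune them for your estate.

$Root = 'C:\ProgramData'
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$RiskyRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $dir = $_
    $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { return }

    # Collect only Allow ACEs granted to broad, low-privilege principals that
    # include at least one of the rights an attacker needs for file tampering.
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $RiskyRights) -eq 0) { continue }
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }

    # A directory that is itself a symlink or junction deserves a second look.
    $isReparse = ($dir.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0

    if ($findings -or $isReparse) {
        [pscustomobject]@{
            Path         = $dir.FullName
            Owner        = $acl.Owner
            ReparsePoint = $isReparse
            WeakAces     = ($findings | ForEach-Object { "$($_.Principal):$($_.Rights)" }) -join '; '
        }
    }
} | Format-Table -AutoSize -Wrap
```

Because the ProgramData default ACL is inherited by most subfolders, many rows will show inherited write rights for Users; the rows worth acting on are folders a privileged service writes into whose Owner is a standard user, or that are reparse points, which is exactly the pre-created-folder case the report describes.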
While vendors have addressed many of these vulnerabilities, the findings serve as a stark reminder that even security-focused software can harbor weaknesses that enable malware infiltration. CyberArk researchers assert that the implications of such vulnerabilities could lead to full privilege escalation, thereby allowing malware to maintain a foothold and potentially inflict greater damage on affected organizations.
This recent discovery highlights the pressing need for businesses to remain vigilant in evaluating their cybersecurity measures, particularly with respect to the security of their antivirus solutions. As these vulnerabilities illustrate, attackers often leverage weaknesses in security software to assert control over systems, emphasizing the importance of constant monitoring and timely updates in safeguarding sensitive data.
Mapped to the MITRE ATT&CK framework, the tactics an adversary would rely on to exploit these flaws, privilege escalation and persistence, underscore the sophistication with which adversaries may operate. Business owners are advised to exercise caution and implement stringent security protocols to mitigate these risks.