Security researchers from CyberArk discovered security bugs in anti-malware software that allow attackers to escalate privileges on a compromised device.
Bugs in anti-malware software pose a higher risk than bugs in other applications, because they give an attacker a good chance of running malware at elevated privileges.
Cause of the Flaw
“The ramifications of these bugs are frequently complete privilege escalation of the local system. Due to the high privilege level of security items, an error in them could help malware to sustain its foothold and trigger more damage to the organization.”
Unlike %LocalAppData%, which is accessible only to the currently logged-in user, ProgramData is not tied to a particular user: any user has read/write permissions on it.
An attacker could abuse the privileged process to delete the file and create a symlink pointing to an arbitrary file on the target system, so that the privileged process writes malicious content there.
According to the researchers, the root cause of the bug is the default DACLs of the C:\ProgramData directory on Windows, which these applications use to store their data.
Likewise, the researchers examined McAfee antivirus, which creates the “McAfee” folder under standard user control, so a local user could gain elevated permissions through a symlink attack.
“So, if a non-privileged process created a directory in ProgramData that would later be used by a privileged process, we might have a security issue on our hands,” reads the post.
The researchers also analyzed Avira's AV, which has two processes, one non-privileged and one privileged, that write to the same log file.
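The audit script below is an added example, not CyberArk's tooling or any vendor's code. It lists ProgramData subdirectories whose ACLs grant create, delete or permission-change rights to broad principals (the condition the post describes) and counts reparse points beneath them; the principal list is an assumption for a default standalone host.

```powershell
# Added audit script (not CyberArk's code). Flags ProgramData subdirectories that a
# standard user can write to, and counts reparse points (symlinks/junctions) under them.
# Assumption: the principal list matches the default local accounts on the audited host.
$root  = $env:ProgramData   # C:\ProgramData on a default install
$broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
           'NT AUTHORITY\INTERACTIVE', 'CREATOR OWNER')   # CREATOR OWNER: the user who made the folder
# Rights that allow creating, deleting or replacing entries (enough to swap a file for a symlink).
$mask  = [int]([System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')

function Test-BroadWrite {
    # Returns the first Allow ACE that gives a broad principal a right in $mask, else $null.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -ne 0) { return $ace }
    }
    return $null
}

Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $hit = Test-BroadWrite -Path $_.FullName
    if ($null -eq $hit) { return }   # inside ForEach-Object, 'return' skips to the next item
    # Reparse points under a user-writable folder used by a privileged service deserve review.
    $reparse = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0 }).Count
    [pscustomobject]@{
        Directory     = $_.FullName
        Principal     = $hit.IdentityReference.Value
        Rights        = $hit.FileSystemRights
        Inherited     = $hit.IsInherited
        ReparsePoints = $reparse
    }
} | Format-Table -AutoSize
```

Run it as an administrator so every subdirectory's ACL can be read; an entry for a security product's folder with a non-inherited broad write right is the pattern the researchers reported.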
The following vulnerabilities were found:
Kaspersky: CVE-2020-25045, CVE-2020-25044, CVE-2020-25043
McAfee: CVE-2020-7250, CVE-2020-7310
Trend Micro: CVE-2019-19688, CVE-2019-19689 and 3 others
Avast and F-Secure: waiting for MITRE