CyberArk Labs specialists published a report according to which the high privileges of antivirus software make it more vulnerable. As a result, security solutions can be abused for file manipulation attacks, and malware can gain elevated rights on the system.
Errors of this kind have been found in products from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, and Microsoft Defender. Currently, all the problems have already been fixed by the developers, and the identifiers assigned to them can be seen below (Avast and F-Secure solutions are still awaiting CVE assignment).
| Product | CVE identifiers |
|---|---|
| Kaspersky Security Center | CVE-2020-25043, CVE-2020-25044, CVE-2020-25045 |
| McAfee Endpoint Security and McAfee Total Protection | CVE-2020-7250, CVE-2020-7310 |
| Symantec Norton Power Eraser | CVE-2019-1954 |
| Check Point ZoneAlarm and Check Point Endpoint Security | CVE-2019-8452 |
| Trend Micro HouseCall for Home Networks | CVE-2019-19688, CVE-2019-19689 and three more problems, so far without CVE IDs |
The researchers say that the main flaw found in the antiviruses is the ability to delete files from arbitrary locations, which allows an attacker to erase any file on the system. There is also a similar file corruption vulnerability that allows the contents of any file on the system to be deleted.
According to the report, the problems mainly stem from the default DACLs (Discretionary Access Control Lists) of the C:\ProgramData folder on Windows, which applications use to store data without needing additional permissions. Because every user has write and delete rights at the base directory level, an unprivileged process can create a new folder in ProgramData that a privileged process later accesses, which increases the likelihood of privilege escalation.
The researchers observed that when two different processes (one privileged and the other running as an authenticated local user) share the same log file, an attacker can abuse the privileged process by deleting the file and creating in its place a symbolic link that points to an arbitrary file with malicious content.
CyberArk Labs analysts also examined the possibility of creating a new folder in C:\ProgramData before the privileged process runs. Specifically, they found that the McAfee antivirus installation process starts after the McAfee folder has been created, at which point a standard user has full control over the directory and can gain elevated privileges by carrying out a symlink attack.
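As an added example (not code from the CyberArk report or from any of the vendors named), here is a PowerShell audit that looks for the two preconditions described in the paragraphs above: C:\ProgramData subfolders with Allow entries granting write or delete rights to low-privileged principals, and subfolders not owned by a privileged account, as in the pre-created McAfee folder case. The principal and owner lists and the function name are my assumptions.

```powershell
# Added example, not code from the CyberArk report or any vendor.
# Audits the subfolders of C:\ProgramData for the two preconditions the
# article describes: Allow ACEs that let low-privileged principals write or
# delete, and folders not owned by a privileged account (pre-created folders).
# Assumption: the principal and owner lists below are mine, not the report's.
$WeakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
$TrustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)
# Rights that let a principal replace a file or folder with a symlink or DLL of its choosing.
$WeakRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, FullControl'

function Find-WeakProgramDataDirs {
    param([string]$Root = 'C:\ProgramData')

    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Case 1: the directory was created by (and is therefore owned by) an unprivileged user.
        if ($TrustedOwners -notcontains $acl.Owner) {
            [PSCustomObject]@{ Directory = $dir.FullName; Finding = 'UntrustedOwner'; Principal = $acl.Owner; Rights = $null; Inherited = $null }
        }
        # Case 2: explicit or inherited Allow ACEs granting dangerous rights to low-privileged principals.
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Bitwise test against the rights we consider dangerous; [int] keeps generic-rights ACEs comparable.
            if (([int]$ace.FileSystemRights -band [int]$WeakRights) -ne 0) {
                [PSCustomObject]@{ Directory = $dir.FullName; Finding = 'WeakAce'; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

Find-WeakProgramDataDirs | Format-Table -AutoSize
```

Inherited `WeakAce` findings reflect the default ProgramData inheritance and are expected on many folders; the ones that matter are directories a privileged service or installer later trusts, and any `UntrustedOwner` hit on a folder belonging to such a product.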
In addition, the researchers report that products from Trend Micro, Fortinet and others could be abused to plant a malicious DLL file in the application directory and then escalate privileges.