Cybersecurity company SafeBreach Labs has called out McAfee and Symantec for a serious oversight in how they handle drivers. According to Peleg Hadar, Security Researcher at SafeBreach Labs, this is a vulnerability that has already been exploited. Both vendors have issued patches to rectify the issue.
The vulnerability is recorded by both vendors as Self-Defense Bypass and Potential Usages. The CVE number for McAfee is CVE-2019-3648, while for Symantec it is CVE-2019-12758. What is concerning is that this is the same issue that Hadar says SafeBreach has identified at other endpoint security vendors, including Avast, AVG and Checkpoint. What is not clear is why it took these vendors longer to patch the issue. Both have yet to respond to a request for comment.
How were McAfee and Symantec vulnerable?
There are several things that made both products vulnerable. In brief:
- When the software needed to load a driver, it looked for it in a directory that did not exist.
- An attacker creates that directory and places a malicious driver in it.
- The AV software finds the driver and loads it without performing any checks, such as ‘has the code been signed?’
- The AV software treats the malicious driver as protected code.
- The malicious driver now has system privileges and can execute any arbitrary code it chooses.
- The malware can change the whitelist, disable features of the AV software and download more malware.
- Rebooting the computer simply causes the malicious driver to be reloaded.
What is important here is that this is NOT a theoretical attack. Hadar confirmed that it had been seen in the wild and went as far as saying this type of attack had led to ransomware infections. It means that any user who does not apply the patch for the AV software is at risk.
Not just a problem for McAfee and Symantec
This is not just a problem for McAfee and Symantec. SafeBreach has called out several other AV vendors such as Avast, AVG and Checkpoint for the same issue.
Hadar said that one cause of the problem is that the vendors are relying on Microsoft code, which causes the software to look in the wrong directory for the drivers. While some might see this as giving the developer an excuse, it raises questions as to how this was not picked up in testing by the security vendors.
Perhaps a more important issue here is that there is no check to see if the code is signed. This should be part of any secure code approach. It would be easy to say that Microsoft should enforce this. As Hadar says: “It would mitigate a lot of problems that users are exposed to.”
But should the developers be relying solely on Microsoft? The answer is no. Ensuring that only properly signed files are loaded is a relatively simple process. Failing to do so opens the door for an attacker to change files and get users to load apps that automatically call malware.
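The failure chain in the list above and the signature check discussed here come down to three auditable conditions: a driver search path that does not exist, a search path that low-privilege users can write into, and a driver that loads without a valid Authenticode signature. The PowerShell script below is an added example written for this article; it is not code from SafeBreach, McAfee or Symantec, and the paths in $DriverPaths are placeholders standing in for whatever locations your own product actually searches. It reports each condition for each path so an administrator or a product's QA team can see the gap before an attacker does.

```powershell
# Added example (not from the article or either vendor): audit the locations
# from which a product is expected to load kernel drivers, reporting the three
# conditions described above: a search path that does not exist, a path that
# non-administrators can create or write into, and a driver whose
# Authenticode signature is not valid.
# $DriverPaths contains placeholder values; replace them with the paths your
# product actually searches (for example, taken from a Process Monitor trace).

$DriverPaths = @(
    'C:\Program Files\ExampleAV\drivers\example.sys',    # placeholder path
    'C:\ProgramData\ExampleAV\legacy\example_old.sys'     # placeholder path
)

# Principals that should never hold write or create rights on a driver search path.
$UntrustedWriters = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor `
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor `
               [System.Security.AccessControl.FileSystemRights]::CreateDirectories

# Emit one line per ACE that grants an untrusted principal write/create rights on $Path.
function Get-WritableBy {
    param([string]$Path, [string]$Label)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ($UntrustedWriters -contains $ace.IdentityReference.Value) -and
            ([int]($ace.FileSystemRights -band $WriteRights) -ne 0)) {
            "$Label: $($ace.IdentityReference) has $($ace.FileSystemRights) on $Path"
        }
    }
}

function Test-DriverLoadPath {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $dir = Split-Path -Path $Path -Parent

    # 1. The directory the loader looks in does not exist. This is the gap the
    #    article describes: whoever creates it first controls what is found there.
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        $findings += "MISSING_DIR: $dir does not exist; search path is unclaimed"
        # Walk up to the nearest existing parent and report who may create the
        # missing directory beneath it.
        $parent = $dir
        while (-not (Test-Path -LiteralPath $parent)) {
            $parent = Split-Path -Path $parent -Parent
        }
        $findings += Get-WritableBy -Path $parent -Label 'PARENT_WRITABLE'
        return $findings
    }

    # 2. The directory exists; report any low-privilege principal that can write into it.
    $findings += Get-WritableBy -Path $dir -Label 'DIR_WRITABLE'

    # 3. The driver file: is it present, and does it carry a valid Authenticode signature?
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $findings += "MISSING_FILE: $Path not present (directory exists, file can be planted)"
        return $findings
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "BAD_SIGNATURE: $Path status=$($sig.Status)"
    } else {
        $findings += "OK: $Path signed by $($sig.SignerCertificate.Subject)"
    }
    return $findings
}

foreach ($p in $DriverPaths) {
    Test-DriverLoadPath -Path $p | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated prompt so Get-Acl can read every directory on the path. A MISSING_DIR or PARENT_WRITABLE line is the finding to act on first: the fix on the product side is to ship the driver in a directory whose ACL only administrators and SYSTEM can write, and to refuse to load anything whose signature status is not Valid, rather than to rely on the directory simply not being there.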
Enterprise Times: What does this mean?
Organisations are losing the battle against cyber criminals. They are increasingly dependent upon the tools that they install on end user devices. Those tools are also trusted by the end user, and that is what the cyber criminals rely upon. While some attacks, such as phishing, can be reduced through proper user education, this type of attack cannot.
This is also not just an issue for enterprise computing devices. Endpoint protection is installed on virtually every PC sold; for phones and tablets it is less common. That does not mean that users update, or even buy licences for, the devices that they use. Some users will even install pirated versions of AV software. These are versions that have already been hacked by cyber criminals, yet users still download and use them.
With Bring Your Own Device (BYOD) continuing to increase, this type of attack, combined with the failure of users to patch their devices, leaves enterprises open to attack. Enterprise IT departments need to be proactive in talking to users and helping them understand the risks.