Researchers at SafeBreach Labs discovered a vulnerability that could let attackers bypass defenses and escalate privileges by getting anti-virus products, including AVG, Avira and Avast Antivirus, to load a malicious DLL file. The flaw, which relies on DLL search order hijacking, is tracked as CVE-2019-17093. Using it, attackers could run processes as NT AUTHORITY\SYSTEM, the highest level of privilege on a local computer. Running programs as SYSTEM is an important goal for many threat actor groups because it lets them steal passwords out of memory and perform stealthy attacks that are difficult for defenders to detect.

“The vulnerability allows attackers to use multiple signed services to load and execute malicious payloads in the scope of AVG / Avast processes. This capacity may be exploited by an attacker for various purposes such as execution and avoidance, for example: the whitelisting bypass program,” said the SafeBreach Labs researchers. The loading is also persistent: once the malicious DLL is in place, every restart triggers the malicious code again.

Avast was notified in August 2019 that the issue affected Avast Antivirus and AVG Antivirus versions prior to 19.8, and a patch was released on September 26th, 2019.

Avira Antivirus was found to have a similar problem: researchers were able to plant a DLL of their own that Avira's ServiceHost.exe loaded, which allowed them to execute code. Avira was notified on July 22nd, 2019 and mitigated the issue on September 18th, 2019. MITRE issued CVE-2019-17449 for the bug on October 10th, 2019. However, Avira stated that the vulnerability would not be of use to attackers and said it would contest the CVE.
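The precondition behind a DLL search order hijack, and the exact point Avira disputes, is whether any directory the loader consults before finding a DLL is writable without administrative rights. The script below is an added example written for this page (it is not SafeBreach's proof of concept or any vendor's code). It models the loader's default search order with SafeDllSearchMode enabled, walks that order for each DLL a service imports, and reports the low-privilege-writable directories consulted before the DLL is found, or all of them if the DLL is missing. The directory names, file lists, ACL summaries and the partial KnownDLLs list are constructed for the demonstration.

```python
"""Model the Windows DLL search order and flag hijackable imports.

Added example, not SafeBreach's or any AV vendor's code. The search order is
the documented default with SafeDllSearchMode enabled:
  1. the application's directory
  2. the system directory (System32)
  3. the 16-bit system directory (System)
  4. the Windows directory
  5. the current working directory
  6. each directory in PATH
The file system and ACL summaries below are an in-memory model, not real
Windows state; a real audit would read ACLs with Get-Acl/GetSecurityInfo.
"""
from dataclasses import dataclass

SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"

# Principals whose write access makes a directory useful to a local non-admin
# attacker. A real audit would also expand nested group membership.
LOW_PRIV_PRINCIPALS = {"Everyone", "Users", "Authenticated Users"}

# Partial, constructed sample of the KnownDLLs list. The real list lives under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs and those
# DLLs are mapped from System32 without any search, so they cannot be hijacked.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


@dataclass
class Directory:
    path: str
    files: frozenset        # lower-cased file names present in the directory
    writable_by: frozenset  # principals with write/create access (ACL summary)

    def low_priv_writable(self) -> bool:
        return bool(self.writable_by & LOW_PRIV_PRINCIPALS)


def search_order(app_dir, cwd, path_dirs):
    """Directories in the order the loader consults them."""
    return [app_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, cwd, *path_dirs]


def resolve_dll(dll_name, order, fs):
    """Walk the search order for dll_name.

    fs maps lower-cased directory path -> Directory. Returns
    (directory the DLL resolves to, or None if it is missing everywhere,
     list of low-priv-writable directories consulted before it was found).
    A non-empty second element means a local user could plant a same-named
    DLL that the loader would pick up before the legitimate one.
    """
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return SYSTEM_DIR, []  # loader skips the search entirely
    plantable = []
    for d in order:
        entry = fs.get(d.lower())
        if entry is None:
            continue  # directory does not exist on this host; loader skips it
        if name in entry.files:
            return entry.path, plantable
        if entry.low_priv_writable():
            plantable.append(entry.path)
    return None, plantable


def audit(app_dir, imports, cwd, path_dirs, fs):
    """Return {dll: plantable_dirs} for every import a non-admin could hijack."""
    order = search_order(app_dir, cwd, path_dirs)
    findings = {}
    for dll in imports:
        _, plantable = resolve_dll(dll, order, fs)
        if plantable:
            findings[dll] = plantable
    return findings


def sample_fs():
    """Constructed host: an AV service dir locked to admins, a user-writable
    C:\\Tools on PATH. Not real product paths or file lists."""
    dirs = [
        Directory(r"C:\Program Files\ExampleAV",
                  frozenset({"avservice.exe", "avcore.dll"}),
                  frozenset({"SYSTEM", "Administrators"})),
        Directory(SYSTEM_DIR, frozenset({"kernel32.dll", "version.dll"}),
                  frozenset({"SYSTEM", "TrustedInstaller"})),
        Directory(WINDOWS_DIR, frozenset({"explorer.exe"}),
                  frozenset({"SYSTEM", "TrustedInstaller"})),
        Directory(r"C:\Tools", frozenset({"putty.exe"}),
                  frozenset({"Administrators", "Users"})),
    ]
    return {d.path.lower(): d for d in dirs}


if __name__ == "__main__":
    findings = audit(
        app_dir=r"C:\Program Files\ExampleAV",
        imports=["kernel32.dll", "version.dll", "avcore.dll", "plugin_helper.dll"],
        cwd=SYSTEM_DIR,
        path_dirs=[SYSTEM_DIR, r"C:\Tools"],
        fs=sample_fs(),
    )
    for dll, dirs in findings.items():
        print(f"{dll}: a non-admin can plant it in {', '.join(dirs)}")
```

In the constructed scenario only the missing `plugin_helper.dll` is reported, because the only low-privilege-writable directory (`C:\Tools`) sits at the end of the search order and every DLL that actually exists is found before the loader gets there. That is the distinction at the heart of the Avira dispute: with the service's own directory locked to administrators and the missing DLL resolved from nowhere writable, an admin is still needed to plant anything, and the technique becomes persistence and whitelisting bypass rather than privilege escalation.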
Avira emailed a statement to SecurityWeek that said, “The scenario shows that a default OS and brand setting would allow the malicious DLL file to be installed by Administrator privileges. If you have administrative rights already, you would not obtain any new privileges or just change Avira binary or Windows to bypass all signature checks. So, there is no escalation of privilege. Avira does not believe that the problem can be listed as CVE, so the CVE was already contested at MITRE.”
Since Avast Antivirus and AVG Antivirus versions prior to 19.8 are affected, users should update their Avast, Avira and AVG Antivirus products to the latest version. Endpoint detection and response solutions capable of detecting lateral movement, password dumping from memory and other adversary behaviors are an important part of a good defense-in-depth strategy. Binary Defense’s EDR software, Vision, has adversary deception and detection capabilities that cover these scenarios and many others, providing advanced alerting and response capabilities to defenders.
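On the detection side, the behaviour this class of bug produces is visible in image-load telemetry: a service running as SYSTEM loads a DLL that is unsigned, or that comes from a directory that is neither the service's own nor a Windows system directory, and it does so again on every restart. The triage rule below is an added example (not Binary Defense's, Vision's or any other EDR's detection logic). The records are constructed to resemble the fields of Sysmon Event ID 7 (Image loaded); the field names, boolean `Signed` value and the list of trusted Windows directories are assumptions made for the demonstration.

```python
"""Triage image-load events for DLL search order hijacking.

Added example, not any EDR vendor's detection logic. SAMPLE_EVENTS are
constructed records shaped like Sysmon Event ID 7 fields (Image, ImageLoaded,
User, Signed, SignatureStatus, Signature); real Sysmon emits strings, not
booleans, so adapt the comparisons when reading real XML/EVTX output.
"""
from pathlib import PureWindowsPath

SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"

# Directories from which a SYSTEM service loading a DLL is unremarkable.
# Assumed list; extend it for your environment.
TRUSTED_ROOTS = [PureWindowsPath(p) for p in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")]


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if path is root or lies beneath it (PureWindowsPath compares
    case-insensitively, matching NTFS behaviour)."""
    return path == root or root in path.parents


def load_reasons(rec):
    """Return the list of reasons a load looks like a hijack (empty = benign).

    Only SYSTEM-context loads are considered, because that is the context
    the page's vulnerability yields; other users are out of scope here.
    """
    if rec["User"].lower() != SYSTEM_ACCOUNT.lower():
        return []
    host_dir = PureWindowsPath(rec["Image"]).parent
    dll = PureWindowsPath(rec["ImageLoaded"])
    reasons = []
    if not rec["Signed"] or rec.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    if dll.parent != host_dir and not any(_under(dll, r) for r in TRUSTED_ROOTS):
        reasons.append(f"loaded from {dll.parent}, outside the host directory and Windows")
    return reasons


def triage(records):
    """Return (host image, loaded image, reasons) for every flagged record."""
    flagged = []
    for rec in records:
        reasons = load_reasons(rec)
        if reasons:
            flagged.append((rec["Image"], rec["ImageLoaded"], reasons))
    return flagged


# Constructed events: an AV service loading a Windows DLL, its own signed DLL,
# and finally an unsigned DLL from a tools directory on PATH. The last record
# repeats a SYSTEM load from a user-writable location; a real rule would also
# count how many boots it recurs on.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ExampleAV\avservice.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "User": SYSTEM_ACCOUNT, "Signed": True, "SignatureStatus": "Valid",
     "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\ExampleAV\avservice.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\avcore.dll",
     "User": SYSTEM_ACCOUNT, "Signed": True, "SignatureStatus": "Valid",
     "Signature": "Example AV Ltd"},
    {"Image": r"C:\Program Files\ExampleAV\avservice.exe",
     "ImageLoaded": r"C:\Tools\plugin_helper.dll",
     "User": SYSTEM_ACCOUNT, "Signed": False, "SignatureStatus": "Unavailable",
     "Signature": ""},
    {"Image": r"C:\Users\alice\AppData\Local\tool.exe",
     "ImageLoaded": r"C:\Tools\plugin_helper.dll",
     "User": r"DESKTOP\alice", "Signed": False, "SignatureStatus": "Unavailable",
     "Signature": ""},
]

if __name__ == "__main__":
    for host, loaded, reasons in triage(SAMPLE_EVENTS):
        print(f"{host} loaded {loaded}: " + "; ".join(reasons))
```

The rule deliberately scores a load on two independent signals, signature state and location, so that a signed-but-misplaced DLL (an attacker can sign with any certificate) and an unsigned DLL dropped next to the host binary are both surfaced. Tuning consists of adding vendor-specific directories to the trusted list rather than loosening the SYSTEM-context condition.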