Vulnerabilities in antimalware products are significantly threatening since these programs usually run with high privileges, often at the admin level. Hence, any bugs here, especially the privilege escalation found by CyberArk, could give elevated access to an adversary.
Briefly, the researchers observed that in most cases, the issues existed because of the default DACLs of the C:\ProgramData directory. This director, on Windows, is accessible by all users, unlike the %LocalAppData% that specifies to the logged-in user only.
It means any user can read/write files in ProgramData and will have full control of the data present here. Thus, any process created by a non-privileged user that a privileged user executes later will give rise to security issues.
Such exploitation could allow for symlink attacks, whilst deleting arbitrary files and point to malicious files.
Also, they found DLL hijacking flaw affecting some antivirus programs.
Technical details about these vulnerabilities are available in the researchers’ post. Whereas, following is the list of all programs that had the vulnerabilities, with the respective CVEs.
Consequently, they have confirmed that all vendors have patched the flaws in their respective antivirus programs.
Besides, they have also shared some easy solutions for all to address such bugs in the future.
Let us know your thoughts in the comments.
