Considerable time and money are invested in looking for dangerous vulnerabilities in the most commonly used elements of IT infrastructure. Popular operating systems, networks, utilities and security tools are attractive targets for malicious hackers.
Here are some lessons we should learn from cybersecurity research in 2019.
Just because it’s security software doesn’t mean it’s safe
One would expect security software to contain some of the most secure code on the planet. During 2019, however, a SafeBreach research team discovered major vulnerabilities in widely used security products that were written and tested by reputable cybersecurity companies.
| Product | What can happen | Underlying flaws |
|---|---|---|
| Trend Micro Maximum Security 2019 and 2020 | DLL search-order hijacking, signed-execution whitelisting bypass | Uncontrolled search path; no digital certificate validation against the binary |
| Trend Micro Password Manager | Signed-execution whitelisting bypass, persistence, privilege escalation | Uncontrolled search path; no digital certificate validation against the binary |
| Kaspersky Internet Security (KIS) | Whitelisting bypass, defense evasion | Uncontrolled search path; no digital certificate validation |
| Comodo Internet Security | DLL preloading | No digital certificate validation; AV has no self-protection on its folders |
| McAfee – all editions | Defense evasion, signed-execution whitelisting bypass | No digital signature validation |
| Avira Antivirus 2019 | Defense evasion, signed-execution whitelisting bypass | No digital certificate validation; no self-protection for the Launcher folder |
| Avast Antivirus and AVG Antivirus | Defense evasion, self-defense bypass | Root cause found within one of Microsoft’s DLLs; code integrity is not enforced in the AM-PPL (Antimalware Protected Process Light) process |
| Check Point Endpoint Security Initial Client | Signed-execution whitelisting bypass, persistence, privilege escalation | No safe DLL loading due to an uncontrolled search path; no digital certificate validation against the binary |
| BitDefender Antivirus Free 2020 | Signed-execution whitelisting bypass, persistence, privilege escalation | No safe DLL loading due to an uncontrolled search path; no digital certificate validation against the binary |
| Symantec Endpoint Protection | Defense evasion, signed-execution whitelisting bypass | No digital signature validation |
In every case the same two flaws recurred, an uncontrolled DLL search path and no signature validation of the binary being loaded, and together they enabled DLL search-order hijacking plus some form of defense evasion. Every affected product (between 12 and 30 of them, depending on how separate editions are counted) let an attacker place unsigned code in a DLL that a critical Windows service would then load; no digital signature was required at any point. Making matters worse, the planted code runs with the privileges of the service that loaded it, which on these products means the highest privileges on the user’s computer.
Supply chain risks are a massive problem
The research team also found a surprising number of common exploit paths across a wide variety of systems and widely used software. As an example, the Windows Dynamic-Link Library (DLL) search order, on both client and server editions, turned up as the root cause in multiple leading products. The table above lists security products, but other kinds of products from at least six global vendors contained the same vulnerability.
The DLL search order is an architectural artifact that gives attackers an unwise degree of access and flexibility. When a program asks for a DLL by file name alone, Windows walks a fixed list of directories (the application’s own directory, the system directories, then the current directory and the directories on PATH) and loads the first match it finds; the loader does not check an Authenticode signature on what it loads unless the developer adds that check explicitly. If any directory earlier in that list than the legitimate DLL is writable by a low-privileged user, or the requested DLL does not exist at all, an attacker can plant a same-named DLL and have it executed by what appears to be a signed, trusted service. Through this mechanism they can escalate privileges, even to the point where their code can read and exfiltrate the contents of physical memory, or bypass antivirus software (defense evasion).
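As an added example (not code from the research described above or from any of the vendors in the table), the following PowerShell audits a local Windows host for the two preconditions the table and the paragraph above describe. For every installed service it checks whether the directory holding the service binary is writable by a low-privilege principal (Everyone, Authenticated Users or BUILTIN\Users), which is what lets a same-named DLL be planted in the search order, and whether the binary itself carries a valid Authenticode signature. The function name `Find-DllHijackCandidates` and the output fields are my own; the SIDs and the generic-right bit values are the standard Windows ones.

```powershell
# Added example: audit Windows services for DLL search-order hijacking preconditions.
# A service is reported when (a) its binary lives in a directory that a low-privilege
# principal can write to, so a same-named DLL can be planted ahead of the real one,
# or (b) its binary is not validly Authenticode-signed. Get-Acl only needs read access
# to the directory's DACL, so the audit works from a standard (non-elevated) shell.
function Find-DllHijackCandidates {
    [CmdletBinding()]
    param()

    # Well-known low-privilege SIDs: Everyone, Authenticated Users, BUILTIN\Users.
    $lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

    # Specific rights that let a principal create or replace files in a directory.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, WriteData'
    # Generic rights as they appear in raw ACE masks on some inherited entries.
    $genericAll   = 0x10000000   # GENERIC_ALL
    $genericWrite = 0x40000000   # GENERIC_WRITE

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }

        # PathName is either "quoted path" followed by arguments, or an unquoted path.
        $exe = $null
        if ($svc.PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($svc.PathName -match '^\s*(\S+)') { $exe = $Matches[1] }
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        $dir = Split-Path -Parent $exe

        # (a) Which low-privilege principals, if any, can write into the binary's directory?
        $writableBy = @()
        try {
            foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try {
                    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }   # skip identities that cannot be translated to a SID
                if ($lowPrivSids -notcontains $sid) { continue }
                $rights = [int]$ace.FileSystemRights
                if (($rights -band $writeMask) -ne 0 -or
                    ($rights -band $genericAll) -ne 0 -or
                    ($rights -band $genericWrite) -ne 0) {
                    $writableBy += $ace.IdentityReference.Value
                }
            }
        } catch {
            $writableBy += "ACL unreadable: $($_.Exception.Message)"
        }

        # (b) Is the service binary validly signed?
        $sig = Get-AuthenticodeSignature -FilePath $exe

        if ($writableBy.Count -gt 0 -or $sig.Status -ne 'Valid') {
            [PSCustomObject]@{
                Service         = $svc.Name
                StartAccount    = $svc.StartName   # e.g. LocalSystem: what a planted DLL would run as
                Binary          = $exe
                DirWritableBy   = ($writableBy -join ', ')
                SignatureStatus = $sig.Status
                Signer          = $sig.SignerCertificate.Subject
            }
        }
    }
}

Find-DllHijackCandidates | Sort-Object Service | Format-Table -AutoSize
```

A hit in `DirWritableBy` for a service whose `StartAccount` is `LocalSystem` is the combination the table describes: a low-privilege user can drop a DLL where a SYSTEM-level process will look for it. The script checks only the binary's own directory, which is a necessary but not sufficient condition; to confirm which DLL names a given service actually requests, and whether any are missing so that the search falls through to later, writable directories, watch the process with Process Monitor filtered on `CreateFile` results of `NAME NOT FOUND` for paths ending in `.dll`.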
Identifying potential UEPs, exploit paths that recur across many products in this way, should be a collective goal of the security community in 2020. Another UEP, found in a widely used open source program called Open Hardware Monitor, leads to the next point.
Open source abandonware is a growing risk
Open Hardware Monitor is a free open source program that monitors the temperature sensors, fan speeds, voltages, load and clock speeds of a computer. Tens of millions of computers run Open Hardware Monitor as part of their monitoring systems, HP Touchpoint Analytics among them. When the research team examined the GitHub repo, they found many open issues that had gone unacknowledged, and the software itself appeared not to have been updated in a year or more. That is a concern because the code runs on so many endpoints and with very high privileges.
Another example: Heartbleed, a missing bounds check in the OpenSSL cryptography library’s handling of the TLS heartbeat extension, disclosed in 2014, let a remote attacker read chunks of a server’s process memory, private keys and session data included, and put a large share of the Internet’s encrypted traffic at real risk.
OpenSSL is a cryptography library widely used by Internet servers to encrypt traffic to and from websites and the activities of their users. When Heartbleed was disclosed, we all became uncomfortably aware that the security of such a critical element of global online infrastructure depended on two guys named Steve who looked after it on a part-time basis.
Your security response mileage may vary
Researchers and white hat hackers report vulnerabilities to companies large and small. Unsurprisingly, there is great variability in how the vendors respond when they are alerted that there might be a bug in their product code.
Some vendors respond within minutes and have a patch ready for testing within 24 hours. Others do not respond for weeks. Also, some technology providers make it very easy to find the right people by publicly posting security policies and providing dedicated security emails. These companies tend to be the most responsive and build patches the most quickly.
Other companies lack public security policies and contacts, making it very difficult to reach and alert them. It is counterproductive when a Good Samaritan must resort to direct-messaging a vendor’s public Twitter account just to find out whom to notify of a high-risk security gap. Technology providers that operate at scale, selling software or hardware that runs on software, should have a highly visible public security policy and clearly identified channels for reporting problems; publishing a contact and disclosure policy in a security.txt file at /.well-known/security.txt is one simple, machine-readable way to do so.
For 2020, tackle the big threats, but cover the basics
With 2019 now in the rearview mirror, security changes still come slowly, and even crises like NotPetya have not produced universally good patching hygiene, so more exploitation of the vulnerabilities described here can be expected in 2020.
Many in the security field have encountered the kinds of problems described above. Fixing them, or at least making major headway against these really big challenges, will be critical to a more secure 2020 and beyond.