Bitdefender patches vulnerability in Free Antivirus 2020
Last week it was Trend Micro under the spotlight, this week it’s Bitdefender’s turn, as the company had to patch a flaw in its Antivirus Free 2020 product.
The flaw was discovered by SafeBreach, who disclosed the vulnerability to Bitdefender in July 2019. It enabled malicious code injection by malware or an attacker, and could result in a total system takeover.
Users of Bitdefender’s free AV are advised to install the update to version 18.104.22.168, which was released yesterday. Other Bitdefender AV solutions are not affected.
According to SafeBreach researcher Peleg Hadar, the vulnerability gives bad actors “the ability to operate as NT AUTHORITY\SYSTEM which is the most powerful user in Windows”, which would enable them to access practically every file and process on the machine.
This flaw enables DLL hijacking, a clever way for threat actors to execute malicious code on a user's machine. Dynamic link library (DLL) is a file format used for holding multiple codes and procedures for Windows programs. These files were created so that many programs could use their information at the same time, conserving memory and avoiding duplication.
To commit DLL hijacking, attackers usually create fake DLLs so that a program pulls code from that repository instead of the genuine article, and infects the process.
According to Hadar, SafeBreach’s initial exploration of the software targeted two Bitdefender services, “Bitdefender Security Service” (vsserv.exe), and “Bitdefender Updater Service” (updatesrv.exe).
“Firstly they run NT AUTHORITY\SYSTEM, which is the most privileged user account. This kind of service might be exposed to a user-to-SYSTEM privilege escalation, which is extremely useful for attackers. In addition, the executable of the service is signed by Bitdefender and if the hacker finds a way to execute code within this process, it can be used as an application whitelisting bypass which can lead to security product evasion.”
Moreover, this service automatically starts once the computer boots, which means that it’s a potential target for a cyber criminal to be used as a persistence mechanism.
Finally, Hadar says Bitdefender's AV software, including the free version, is supposed to employ Code Integrity Guard (CIG), which enables only digitally signed software to run. “In this case, CIG was not being enforced, allowing unsigned code loading.”