SafeBreach Labs is delivering a three-strike blow, with a simultaneous revelation of severe vulnerabilities affecting three popular and widely used security solutions. The first is Trend Micro Security 16, the second is Kaspersky Secure Connection, and the third is Autodesk Desktop Application. The flaws found in all three products lead to privilege escalation and persistence through the loading of an arbitrary unsigned DLL into a service that runs as NT AUTHORITY\SYSTEM. This is exactly the same type of flaw that we saw in Symantec Endpoint Security, three McAfee security products, HP Touchpoint Analytics, BitDefender Antivirus Free 2020, and the Trend Micro Password Manager.
The SafeBreach team has written corresponding proof-of-concept code to demonstrate how it can compile its own replacement DLL and have it loaded in place of the legitimate, missing one. This leads to privilege escalation through code execution at the highest authority level, as none of the three products performs any kind of DLL validation. The root cause is therefore common to all three: the lack of digital certificate validation on the DLL being loaded. The persistence angle is common too, as a malicious payload would be executed every time the system starts, since these security products are usually set to auto-launch.
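The defensive counterpart of the flaw described above is to check whether a SYSTEM service has actually loaded anything that is not Authenticode-signed. The following PowerShell function is an added example written for this post; it is not code from the article or from SafeBreach, and the service name, the function name and the decision to treat anything other than a `Valid` signature status as suspicious are assumptions for illustration. It resolves the service's process, walks its loaded modules, and reports every module whose signature does not verify. It must run from an elevated prompt (module enumeration of a SYSTEM process requires it) and from a PowerShell host with the same bitness as the service.

```powershell
# Added example (not the article's or SafeBreach's code): audit the DLLs loaded
# into a running service and flag any that are not validly Authenticode-signed.
# A legitimately signed product should show an empty result; an unsigned module
# sitting in the service's own directory is the pattern the disclosures describe.
function Find-UnsignedServiceModule {
    param(
        # Short service name as shown by Get-Service, e.g. 'MyProductSvc' (assumed placeholder)
        [Parameter(Mandatory)] [string]$ServiceName
    )

    # Resolve the service to its process id via WMI/CIM (needs an elevated session)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc -or -not $svc.ProcessId) {
        throw "Service '$ServiceName' not found or not running"
    }

    $proc = Get-Process -Id $svc.ProcessId

    # Check every loaded module and keep only those whose signature is not 'Valid'
    # (covers NotSigned, HashMismatch, UnknownError, NotTrusted, ...)
    $proc.Modules |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FileName
            [pscustomobject]@{
                Service = $ServiceName
                Module  = $_.ModuleName
                Path    = $_.FileName
                Status  = $sig.Status
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Usage (assumed service name):
# Find-UnsignedServiceModule -ServiceName 'MyProductSvc' | Format-Table -AutoSize
```

Two caveats a practitioner would want: a `Valid` status only proves the file was signed by a chain the machine trusts, not that the signer is the product vendor, so the `Signer` column deserves a glance as well; and this check is a point-in-time snapshot of what is loaded now, so it complements, rather than replaces, the vendor fix of validating the certificate at load time.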
The discovered vulnerabilities were reported to the affected software vendors in July, and all three confirmed them within a few weeks. Trend Micro released a security advisory on November 25 issuing CVE-2019-15628, Autodesk published an advisory a day later with the identifier CVE-2019-7365, and Kaspersky provided regular status updates and issued the CVE-2019-15689 identifier. So far, only Trend Micro has shipped a patch, in version 16.0.1227. Anything from 16.0.1221 and below is vulnerable, so you should upgrade immediately. As for Kaspersky Secure Connection, all versions below 4.0 (2020) are susceptible.
This is the same type of flaw that we have seen and analyzed again and again over the last couple of months, and these three final disclosures close a long cycle. The case serves as a reminder that even security products can introduce new and severe risks to our computers, precisely because they need to run with elevated privileges. Hopefully, this will be the last post covering unsigned DLLs being loaded in place of the real ones, and security software vendors have learned their lesson on digital certificate validation.
Do you have anything to comment on the above? Let us know of your thoughts in the section down below, or leave your comments on our socials, on Facebook and Twitter.