
Privilege escalation vulnerability fixed in Bitdefender's free antivirus

SafeBreach researchers discovered a vulnerability in Bitdefender Antivirus Free 2020 that affects versions prior to 1.0.15.138, the release that fixes the problem.

The bug was assigned the identifier CVE-2019-15295 and a CVSS score of 5.9. An attacker could use it to elevate privileges to the SYSTEM level.

The problem is a lack of proper verification of the libraries the product loads: it does not check that a library is signed, nor that it is loaded from a trusted location.

“NT AUTHORITY\SYSTEM is the most privileged user account. This kind of service might be exposed to a user-to-SYSTEM privilege escalation, which is very useful and powerful to an attacker. The executable of the service is signed by BitDefender and if the hacker finds a way to execute code within this process, it can be used as an application whitelisting bypass which can lead to security product evasion”, write the SafeBreach researchers.

The vulnerability stems from the ServiceInstance.dll library, which is loaded by the Bitdefender update service (updatesrv.exe) and the Bitdefender security service (vsserv.exe); both services are signed by Bitdefender and run with SYSTEM privileges. ServiceInstance.dll in turn loads the RestartWatchDog.dll library.

Because RestartWatchDog.dll is not loaded safely (it is searched for rather than loaded from a fixed, trusted location), the antivirus does not guarantee that the library it loads is signed. An attacker with access to a system running Bitdefender Antivirus Free 2020 can therefore plant a malicious version of the library that is loaded in place of the legitimate one and runs with the service's SYSTEM privileges.

For the attack to succeed, a user or process with administrator privileges must first have added to the system PATH the directory into which the attacker plans to drop the malicious DLL, and that directory must have permissions that let a non-administrator write files to it. This precondition limits the attack to systems where such a PATH entry already exists.
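The two conditions described above (a PATH directory that a standard user can write to, and a SYSTEM service that loads a DLL without verifying its signature) can be checked from PowerShell. The script below is an added example written for this article, not code from SafeBreach or Bitdefender. It assumes Windows PowerShell 5.1 or later, an elevated session for the module check (the services run as SYSTEM), and the English names of the built-in principals. It generalizes beyond the single directory the article describes: it audits every machine-wide PATH entry, and it lists every module in the vsserv and updatesrv processes whose Authenticode signature does not verify.

```powershell
# Added example for this article; not code from SafeBreach or Bitdefender.
# Two read-only checks:
#   1. Test-LowPrivCreatePath: which machine-wide PATH directories a standard
#      user could drop a DLL into (the precondition for planting a rogue DLL).
#   2. Get-UnsignedModule: which DLLs loaded in the Bitdefender services
#      (vsserv / updatesrv) do not carry a valid Authenticode signature.
# Assumptions: Windows PowerShell 5.1+, elevated session for check 2,
# English principal names.

# Principals that a standard (non-admin) interactive user normally holds.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Bits that allow creating a file in a directory: CreateFiles/WriteData (2),
# GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
# FullControl and Modify both include bit 2, so they are covered.
$createFileMask = 2 -bor 0x40000000 -bor 0x10000000

function Test-LowPrivCreate {
    param([Parameter(Mandatory)][string]$Dir)
    $allowed = $false
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ((([int]$ace.FileSystemRights) -band $createFileMask) -eq 0) { continue }
        # Approximation of DACL evaluation: an explicit Deny for one of these
        # principals is treated as overriding any Allow.
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Test-LowPrivCreatePath {
    # One object per machine-wide PATH entry (the PATH the services inherit).
    $raw = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $entries = $raw -split ';' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry)
        $exists = Test-Path -LiteralPath $dir -PathType Container
        [pscustomobject]@{
            Directory        = $dir
            Exists           = $exists
            LowPrivCanCreate = $(if ($exists) { Test-LowPrivCreate -Dir $dir } else { $null })
        }
    }
}

function Get-UnsignedModule {
    # Process names default to the two services named in the article.
    param([string[]]$ProcessName = @('vsserv', 'updatesrv'))
    foreach ($proc in (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
        foreach ($module in $proc.Modules) {
            $sig = Get-AuthenticodeSignature -FilePath $module.FileName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    Pid     = $proc.Id
                    Module  = $module.FileName
                    Status  = $sig.Status
                }
            }
        }
    }
}

# Usage: show only the PATH entries that matter, then any unsigned modules.
Test-LowPrivCreatePath | Where-Object { -not $_.Exists -or $_.LowPrivCanCreate } | Format-Table -AutoSize
Get-UnsignedModule | Format-Table -AutoSize
```

A directory reported with LowPrivCanCreate set to True, or one that does not exist (and so could be created by whoever can write to its parent), is the kind of PATH entry the attack needs. The Deny handling is an approximation of Windows DACL evaluation, so confirm any finding with icacls before acting on it. Catalog-signed Windows DLLs report Valid on Windows 8 and later; a module with status NotSigned that sits in a PATH directory is the finding to chase.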

“Despite the fact it’s an antivirus, these services are running as non-PPL, which means that CIG (Code Integrity Guard) is not enforced, so unsigned code loading is possible into these processes”, the researchers report.

PPL here is Protected Process Light, the Windows protection level under which a process may load only code signed to the required level; CIG is the process mitigation that enforces that signing requirement on loaded images.

SafeBreach researchers note that they recently disclosed a very similar vulnerability in Trend Micro's password manager: it too loaded a DLL insecurely and allowed an attacker to escalate privileges on the system.

Bitdefender has since fixed the problem by releasing an updated version of the antivirus.

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you
