From the low-hanging-fruit-department
AVIRA Generic Malformed Container bypass (ISO Container)
________________________________________________________________________
Release mode : Coordinated disclosure / Vendor does not
disclose
CVE : CVE-2020-9320
Ref : [TZO-19-2020] - AVIRA Generic AV Bypass (ISO Container)
Vendor : AVIRA
Status : PATCHED - Engine version 8.3.54.138.
CVE : none provided,
Blog :
https://blog.zoller.lu/p/from-low-hanging-fruit-department-avira.html
Vulnerability Dislosure Policy:
https://caravelahq.com/b/policy/20949
Affected Products
=================
AV Engine below 8.3.54.138
All Avira products :
- Avira Antivirus Server
- Avira Antivirus for Endpoint
- Avira Antivirus for Small Business
- Avira Exchange Security (Gateway)
- Avira Internet Security Suite for Windows
- Avira Prime
- Avira Free Security Suite for Windows
- Cross Platform Anti-malware SDK
Attention:
Avira does not patch or update their very popular command line
scanner
that is still available for download on their website. Since Avira
does
not release and advisory their customers are none the wiser.
Avira licenses it's engine to many OEM Partners. The OEM
Partners that
use the Avira Engine may be vulnerable or not. I would advise that
you
reach out to the vendors listed below to know whether you are
affected
or not. OEM Partners
can reach out to me to retreive the POC in order to test.
AVIRA OEM Partners:
- F-Secure
- Sophos
- Barracude
- Alibaba Cloud Security
- Check Point
- CUJO AI
- TP-Link
- FujiSoft
- AWS
- Rohde and Schwarz
- Careerbuilder
- Huawei
- Dracoon
- Total Availability
- FixMeStick
- APPVISORY
- Tabidus
- Cyren
Source :
https://oem.avira.com/en/partnership/our-partners
I. Background
----------------------------
Quote: "We protect people—like you—across all devices, both
directly and
via our OEM partnerships.We provide a wide variety of
best-in-class
solutions to enhance your protection, performance,
and online privacy—ranging from antivirus to VPN and cleanup
technologies.
A server security should get special attention, as a single
employee
might store a malicious file on the network and instantly cause
a
cascading damage across the entire organization.
With Avira's solutions for server security you can prevent such
scenarios by protecting your network, data, and web traffic. "
Avira has the Trust Seal or the
http://www.teletrust.de/itsmig/
II. Description
----------------------------
The parsing engine supports the ISO container format. The parsing
engine
can be bypassed by specifically manipulating the ISO Archive
This leads to the Endpoint ignoring the container and the Gateways
to
let this file slip through uninspected.
III. Impact
----------------------------
It bypasses Avira perimeter defenses and sheduled AV scans.
Impacts depends on the contextual use of the product and engine
within
the organisation
of a customer. Gateway Products (Email, HTTP Proxy etc) may allow
the
file through unscanned
and give it a clean bill of health. Server side AV software will
not be
able to discover
any code or sample contained within this ISO file and it will not
raise
suspicion even
if you know exactly what you are looking for (Which is for example
great
to hide your implants
or Exfiltration/Pivot Server).
There is a lot more to be said about this bug class, so rather
than bore
you with it in
this advisory I provide a link to my 2009 blog post
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html
IV. Patch / Advisory
----------------------------
PATCHED - Engine version 8.3.54.138.
V. Disclosure timeline
----------------------------
How Avira handled these reports in 2009 :
https://blog.zoller.lu/2009/04/avira-antivir-generic-cab-bypass.html
28 NOV 2019
Submitted the Vulnerabiltiy Details
04 DEC 2019
AVIRA releases a patch but doesn't inform the public and/or
customers.
Read more https://packetstormsecurity.com/files/156472/TZO-19-2020.txt
