
Comodo Antivirus Multiple Vulnerabilities

Medium

Synopsis

Multiple vulnerabilities were discovered in Comodo Antivirus / Comodo Antivirus Advanced. The following vulnerabilities were verified to be present in version 12.0.0.6810 of Comodo Antivirus, except CVE-2019-3973, which only affects versions up to 11.0.0.6582.
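A quick triage check for the builds named in this advisory, as an added example (this is not code from the Tenable advisory or from Comodo). It reads the file version of the installed CmdAgent.exe and compares it with the verified-vulnerable build (12.0.0.6810), the last build affected by CVE-2019-3973 (11.0.0.6582) and the fix build Comodo later supplied (12.0.0.6882, see the disclosure timeline). It assumes Windows PowerShell 5.1 or later and the default install directory given in the -Path parameter, which is an assumption; override it if your install differs.

```powershell
# Added example, not part of the Tenable advisory or Comodo's software.
# Compares the installed cmdagent.exe file version with the builds the advisory names.
# Assumptions: Windows PowerShell 5.1+, default Comodo install directory (override with -Path).
function Get-ComodoAdvisoryStatus {
    param(
        [string]$Path = 'C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe'  # assumed default location
    )
    # Prefer the path of the running service process when it is readable. As a standard
    # user the path of a SYSTEM process is usually not readable, so fall back to -Path.
    $proc = Get-Process -Name cmdagent -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($proc -and $proc.Path) { $Path = $proc.Path }
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "cmdagent.exe not found at '$Path'; Comodo Antivirus may not be installed here."
    }

    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    if ($raw -notmatch '\d+\.\d+\.\d+\.\d+') { throw "Unparseable file version '$raw'." }
    $ver = [version]$Matches[0]

    # Builds taken from the advisory text and its disclosure timeline.
    $verifiedVulnerable = [version]'12.0.0.6810'   # all five CVEs verified on this build
    $lastCve3973        = [version]'11.0.0.6582'   # CVE-2019-3973 affects builds up to this one
    $vendorFixBuild     = [version]'12.0.0.6882'   # supplied by Comodo on 08/06/19

    $note = if ($ver -ge $vendorFixBuild) {
        'Vendor fix build or newer. Per the timeline, CVE-2019-3969 was still reproducible for non-Contained processes in 12.0.0.6882, so the build number alone is not proof of a complete fix.'
    } elseif ($ver -gt $verifiedVulnerable) {
        'Newer than the build Tenable tested but older than the vendor fix build; exposure was not verified by the advisory.'
    } else {
        'At or below the build on which all five CVEs were verified.'
    }

    [pscustomobject]@{
        Path                    = $Path
        FileVersion             = $ver
        Cve3973_AffectedRange   = ($ver -le $lastCve3973)
        AtOrBelowVerifiedBuild  = ($ver -le $verifiedVulnerable)
        AtOrAboveVendorFixBuild = ($ver -ge $vendorFixBuild)
        Note                    = $note
    }
}

Get-ComodoAdvisoryStatus | Format-List
```

Run it as the user who would be on the machine day to day; the version read needs no elevation, and the result object is easy to collect across a fleet with a remoting job.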

CVE-2019-3969: Local Privilege Escalation (CmdAgent.exe)

CmdAgent.exe verifies that COM clients requesting interfaces from it are signed binaries. An attacker can bypass this signing check by changing the client's own image name in its PEB (Process Environment Block), or by process hollowing a Comodo- or Microsoft-signed process with malicious code. The check is bypassable because CmdAgent.exe derives the path it verifies from EnumProcessModules / GetModuleFileNameEx for the COM client's PID; those APIs read the module list from the client's own PEB, so the path is under the client's control, and with hollowing the on-disk image really is signed while the code running inside it is not. Once the trusted-binary check passes, the attacker can obtain an instance of IServiceProvider, query it for an interface to SvcRegKey, and perform registry writes through the out-of-process COM server as "NT AUTHORITY\SYSTEM", giving local privilege escalation. The underlying design issue is that the server trusts a property that a lower-privileged client can forge; note from the disclosure timeline that Comodo's later build 12.0.0.6882 addressed this only for Contained processes.

CVE-2019-3970: Arbitrary File Write (Modification of AV Signatures)

Comodo keeps its virus definition database in a protected folder on disk, but Cavwp.exe loads the signatures into global section objects that have no DACL, so any low-privileged process can open them for write and modify them in memory. Modifying these section objects effectively modifies the AV definitions that Cavwp.exe interprets, allowing an attacker to create false positives (arbitrary file quarantine) or to evade detection by deleting or altering database data.

CVE-2019-3971: Denial of Service (CmdVirth.exe)

This denial of service is reachable through CmdVirth.exe's LPC port named "cmdvrtLPCServerPort". A low-privileged process can connect to this port and send an LPC_DATAGRAM, which triggers an access violation because the handler uses a hardcoded NULL as the source address of a memcpy. CmdVirth.exe and its child svchost instances terminate as a result.

CVE-2019-3972: Out-of-bounds Read (CmdAgent.exe)

CmdAgent.exe reads from a section object named "Global\{2DD3D2AA-C441-4953-ADA1-5B72F58233C4}_CisSharedMemBuff", which is writable by the "Everyone" Windows group. The memory holds a Comodo SharedMemoryDictionary structure that CmdAgent.exe looks keys up in and reads values from. Corrupting this structure causes an out-of-bounds read that crashes CmdAgent.exe.
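Both CVE-2019-3970 and CVE-2019-3972 come down to a section object that an unprivileged user can open for write, either because it has no DACL at all or because its DACL grants write to "Everyone". The following check, an added example that is not code from the Tenable advisory or from Comodo, opens a named section for READ_CONTROL only and reports either condition. It assumes Windows PowerShell 5.1 (.NET Framework), where MemoryMappedFile exposes GetAccessControl() directly; the only section name it uses is the one this advisory gives for CVE-2019-3972.

```powershell
# Added example, not part of the Tenable advisory or Comodo's software.
# Opens a named section (file mapping) with READ_CONTROL only and reports whether its DACL is
# null ("no ACL") or grants write access to a low-privileged group.
# Assumption: Windows PowerShell 5.1 / .NET Framework (MemoryMappedFile.GetAccessControl()).
function Test-SectionWorldWritable {
    param([Parameter(Mandatory)][string]$Name)

    $mmfType    = [System.IO.MemoryMappedFiles.MemoryMappedFile]
    $rightsType = [System.IO.MemoryMappedFiles.MemoryMappedFileRights]
    try {
        # ReadPermissions = READ_CONTROL; the section is never mapped or written.
        $mmf = $mmfType::OpenExisting($Name, $rightsType::ReadPermissions)
    } catch [System.IO.FileNotFoundException] {
        return [pscustomobject]@{ Name = $Name; Exists = $false; NullDacl = $null; LowPrivWrite = $null; Grants = @() }
    }
    try {
        $sec  = $mmf.GetAccessControl()
        $sddl = $sec.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
        # A null DACL grants everyone full access. SDDL renders it as D:NO_ACCESS_CONTROL
        # or leaves the D: component out entirely.
        $nullDacl = ($sddl -match 'D:NO_ACCESS_CONTROL') -or ($sddl -notmatch 'D:')

        $lowPriv = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, Users
        $write   = $rightsType::Write                          # FILE_MAP_WRITE; FullControl includes it
        $grants  = foreach ($r in $sec.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($r.AccessControlType -eq 'Allow' -and ($r.Rights -band $write) -and
                $lowPriv -contains $r.IdentityReference.Value) {
                "$($r.IdentityReference.Translate([System.Security.Principal.NTAccount])) : $($r.Rights)"
            }
        }

        [pscustomobject]@{
            Name         = $Name
            Exists       = $true
            NullDacl     = $nullDacl
            LowPrivWrite = ($nullDacl -or (@($grants).Count -gt 0))
            Grants       = @($grants)
        }
    } finally {
        $mmf.Dispose()
    }
}

# Section named in this advisory for CVE-2019-3972. The signature sections behind CVE-2019-3970
# are not named in the advisory; list Cavwp.exe's Section handles with a tool such as Sysinternals
# handle.exe (handle.exe -p cavwp.exe) and pass each Global\ name the same way.
Test-SectionWorldWritable -Name 'Global\{2DD3D2AA-C441-4953-ADA1-5B72F58233C4}_CisSharedMemBuff'
```

Run it as a standard user, not as an administrator: the point is whether a low-privileged token can open the object, and an elevated token would mask that. Exists=$false simply means the owning Comodo process is not running.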

CVE-2019-3973: Out-of-Bounds Write (Cmdguard.sys)

Cmdguard.sys exposes a filter communication port named "\cmdServicePort". Normally only CmdVirth.exe can connect to it, and the port allows a maximum of one connection. A low-privileged process, however, can crash CmdVirth.exe to free that single connection slot and then process hollow a copy of CmdVirth.exe with malicious code to obtain a port handle. With the handle, a specially crafted message sent through the FilterSendMessage API triggers an out-of-bounds write when lpOutBuffer lies near the end of a mapped region: the driver calls ProbeForWrite only for the caller-supplied dwOutBufferSize, so passing a small size (within the bounds of lpOutBuffer) satisfies the probe, after which the driver performs a memset of a fixed 0x734 bytes at that address, running past the supplied buffer and crashing the kernel. The missing check is a comparison of dwOutBufferSize against the 0x734 bytes the driver actually writes before the memset is issued.

Solution

At the time of this disclosure, we are not aware of any patches released by Comodo that address these vulnerabilities. We recommend keeping up to date with future Comodo Antivirus releases. Note from the disclosure timeline below that Comodo subsequently provided version 12.0.0.6882, and that Tenable found the CmdAgent.exe privilege escalation (CVE-2019-3969) fixed in that build only for Contained processes.

Proof of Concept

https://github.com/tenable/poc/tree/master/Comodo

Disclosure Timeline

04/17/19 - Tenable discloses to Comodo.
04/29/19 - Tenable follows up, asking if vulnerabilities have been confirmed.
05/07/19 - Comodo confirms some vulnerabilities, waiting to confirm others.
05/20/19 - Tenable requests status update.
06/04/19 - Tenable requests status update.
06/04/19 - Comodo provides status update. No planned release date at this time.
06/04/19 - Tenable asks for confirmation of vulnerabilities.
06/07/19 - Comodo explains LPE vulnerability is partially due to Microsoft's fault.
06/10/19 - Tenable asks what Microsoft's fault is in this scenario.
06/19/19 - Tenable notifies Comodo that we plan to release CVEs for disclosed issues.
07/08/19 - Tenable asks when Comodo expects fixes for disclosed issues.
08/06/19 - Comodo provides Comodo version 12.0.0.6882 which is said to fix vulnerabilities.
08/07/19 - Tenable confirms LPE via Contained process has been fixed in 12.0.0.6882, but LPE vulnerability still exists for non-Contained processes.
08/07/19 - Comodo says they will check this with the team.
08/09/19 - Comodo says they couldn't reproduce the issue.
08/10/19 - Tenable explains PoC needed slight modification, due to cavshell.dll offsets changing in version 12.0.0.6882.
08/12/19 - Comodo says they will investigate issue.
08/12/19 - Comodo asks if Tenable sees this as part of existing vulnerability or a new vulnerability.
08/12/19 - Tenable says this is part of existing vulnerability - CVE-2019-3969.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2019-34
Credit: David Wells
CVSSv2 Base Score and Vector (one per CVE, in the order the vulnerabilities are listed above):
CVE-2019-3969  6.8  AV:L/AC:L/Au:S/C:C/I:C/A:C
CVE-2019-3970  1.7  AV:L/AC:L/Au:S/C:N/I:P/A:N
CVE-2019-3971  4.6  AV:L/AC:L/Au:S/C:N/I:N/A:C
CVE-2019-3972  4.6  AV:L/AC:L/Au:S/C:N/I:N/A:C
CVE-2019-3973  4.6  AV:L/AC:L/Au:S/C:N/I:N/A:C
Risk Factor: Medium

Advisory Timeline

7/16/19 - Initial Release
