Author Topic: Several Vulnerabilities Found in Comodo Antivirus  (Read 5420 times)

Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 1123
Several Vulnerabilities Found in Comodo Antivirus
« on: July 23, 2019, 06:52:40 AM »
https://www.securityweek.com/several-vulnerabilities-found-comodo-antivirus

The article refers to v.12.0.0.6810, so two releases ago. But I haven't read anything about fixing these vulnerabilities in the changelog of v.12.0.0.6818 and v.12.0.0.6870.

Any feedback?

Offline ReeceN

  • Comodo's Hero
  • *****
  • Posts: 599
  • Paranoid B#st#rd - CIA
Re: Several Vulnerabilities Found in Comodo Antivirus
« Reply #1 on: July 23, 2019, 11:30:37 AM »
Nice find.

I'm not too surprised by this one though.

Just from the standpoint of Comodo using file paths instead of file hashes to add to the local white list meant the devs using this type of methodology was always going to be abused.

As far as I can tell (might be wrong), as an initial fix all Comodo needs to do is make sure it always checks the cert for safe files OR creates a local store of file hashes for safe files, and checks with that each time an instance of an assumed safe file is launched.

I'm glad someone actually went ahead and created a working exploit.

Long overdue as far as I am concerned.

Good work, good find.
« Last Edit: July 23, 2019, 11:33:13 AM by ReeceN »

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5127
Re: Several Vulnerabilities Found in Comodo Antivirus
« Reply #2 on: July 23, 2019, 06:41:28 PM »
Quote
Nice find.

I'm not too surprised by this one though.

Just from the standpoint of Comodo using file paths instead of file hashes to add to the local white list meant the devs using this type of methodology was always going to be abused.

Umm no, CIS never used just the file paths, it has always been based on file hash for the local file list.

Quote
As far as I can tell (might be wrong), as an initial fix all Comodo needs to do is make sure it always checks the cert for safe files OR creates a local store of file hashes for safe files, and checks with that each time an instance of an assumed safe file is launched.
CIS already does this for every file that is executed, it determines both the file hash and checks for a digital signed certificate, which it then checks if the vendor is a trusted vendor or not.

The vulnerability is in the way CIS checks the PE file that is attempting to access a COM interface that is provided by cmdagent, to see if it is digitally signed either by Comodo or Microsoft. CIS would do this check using the on disk file path instead of parsing the PE file in memory to check for the digital signature.

Offline liosant

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1517
  • GOD cure me epilepsy and atrophy - Sou brasileiro!
Re: Several Vulnerabilities Found in Comodo Antivirus
« Reply #3 on: July 23, 2019, 08:11:49 PM »
Quote
https://help.comodo.com/topic-72-1-766-11485-Miscellaneous-Settings.html
this protection exists, but if you are a programmer you can get around ...

Example: Process unknown exploit > Safe process >Some system processes are not checked by most suite(s). :-\

Offline ReeceN

  • Comodo's Hero
  • *****
  • Posts: 599
  • Paranoid B#st#rd - CIA
Re: Several Vulnerabilities Found in Comodo Antivirus
« Reply #4 on: July 24, 2019, 09:25:29 AM »
Quote
Umm no, CIS never used just the file paths, it has always been based on file hash for the local file list.

By local white list I am referring to the Auto-Containment white-list (ignore) rules.

Comodo does not use a file hash when white-listing an individual file from containment via the Auto-Containment settings (including the Auto-Containment popup when launching an unknown executable file).

Quote
CIS would do this check using the on disk file path instead of parsing the PE file in memory to check for the digital signature.

That is what I said, they are using a file path to check the file.

As I say, I am not surprised that this type of methodology of only using file paths in certain scenarios to check files has resulted in an exploit like this elsewhere within the software.
« Last Edit: July 24, 2019, 09:30:42 AM by ReeceN »
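
The path-versus-hash distinction debated in the replies above, as an added example that is not part of the thread and is not Comodo's code: a hypothetical `Allowlist` class records a file's SHA-256 at approval time, and `demo()` shows that a path-only rule still trusts the file after its bytes change while the hash rule does not. All names and the sample file are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    # Reads the whole file at once; adequate for the small constructed sample.
    with open(path, "rb") as handle:
        return hashlib.sha256(handle.read()).hexdigest()


class Allowlist:
    """Hypothetical allowlist that records path and content hash at approval time."""

    def __init__(self):
        self._approved = {}  # canonical path -> sha256 recorded at approval

    def approve(self, path):
        self._approved[os.path.realpath(path)] = sha256_of(path)

    def trusted_by_path(self, path):
        # Weak rule: identity is the file's location only.
        return os.path.realpath(path) in self._approved

    def trusted_by_hash(self, path):
        # Stronger rule: the contents must still match what was approved.
        expected = self._approved.get(os.path.realpath(path))
        if expected is None:
            return False
        try:
            return sha256_of(path) == expected
        except OSError:
            return False  # a deleted or unreadable file is never trusted


def demo():
    """Approve a file, change its bytes in place, and compare both rules."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "tool.bin")  # constructed sample file
        with open(target, "wb") as handle:
            handle.write(b"approved build")
        allow = Allowlist()
        allow.approve(target)
        results["before"] = (allow.trusted_by_path(target), allow.trusted_by_hash(target))
        with open(target, "wb") as handle:
            handle.write(b"different bytes, same path")
        results["after"] = (allow.trusted_by_path(target), allow.trusted_by_hash(target))
    return results
```
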

Offline R2C2

  • Comodo Family Member
  • ***
  • Posts: 95
Re: Several Vulnerabilities Found in Comodo Antivirus
« Reply #5 on: July 24, 2019, 01:43:56 PM »
UPDATE. Comodo has provided SecurityWeek the following statement:

    There have been no reported incidents exploiting any of these vulnerabilities and no customers reporting related issues to us. The Comodo product team has been working diligently to resolve all vulnerabilities and all fixes will be released by Monday, July 29

Offline megaherz33

  • Comodo's Hero
  • *****
  • Posts: 1890
  • Long Live COMODO!
    • Comodo Group
Re: Several Vulnerabilities Found in Comodo Antivirus
« Reply #6 on: July 24, 2019, 05:21:56 PM »


Windows 10 Pro x64 Build 21376.1 (21H2)
CIS Premium v.12.2.2.8012
MX Linux 19.4 Xfce

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5127
Re: Several Vulnerabilities Found in Comodo Antivirus
« Reply #7 on: July 24, 2019, 05:29:11 PM »
Quote
By local white list I am referring to the Auto-Containment white-list (ignore) rules.

Comodo does not use a file hash when white-listing an individual file from containment via the Auto-Containment settings (including the Auto-Containment popup when launching an unknown executable file).

That is what I said, they are using a file path to check the file.

As I say, I am not surprised that this type of methodology of only using file paths in certain scenarios to check files has resulted in an exploit like this elsewhere within the software.

By default no but you can create an auto-containment rule based on file hash.


COModo: From Sandbox to SYSTEM (CVE-2019–3969)

https://medium.com/tenable-techblog/comodo-from-sandbox-to-system-cve-2019-3969-b6a34cc85e67
I split your post and added it to this topic.

Offline Nilhar

  • Comodo Family Member
  • ***
  • Posts: 86
Re: Several Vulnerabilities Found in Comodo Antivirus
« Reply #8 on: July 24, 2019, 06:18:01 PM »
We don't need to worry.

This supposed vulnerability can be partially true:
    COModo: From Sandbox to SYSTEM (CVE-2019–3969)
   
But the POC is a fake!!!
If you observe the POC video closely, there is a little trick that, in a real scenario (and with Comodo well configured), cannot work if the malware runs fully sandboxed!

BTW: I have read the technical article and it is very good... Congratulations to the author! :-TU

Offline liosant

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1517
  • GOD cure me epilepsy and atrophy - Sou brasileiro!
Re: Several Vulnerabilities Found in Comodo Antivirus
« Reply #9 on: July 24, 2019, 09:01:56 PM »
Some things make the video a little dubious, for example:
What settings were tested?
We can't see the auto-containment or sandbox settings, so ...

Note: But it is possible to bypass some suites if using system applications.
CIS auto protected, CCAV protect yourself a little better
Quote
https://help.comodo.com/topic-72-1-766-9168-Sandbox-Configuration.html

Attention: beware of folders and files added in the options "do not virtualize..." (this could endanger your photos, videos, documents...)
« Last Edit: July 24, 2019, 09:09:12 PM by liosant »


Offline ReeceN

  • Comodo's Hero
  • *****
  • Posts: 599
  • Paranoid B#st#rd - CIA
Re: Several Vulnerabilities Found in Comodo Antivirus
« Reply #11 on: July 25, 2019, 08:46:26 AM »
Good to see the devs swoop into action.

Quote from: https://www.securityweek.com/several-vulnerabilities-found-comodo-antivirus
There have been no reported incidents exploiting any of these vulnerabilities and no customers reporting related issues to us. The Comodo product team has been working diligently to resolve all vulnerabilities and all fixes will be released by Monday, July 29.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26525
Re: Several Vulnerabilities Found in Comodo Antivirus
« Reply #12 on: July 25, 2019, 02:18:46 PM »
The release on Monday July 29 will be a hotfix only for reported vulnerabilities, there will be no fix for the additional bugs.

Offline tg912

  • Newbie
  • *
  • Posts: 12
Re: Several Vulnerabilities Found in Comodo Antivirus
« Reply #13 on: July 29, 2019, 09:03:28 PM »
I haven't received an update yet.

Offline Redstraw

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 457
Re: Several Vulnerabilities Found in Comodo Antivirus
« Reply #14 on: July 29, 2019, 09:55:30 PM »
No hotfix released as committed yet.

 
