Several Vulnerabilities Found in Comodo Antivirus

[Jon79]

https://www.securityweek.com/several-vulnerabilities-found-comodo-antivirus

The article refers to v.12.0.0.6810 so two releases ago. But I haven't read anything about fixing these vulnerabilities on the changelog of v.12.0.0.6818 and v.12.0.0.6870.

Any feedback?

[ReeceN]

Nice find.

I'm not too surprised by this one though.

Just from the standpoint of Comodo using file paths instead of file hashes to add to the local white list meant the devs using this type of methodology was always going to be abused.

As far as I can tell (might be wrong), as an initial fix all Comodo needs to do is make sure it always checks the cert for safe files OR creates a local store of file hashes for safe files, and checks with that each time an instance of an assumed safe file is launched.

I'm glad someone actually went ahead and created a working exploit.

Long overdue as as far as I am concerned.

Good work, good find.

[futuretech]

Nice find.

I'm not too surprised by this one though.

Just from the standpoint of Comodo using file paths instead of file hashes to add to the local white list meant the devs using this type of methodology was always going to be abused.

Umm no, CIS never used just the file paths, it has always been based on file hash for the local file list.

As far as I can tell (might be wrong), as an initial fix all Comodo needs to do is make sure it always checks the cert for safe files OR creates a local store of file hashes for safe files, and checks with that each time an instance of an assumed safe file is launched.

CIS already does this for every file that is executed, it determines both the file hash and checks for a digital signed certificate, which it then checks if the vendor is a trusted vendor or not.

The vulnerability is in the way CIS checks the PE file that is attempting to access a COM interface that is provided by cmdagent, to see if it is digitally signed either by Comodo or Microsoft. CIS would do this check using the on disk file path instead of parsing the PE file in memory to check for the digital signature.

[liosant]

https://help.comodo.com/topic-72-1-766-11485-Miscellaneous-Settings.html

this protection exists, but if you are a programmer you can get around ...

Example: Process unknown exploit > Safe process >Some system processes are not checked by most suite(s).

[ReeceN]

Umm no, CIS never used just the file paths, it has always been based on file hash for the local file list.

By local white list I am referring to the Auto-Containment white-list (ignore) rules.

Comodo does not use a file hash when white-listing an individual file from containment via the Auto-Containment settings (including the Auto-Containment popup when launching an unknown executable file).

CIS would do this check using the on disk file path instead of parsing the PE file in memory to check for the digital signature.

That is what I said, they are using a file path to check the file.

As I say, I am not surprised that this type of methodology of only using file paths in certain scenarios to check files has resulted in an exploit like this elsewhere within the software.

[R2C2]

UPDATE. Comodo has provided SecurityWeek the following statement:

    There have been no reported incidents exploiting any of these vulnerabilities and no customers reporting related issues to us. The Comodo product team has been working diligently to resolve all vulnerabilities and all fixes will be released by Monday, July 29

[megaherz33]

COModo: From Sandbox to SYSTEM (CVE-2019–3969)

https://medium.com/tenable-techblog/comodo-from-sandbox-to-system-cve-2019-3969-b6a34cc85e67

[futuretech]

By local white list I am referring to the Auto-Containment white-list (ignore) rules.

Comodo does not use a file hash when white-listing an individual file from containment via the Auto-Containment settings (including the Auto-Containment popup when launching an unknown executable file).

That is what I said, they are using a file path to check the file.

As I say, I am not surprised that this type of methodology of only using file paths in certain scenarios to check files has resulted in an exploit like this elsewhere within the software.

By default no but you can create an auto-containment rule based on file hash.

COModo: From Sandbox to SYSTEM (CVE-2019–3969)

https://medium.com/tenable-techblog/comodo-from-sandbox-to-system-cve-2019-3969-b6a34cc85e67

I split your post and added it to this topic.

[Nilhar]

We don't need to be worry.

This supposed vulnerability it can be partially true:
    COModo: From Sandbox to SYSTEM (CVE-2019–3969)
   
But the POC is a fake!!!
If you do a precisely observation on the POC-video there is a little trick that in a real scenery (and Comodo well configured) it cannot work if the malware run fully sandboxed!

BTW:I have read the technical article and is very good... Congratulations to the author!

[liosant]

Some things make the video a little dubious, for example:
what settings were tested?
we can't see the auto-containment or sandbox settings, so ...

Note: But it is possible to bypass some suites if using system applications.
CIS auto protected, CCAV protect yourself a little better

https://help.comodo.com/topic-72-1-766-9168-Sandbox-Configuration.html

Attention: beware of folders and files added in the options "do not virtualize..." (this could endanger your photos, videos, documents...)

[R2C2]

https://www.zdnet.com/article/comodo-antivirus-subject-to-serious-unpatched-vulnerabilities/

[ReeceN]

Good to see the devs swoop into action.

There have been no reported incidents exploiting any of these vulnerabilities and no customers reporting related issues to us. The Comodo product team has been working diligently to resolve all vulnerabilities and all fixes will be released by Monday, July 29.

[EricJH]

The release on Monday July 29 will be a hotfix only for reported vulnerabilities, there will be no fix for the additional bugs.

[tg912]

I haven't received an update yet.

[Redstraw]

No hotfix released as committed yet.