Four antivirus providers have released patches for an issue that was initially detailed by a researcher more than 10 years ago.
Reported by Thierry Zoller in 2009, the bug resides in an attacker’s ability to craft compressed archives that, although accessible to a user, cannot be scanned by the antivirus product.
The flaw, Zoller explains, is not tied to a single archive format; it lies in the ability to alter a compressed archive so that it becomes inaccessible to the AV software while remaining usable. Multiple archive formats can be used, including ISO, ZIP, and Bz2.
The bug has a low impact on the client side, since the file can still be inspected after the user extracts it, but it severely impacts email gateways and other antivirus infrastructure, because the archive cannot be automatically decompressed to inspect its content.
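The gateway failure mode described above is an archive the scanner cannot open being passed through as clean. The following is an added example, not code from the article or from any of the vendors named in it: a fail-closed inspection routine that returns "clean" only when every entry of a ZIP was fully decompressed and its CRC verified, and "quarantine" for anything it could not parse or extract. The sample archive, size cap and verdict names are constructed for the example.

```python
import io
import zipfile
import zlib

# Cap per-entry decompressed size so inspection itself cannot be abused.
MAX_ENTRY_BYTES = 10 * 1024 * 1024  # constructed limit for the example


def build_sample_zip() -> bytes:
    """Constructed benign test archive (STORED so the payload stays readable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "hello from a benign test file\n")
    return buf.getvalue()


def inspect_archive(data: bytes) -> dict:
    """Fail-closed verdict: 'clean' only if every entry was fully inspected.

    Any parse error, unsupported compression, encryption, CRC mismatch or
    oversized entry yields 'quarantine' instead of a clean bill of health.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return {"verdict": "quarantine", "reason": f"unparseable: {exc}", "entries": 0}
    with zf:
        infos = zf.infolist()
        if not infos:
            return {"verdict": "quarantine", "reason": "no entries", "entries": 0}
        for info in infos:
            if info.file_size > MAX_ENTRY_BYTES:
                return {"verdict": "quarantine",
                        "reason": f"oversized entry {info.filename}",
                        "entries": len(infos)}
            try:
                # open() cross-checks the local header against the central
                # directory; read() to EOF verifies the CRC-32 of the payload.
                with zf.open(info) as fh:
                    fh.read()
            except (zipfile.BadZipFile, NotImplementedError,
                    RuntimeError, OSError, zlib.error) as exc:
                return {"verdict": "quarantine",
                        "reason": f"cannot extract {info.filename}: {exc}",
                        "entries": len(infos)}
    return {"verdict": "clean", "reason": "all entries inspected", "entries": len(infos)}
```

Every branch that returns "quarantine" is a case where a lenient gateway would otherwise have had no content to match against and let the file through.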
Ten years after the initial discovery, Zoller decided to revisit the issue and assess the manner in which AV vendors have addressed it in their products. He also contacted vendors to report the bug.
What he says he has found so far is discouraging: not only had the bug been ignored for a decade, but some of the vendors he recently contacted with vulnerability reports did not react positively.
In November 2019, the issue caught additional attention, after it started being abused in campaigns looking to disseminate malware via emails.
According to Zoller, the bug impacts many products from multiple vendors, including Avira, Bitdefender, ESET and Kaspersky, which he contacted in October 2019 to report the flaw and provide proof-of-concept code, so that patches would be released.
“Impact depends on the contextual use of the product and engine within the organization of a customer. Gateway Products (Email, HTTP Proxy etc) may allow the file through unscanned and give it a clean bill of health. Server side AV software will not be able to discover any code or sample contained within this ZIP file and it will not raise suspicion even if you know exactly what you are looking for,” he says.
Impacted ESET products span across platforms and include Smart Security Premium, Internet Security, NOD32 Antivirus, Cyber Security Pro (Mac), Cyber Security (Mac), Mobile Security for Android, Smart TV Security, and NOD32 Antivirus 4 for Linux Desktop. The issue was addressed in version 1294 of the archive unpacker module.
Kaspersky has addressed the vulnerability with the release of patch E for four of its products, namely Kaspersky Secure Connection 4.0 (2020), Internet Security 2020, Total Security 2020, and Security Cloud 2020.
“We also have fixed three bugs in one of the anti-virus (AV) engine components that is responsible for working with ZIP archives. The fix for this component corrects its behaviour in situations where the antivirus scans specially crafted ZIP archives. These malformed archives could be used to circumvent our antivirus scan process. The bugs affected Kaspersky products with antivirus databases,” Kaspersky said.
While these two vendors were quick to patch the flaws in their products and credit Zoller for reporting them, Avira and Bitdefender were not as responsive, the security researcher says.
Avira, he says, dismissed his report from the start. Only after more than a month of conversation, and only after the company’s CTO was contacted, was a silent patch released.
Bitdefender, on the other hand, acknowledged the bug, issued three CVEs, and released a patch, but then revised its approach and withdrew the CVEs. The vendor did silently fix the issue in December, but credited the researcher for the finding only several weeks later, after being called out for not doing so from the beginning, Zoller says.
“The length you need to go through in 2019 to report vulnerabilities is astounding, it is also astounding to see how bug bounty platforms have the potential to be used to silence reports and/or researchers. Their terms and usages introduce a new element and dynamic in the researcher/vendor relationship,” the researcher concludes.