
Flaw Allowed Attackers to Bypass FireEye Detection Engine

Researchers at Germany-based Blue Frost Security discovered a high severity vulnerability in FireEye products that allowed malicious actors to bypass the company’s detection engine and temporarily whitelist malware.

The vulnerability was reported to FireEye in September 2015 and it was patched the next month with the release of FireEye Operating System (FEOS) updates. However, in mid-January, FireEye asked Blue Frost to postpone its initial disclosure date by 30 days because many customers had still not applied the updates.

The flaw is related to FireEye’s Virtual Execution Engine (VXE), a system used by the company’s products to perform dynamic analysis on files. The list of affected products includes FireEye Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX).

When conducting analysis on a Windows machine, the engine copies the targeted binary into a virtual machine with the name “malware.exe.” Before the file is analyzed, a batch script is used to copy the binary to a temporary location and rename it to its original filename.

However, researchers discovered that since the original filename is not sanitized, an attacker can assign the file a different name by tampering with Windows environment variables.

The batch script normally attempts to execute the file in the virtual machine and monitor it for malicious behavior. However, because the tampered filename is invalid, the copy operation fails, the file is never executed, and the system observes no malicious activity.

If a file is marked as non-malicious, its MD5 hash is added to a list of binaries that have already been analyzed. Files matching the MD5 hashes added to this whitelist are not analyzed until the next day when the list is cleared.
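As an added illustration (not FireEye’s code or Blue Frost Security’s advisory), the following Python model shows the two weaknesses described above side by side: an unsanitized original filename reaching a shell copy step, and an MD5 cache that records “nothing executed” as “benign”. The allow-list sanitizer, the marker-based verdict and the sample filenames are assumptions made for this example; the hardened variant simply refuses to cache a verdict when the copy step fails.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumption for this example: a strict allow-list of characters that cannot be
# interpreted by cmd.exe (no '%', so no environment-variable expansion).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._ -]{0,199}$")


def sanitize_filename(name: str) -> Optional[str]:
    """Return the name if it is safe to hand to a shell copy/rename step, else None."""
    return name if SAFE_NAME.fullmatch(name) else None


@dataclass
class Sandbox:
    """Toy model of a VXE-style pipeline with a per-day 'already analyzed' MD5 cache."""
    fail_open: bool                       # True models the pre-patch behaviour
    analyzed: dict = field(default_factory=dict)   # md5 -> cached verdict

    def copy_and_run(self, data: bytes, name: str) -> Optional[bool]:
        # Models the batch script: rename to the original filename, then execute.
        # An unsafe name makes the copy fail, so nothing is ever executed.
        if sanitize_filename(name) is None:
            return None
        # Constructed stand-in for dynamic analysis: a marker string counts as malicious.
        return b"EVIL" in data

    def analyze(self, data: bytes, name: str) -> str:
        md5 = hashlib.md5(data).hexdigest()   # cache keyed on MD5, as in the article
        if md5 in self.analyzed:
            return self.analyzed[md5]         # whitelisted until the daily clear
        observed = self.copy_and_run(data, name)
        if observed is None:
            if not self.fail_open:
                return "error"                # hardened: no verdict, nothing cached
            observed = False                  # vulnerable: no activity seen -> clean
        verdict = "malicious" if observed else "clean"
        self.analyzed[md5] = verdict
        return verdict
```

The `fail_open=True` sandbox caches a clean verdict for a sample that was never run, so a later submission of the same bytes under a plain name is skipped; the `fail_open=False` sandbox reports an analysis error instead and analyzes the plain-named copy normally.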


“This effectively allows an attacker to whitelist a binary once and then use it with an arbitrary file name in a following attack. The initial binary with the environment variable embedded in its filename could e.g. be hidden in a ZIP file together with several other benign files and sent to an unsuspicious email address,” Blue Frost Security said in its advisory. “Once this ZIP file was downloaded or sent via email a single time, the MD5 hash of the embedded malware would be whitelisted and the binary could then be used with an arbitrary file name without detection.”

FireEye patched the vulnerability with the release of FX 7.5.1, AX 7.7.0, NX 7.6.1 and EX 7.6.2.

“On September 30th, 2015 FireEye confirmed that Blue Frost Security had discovered an evasion technique impacting some of its products. FireEye takes the security of its products and its customers very seriously and hence updates fixing the evasion were released on October 5th and October 15th,” FireEye told SecurityWeek.

“We have not seen any active exploits of the evasion technique against customers, but highly urge customers to update to the latest FEOS as soon as possible to ensure they are secure. We greatly appreciate the innovative research that the security community brings us in order to protect our customers against advanced threats,” the company added.

Related: FireEye Patches Critical Flaw Found by Google Researchers

Related: Critical Flaw in FireEye Appliances Exploitable by Sending an Email

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
