Researchers at Germany-based Blue Frost Security discovered a high-severity vulnerability in FireEye products that allowed malicious actors to bypass the company’s detection engine and temporarily whitelist malware.
The vulnerability was reported to FireEye in September 2015 and it was patched the next month with the release of FireEye Operating System (FEOS) updates. However, in mid-January, FireEye asked Blue Frost to postpone its initial disclosure date by 30 days because many customers had still not applied the updates.
The flaw is related to FireEye’s Virtual Execution Engine (VXE), the system the company’s products use to perform dynamic analysis on files. The list of affected products includes FireEye Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX).
When conducting analysis on a Windows machine, the engine copies the targeted binary into a virtual machine with the name “malware.exe.” Before the file is analyzed, a batch script is used to copy the binary to a temporary location and rename it to its original filename.
However, researchers discovered that the original filename is not sanitized before it is handed to the batch script. A filename that embeds a Windows environment variable reference (for example, %VARNAME%) is therefore expanded by the command interpreter when the script runs, so the name the script actually uses is the expanded value rather than the literal filename, and the attacker can choose a reference whose expansion is not a valid path.
The batch script then tries to execute the copied file inside the virtual machine and monitor it for malicious behavior. Because the expanded filename is invalid, the copy operation fails, the file is never executed, and the engine observes no malicious activity.
A file that shows no malicious activity is marked non-malicious, and its MD5 hash is added to a list of binaries that have already been analyzed. Any later file with a matching MD5 hash is not analyzed again until the next day, when the list is cleared.
“This effectively allows an attacker to whitelist a binary once and then use it with an arbitrary file name in a following attack. The initial binary with the environment variable embedded in its filename could e.g. be hidden in a ZIP file together with several other benign files and sent to an unsuspicious email address,” Blue Frost Security said in its advisory. “Once this ZIP file was downloaded or sent via email a single time, the MD5 hash of the embedded malware would be whitelisted and the binary could then be used with an arbitrary file name without detection.”
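To make the evasion concrete, the following is an added Python model of the analysis pipeline described above. It is not FireEye’s or Blue Frost Security’s code, and the article does not say how FEOS was fixed: the guest environment variables, the copy and execution steps, the `EVIL` marker standing in for behavioral monitoring, and the two mitigations (sanitizing the filename before it reaches a batch line, and refusing to whitelist when staging fails) are all assumptions made for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed guest environment; cmd.exe would expand %NAME% from the real VM environment.
GUEST_ENV = {
    "TEMP": r"C:\Users\analyst\AppData\Local\Temp",
    "ProgramFiles": r"C:\Program Files",
}
ENV_REF = re.compile(r"%([^%]+)%")
# Characters Windows rejects inside a single file-name component.
INVALID_NAME_CHARS = set('<>:"/\\|?*')


def expand_env(text: str, env: dict = GUEST_ENV) -> str:
    """Mimic cmd.exe's %NAME% expansion on a batch line; unknown names stay literal."""
    return ENV_REF.sub(lambda m: env.get(m.group(1), m.group(0)), text)


def sanitize_name(name: str) -> str:
    """Hypothetical fix 1: reduce the untrusted filename to a safe character set
    before it ever reaches a batch line, so nothing is left for cmd.exe to expand."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name) or "sample.bin"


def windows_copy_ok(name: str) -> bool:
    """Model of `copy malware.exe "%TEMP%\\<name>"`: the copy succeeds only if the
    expanded name is still a valid single path component."""
    return bool(name) and not (INVALID_NAME_CHARS & set(name))


@dataclass
class Sandbox:
    sanitize_names: bool   # hypothetical fix 1
    fail_closed: bool      # hypothetical fix 2: a failed run is an error, not a clean verdict
    whitelist: set = field(default_factory=set)   # MD5 hashes treated as already analyzed
    executed: list = field(default_factory=list)  # names actually run in the guest

    def submit(self, data: bytes, original_name: str) -> str:
        digest = hashlib.md5(data).hexdigest()
        if digest in self.whitelist:
            return "skipped-whitelisted"      # no dynamic analysis until the daily reset
        name = sanitize_name(original_name) if self.sanitize_names else original_name
        staged = expand_env(name)             # the unsanitized name is interpreted by cmd.exe
        if not windows_copy_ok(staged):
            if self.fail_closed:
                return "error-not-staged"     # hardened: nothing ran, so no verdict, no whitelist entry
            self.whitelist.add(digest)        # vulnerable: nothing ran, nothing observed, "benign"
            return "benign-whitelisted"
        self.executed.append(staged)
        verdict = "malicious" if b"EVIL" in data else "benign"   # stand-in for behavioral monitoring
        if verdict == "benign":
            self.whitelist.add(digest)
        return verdict


# Constructed stand-in for a malicious PE; only the marker matters to this model.
MALWARE = b"MZ\x90\x00 ... EVIL payload ..."


def demo(sanitize_names: bool, fail_closed: bool):
    """First submission carries an env-var reference in its name; the second reuses
    the same bytes under an innocuous name, as in the ZIP-then-reuse scenario above."""
    sb = Sandbox(sanitize_names, fail_closed)
    first = sb.submit(MALWARE, "invoice%ProgramFiles%.exe")   # expands to invoiceC:\Program Files.exe
    second = sb.submit(MALWARE, "invoice.exe")
    return first, second


if __name__ == "__main__":
    print("vulnerable      :", demo(False, False))   # ('benign-whitelisted', 'skipped-whitelisted')
    print("fail-closed only:", demo(False, True))    # ('error-not-staged', 'malicious')
    print("sanitized names :", demo(True, False))    # ('malicious', 'malicious')
```

The two switches are independent on purpose: sanitizing the name keeps untrusted input out of the command line, while failing closed ensures that a run which never happened cannot produce a benign verdict, let alone a whitelist entry that suppresses every later analysis of the same hash until the daily reset.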
FireEye patched the vulnerability with the release of FX 7.5.1, AX 7.7.0, NX 7.6.1 and EX 7.6.2.
“On September 30th, 2015 FireEye confirmed that Blue Frost Security had discovered an evasion technique impacting some of its products. FireEye takes the security of its products and its customers very seriously and hence updates fixing the evasion were released on October 5th and October 15th,” FireEye told SecurityWeek.
“We have not seen any active exploits of the evasion technique against customers, but highly urge customers to update to the latest FEOS as soon as possible to ensure they are secure. We greatly appreciate the innovative research that the security community brings us in order to protect our customers against advanced threats,” the company added.