Flaw Allowed Attackers to Bypass FireEye Detection Engine

Researchers at Germany-based Blue Frost Security discovered a high severity vulnerability in FireEye products that allowed malicious actors to bypass the company’s detection engine and temporarily whitelist malware.

The vulnerability was reported to FireEye in September 2015 and patched the following month through FireEye Operating System (FEOS) updates. In mid-January, however, FireEye asked Blue Frost to push its planned disclosure date back by 30 days because many customers had still not applied the updates.

The flaw is related to FireEye's Virtual Execution Engine (VXE), the component the company's products use to perform dynamic analysis on files. The list of affected products includes FireEye Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX).

When conducting analysis on a Windows machine, the engine copies the targeted binary into a virtual machine under the name "malware.exe." Before the file is analyzed, a batch script copies the binary to a temporary location and renames it to its original filename.

However, the researchers discovered that the original filename is not sanitized before it is placed into that batch script. A filename that embeds a reference to a Windows environment variable is therefore expanded by the command interpreter, so the name the script ends up using is not the one the attacker supplied but an invalid one.

The batch script would normally execute the file in the virtual machine and monitor it for malicious behavior. Because the expanded filename is invalid, the copy operation fails, the file is never executed, and the engine observes no malicious activity. The analysis fails open: a sample that could not be run is treated as if it had run cleanly.

If a file is marked as non-malicious, its MD5 hash is added to a list of binaries that have already been analyzed. Any later file whose MD5 matches an entry on this whitelist is not analyzed again until the next day, when the list is cleared. Since the whitelist is keyed on the hash alone, the filename used in the follow-up delivery no longer matters.

“This effectively allows an attacker to whitelist a binary once and then use it with an arbitrary file name in a following attack. The initial binary with the environment variable embedded in its filename could e.g. be hidden in a ZIP file together with several other benign files and sent to an unsuspicious email address,” Blue Frost Security said in its advisory. “Once this ZIP file was downloaded or sent via email a single time, the MD5 hash of the embedded malware would be whitelisted and the binary could then be used with an arbitrary file name without detection.”

FireEye patched the vulnerability with the release of FX 7.5.1, AX 7.7.0, NX 7.6.1 and EX 7.6.2.

“On September 30th, 2015 FireEye confirmed that Blue Frost Security had discovered an evasion technique impacting some of its products. FireEye takes the security of its products and its customers very seriously and hence updates fixing the evasion were released on October 5th and October 15th,” FireEye told SecurityWeek.

“We have not seen any active exploits of the evasion technique against customers, but highly urge customers to update to the latest FEOS as soon as possible to ensure they are secure. We greatly appreciate the innovative research that the security community brings us in order to protect our customers against advanced threats,” the company added.

Related: FireEye Patches Critical Flaw Found by Google Researchers

Related: Critical Flaw in FireEye Appliances Exploitable by Sending an Email

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.