SafeBreach catches 3 major vulnerabilities with Trend Micro, Autodesk and Kaspersky

The issues have been patched or solved but researchers say they represent a worrying step in how attackers can manipulate trusted security systems.


SafeBreach Labs discovered three vulnerabilities impacting Trend Micro Maximum Security software, Autodesk Desktop Application software and Kaspersky Secure Connection, a VPN client that is attached to Kaspersky Internet Security.

The vulnerabilities have been patched or solved by the companies, but SafeBreach's lead researcher, Peleg Hadar, said they represent a worrying step forward in how attackers can manipulate trusted security systems. Each one was discovered in July or August, and SafeBreach worked with the companies to resolve the bugs.

"All of them are similar, but the Trend Micro one and the Autodesk one are a bit more critical because in some situations, you don't need an administrator in order to trigger the vulnerability," Hadar said.

"The one that is the most critical among the three is the Trend Micro because it allows you to run malicious code within the process of the anti-virus itself, so you can basically bypass anything and you can just do malicious things and the anti-virus won't detect it."


Trend Micro Maximum Security is designed to protect devices against threats like ransomware, viruses, malware, spyware and more. But Hadar's research found that parts of the software could be manipulated and exploited because it runs as NT AUTHORITY\SYSTEM, the most privileged kind of user account.

With this, attackers can perform defense evasion and persistence and, in some cases, privilege escalation, gaining access with NT AUTHORITY\SYSTEM level privileges.

Because the service's executable is signed by Trend Micro, malicious code that the service is made to run executes under a trusted, signed process; this helps it evade detection and serves as an application whitelisting bypass.

"I don't think these have been exploited. I know that recently, a very similar vulnerability got exploited. This class of vulnerability needs to be mitigated," Hadar said. 

This flaw was found in Trend Micro Security 16.0.1221 and every version before that. A patched version has been released, and Trend Micro published a security advisory on Nov. 25.

In the advisory, officials say the vulnerability hasn't been exploited but "could allow an attacker to use a specific service as an execution and/or persistence mechanism which could execute a malicious program each time the service is started."
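The condition the advisory describes, a SYSTEM service that "could execute a malicious program each time the service is started", can be audited from the defender's side. The following PowerShell script is an added example written for this article; it is not SafeBreach's or any vendor's code and does not target the specific products named here. It lists every Windows service that runs as LocalSystem and flags those whose executable directory grants write access to low-privilege principals (the precondition for planting code that a signed service would load), and records the Authenticode status of each binary. The list of low-privilege SIDs and the write mask are assumptions chosen for the example.

```powershell
# Added example (not the vendors' or SafeBreach's code): read-only audit of services that run
# as NT AUTHORITY\SYSTEM and whose executable directory is writable by non-admin principals.
# Run from an elevated prompt so that every service's image path and ACL can be read.

# Assumed set of "low-privilege" principals; extend to match local policy.
$lowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545'  # BUILTIN\Users
)

# Any of these rights on the directory is enough to drop or replace a file there.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceImagePath {
    # Reduce a service PathName ("C:\x\svc.exe" /arg or C:\x\svc.exe /arg) to the executable.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+?\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

function Test-LowPrivWritable {
    # True when an Allow ACE for a low-privilege SID carries any right in $writeMask.
    param([string]$Directory)
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or untranslatable identity
        $granted = [int]($ace.FileSystemRights -band $writeMask)
        if ($lowPrivSids -contains $sid -and $granted -ne 0) { return $true }
    }
    return $false
}

$findings = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
    ForEach-Object {
        $exe = Get-ServiceImagePath $_.PathName
        $dir = Split-Path -Parent $exe
        $sig = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else { 'Missing' }
        [pscustomobject]@{
            Service              = $_.Name
            Exe                  = $exe
            Signature            = $sig
            DirWritableByLowPriv = Test-LowPrivWritable $dir
        }
    }

# Services whose signed, SYSTEM-level binary sits in a directory a normal user can write to
# are the ones to remediate (tighten the ACL or move the binary) and to watch in the SIEM.
$findings | Where-Object { $_.DirWritableByLowPriv } | Format-Table -AutoSize
```

A hit in this output is not proof of the bug described in the article, but it is the environment the vendor advisory warns about: a trusted service whose load directory an unprivileged account can modify. Pair the ACL fix with a detection rule for new files appearing under service directories.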

The flaw in the Autodesk Desktop Application software similarly involves abuse of NT AUTHORITY\SYSTEM. According to Hadar, the Autodesk desktop app is installed with Microsoft Windows-based Autodesk products from 2017 and later. The software is in charge of delivering product updates, new releases and security patches to subscribers.

It doesn't appear that Autodesk has released a security advisory, but officials told SafeBreach on Nov. 15 that they would send out an advisory by Nov. 26.

Hadar found the same vulnerability in Kaspersky Secure Connection; the company released a patch on Nov. 21 and sent out an advisory on Dec. 2.

"The most important fact about these ones is that these can allow an attacker to do stuff on behalf of the company that's within the software," Hadar said. "This is the most important thing. When an attacker gets access to one of these vulnerabilities, it allows them to operate under the software shell."

"If I'm an attacker, and I'm using the vulnerability of Kaspersky, once I'm doing it other software thinks that I'm Kaspersky, so I can just masquerade my malicious activity because the processes are signed," he added.
