Glass-Half-Empty, posted December 10, 2022

Is ESET antivirus, which is not specifically mentioned as having been tested, as having been found to be invulnerable, or as having been patched, vulnerable to the "Aikido Wiper", which uses a "follow the junction points" TOCTOU attack to allow deletion of arbitrary files by the antivirus software on behalf of an unprivileged user?

SafeBreach Labs Researcher Discovers Multiple Zero-Day Vulnerabilities in Leading Endpoint Detection and Response (EDR) and Antivirus (AV) Solutions
https://www.safebreach.com/resources/blog/safebreach-labs-researcher-discovers-multiple-zero-day-vulnerabilities/
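The defensive counterpart to the bug class asked about here, as an added example that is not code from this thread, from SafeBreach or from any vendor: a delete routine that refuses to traverse links, written for POSIX where a symlink stands in for a Windows junction (the Windows equivalent opens each component with FILE_FLAG_OPEN_REPARSE_POINT and deletes by handle). All directory and file names are constructed for the demo.

```python
import os
import stat
import tempfile

FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW  # never follow a link

def unlink_no_follow(root: str, rel_path: str) -> bool:
    """Delete root/rel_path without traversing any symlink. Each directory
    component is opened with O_NOFOLLOW relative to the previous handle and the
    final unlink uses that handle, so a component swapped for a link between
    check and use fails with ELOOP instead of redirecting the delete."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return False  # refuse empty paths and parent traversal outright
    try:
        dir_fd = os.open(root, FLAGS)
    except OSError:
        return False  # root is itself a link or not a directory
    try:
        for comp in parts[:-1]:
            nxt = os.open(comp, FLAGS, dir_fd=dir_fd)  # ELOOP if a link
            os.close(dir_fd)
            dir_fd = nxt
        st = os.stat(parts[-1], dir_fd=dir_fd, follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            return False  # refuse links, directories and devices
        os.unlink(parts[-1], dir_fd=dir_fd)
        return True
    except OSError:
        return False  # a component was a link, missing, or not a directory
    finally:
        os.close(dir_fd)

def demo() -> dict:
    """Constructed scenario: in a quarantine directory, 'sub' has been replaced
    by a link to a directory holding a file the attacker wants deleted."""
    base = tempfile.mkdtemp()
    protected, quarantine = os.path.join(base, "protected"), os.path.join(base, "quarantine")
    os.makedirs(protected)
    os.makedirs(quarantine)
    victim = os.path.join(protected, "driver.sys")
    open(victim, "w").close()
    open(os.path.join(quarantine, "eicar.com"), "w").close()
    os.symlink(protected, os.path.join(quarantine, "sub"))
    return {
        "legit_deleted": unlink_no_follow(quarantine, "eicar.com"),
        "via_link_refused": not unlink_no_follow(quarantine, "sub/driver.sys"),
        "victim_intact": os.path.exists(victim),
    }
```

A plain os.remove() on the same "sub/driver.sys" path would follow the link and remove the file outside the quarantine directory, which is exactly the redirection a privileged deleter must not perform.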
Nightowl, posted December 10, 2022

10 hours ago, Glass-Half-Empty said:
Is ESET antivirus, which is not specifically mentioned as having been tested, as having been found to be invulnerable, or as having been patched, vulnerable to the "Aikido Wiper", which uses a "follow the junction points" TOCTOU attack to allow deletion of arbitrary files by the antivirus software on behalf of an unprivileged user?
SafeBreach Labs Researcher Discovers Multiple Zero-Day Vulnerabilities in Leading Endpoint Detection and Response (EDR) and Antivirus (AV) Solutions
https://www.safebreach.com/resources/blog/safebreach-labs-researcher-discovers-multiple-zero-day-vulnerabilities/

According to the SecurityWeek website:

Quote:
Out of 11 security products that were tested, six were found vulnerable to this exploit. The security flaws were reported to the affected vendors and three CVE identifiers were issued: CVE-2022-37971 for Microsoft Defender and Defender for Endpoint, CVE-2022-45797 for Trend Micro Apex One, and CVE-2022-4173 for Avast and AVG Antivirus for Windows.

It seems that ESET isn't affected, but for an official answer it is better to wait for ESET staff.
itman, posted December 10, 2022

Of note is SafeBreach only tested the following security solutions:

The question needs to be addressed to SafeBreach why Eset, Kaspersky, Symantec, etc. were not tested. One possible explanation is they didn't give permission to be tested. Another explanation is they were tested but did not give permission to have the results made public. It is standard lab testing practice not to publicly disclose a vulnerability until the vendor has been notified and given the opportunity to provide a patch for it.

Edited December 10, 2022 by itman
itman, posted December 10, 2022

FYI, a PoC of this wiper is available on GitHub: https://github.com/SafeBreach-Labs/aikido_wiper

Quote:
Available on GitHub, the wiper contains exploits for the bugs impacting SentinelOne's EDR and Microsoft Defender and Defender for Endpoint. For Microsoft's products, however, only deletion of arbitrary directories is possible. The PoC wiper creates an EICAR file (instead of a real malicious file) that is deleted by the security solution, can delete system files like drivers, and, at system reboot, "fills up the disk to no space with random bytes a few times" to ensure that data is overwritten and wiped.

https://www.securityweek.com/vulnerabilities-allow-researcher-turn-security-products-wipers

Edited December 10, 2022 by itman