
Is ESET antivirus vulnerable to "Aikido Wiper" "follow Junction Points" TOCTOU attacks?



Is ESET antivirus, which is not specifically mentioned as having been tested or having been found to be invulnerable or having been patched, vulnerable to the "Aikido Wiper", which uses a "follow the Junction Points" TOCTOU attack to allow deletion of arbitrary files by the antivirus software by an unprivileged user?

 

SafeBreach Labs Researcher Discovers Multiple Zero-Day Vulnerabilities in Leading Endpoint Detection and Response (EDR) and Antivirus (AV) Solutions

https://www.safebreach.com/resources/blog/safebreach-labs-researcher-discovers-multiple-zero-day-vulnerabilities/


10 hours ago, Glass-Half-Empty said:

Is ESET antivirus, which is not specifically mentioned as having been tested or having been found to be invulnerable or having been patched, vulnerable to the "Aikido Wiper", which uses a "follow the Junction Points" TOCTOU attack to allow deletion of arbitrary files by the antivirus software by an unprivileged user?

 

SafeBreach Labs Researcher Discovers Multiple Zero-Day Vulnerabilities in Leading Endpoint Detection and Response (EDR) and Antivirus (AV) Solutions

https://www.safebreach.com/resources/blog/safebreach-labs-researcher-discovers-multiple-zero-day-vulnerabilities/

According to the SecurityWeek website:

Quote

Out of 11 security products that were tested, six were found vulnerable to this exploit. The security flaws were reported to the affected vendors and three CVE identifiers were issued: CVE-2022-37971 for Microsoft Defender and Defender for Endpoint, CVE-2022-45797 for Trend Micro Apex One, and CVE-2022-4173 for Avast and AVG Antivirus for Windows.

It seems that ESET isn't affected, but for an official answer it is better to wait for ESET staff.


Of note is that SafeBreach only tested the following security solutions:

[Image: Eset_Adiko.png, the list of security solutions tested by SafeBreach]

The question needs to be addressed to SafeBreach why Eset, Kaspersky, Symantec, etc. were not tested. One possible explanation is they didn't give permission to be tested. Another explanation is they were tested but did not give permission to have the results made public. It is standard lab testing practice not to publicly disclose a vulnerability until the vendor has been notified and given the opportunity to provide a patch for it.

Edited by itman

FYI - a P.O.C. of this wiper is available at Github: https://github.com/SafeBreach-Labs/aikido_wiper

Quote

Available on GitHub, the wiper contains exploits for the bugs impacting SentinelOne’s EDR and Microsoft Defender and Defender for Endpoint. For Microsoft’s products, however, only deletion of arbitrary directories is possible.

The PoC wiper creates an EICAR file (instead of a real malicious file) that is deleted by the security solution, can delete system files like drivers, and, at system reboot, “fills up the disk to no space with random bytes a few times” to ensure that data is overwritten and wiped.

https://www.securityweek.com/vulnerabilities-allow-researcher-turn-security-products-wipers

Edited by itman
