Tuesday, September 11, 2007

Example of Security Product Introducing Vulnerabilities

One of the reasons I blog is to record concrete events so I can more easily reference the exact details in the future. In Black Hat USA 2007 Round Up Part 2 I said:

Modern countermeasures applied to reduce vulnerability and/or exposure in many cases increase both vulnerability and exposure. This is certainly the case with so many agents (see Matasano is Right About Agents.)

Sometimes these vulnerabilities are present in the agent itself, such that the agent can be directly attacked. In other cases (like the one I cite today), the agent appears to re-introduce a vulnerability that the underlying system fixed years ago. From Haxdoors of the Kaspersky Antivirus 6/7:

Kaspesky [sic] and System Service Descriptor Table

Very long time is known that this is the weakest part of this antivirus. The weakest, because it contains number of elementary bugs.

Another example of poorly coded so-called Proactive Defense. On Windows XP Kaspersky AV adds additional services in SSDT table...

And now surprise. Any of this unknown SSDT entries can be EXPLOITED and can crash system into the BSOD even from Guest account with MINIMAL PRIVILEGES. We coded simple program. Its generates invalid system calls with invalid parameters for these unknown SSDT entries. The code is very simple but efficient. Using the same on clean Windows will lead to nothing, because Windows handles such situation in the right manner.
(emphasis added)

Please excuse the English; the speaker is Russian. (How is your Russian?)

In other words, normal Windows without Kaspersky is immune. Windows plus Kaspersky (supposedly equalling "defense in depth") is vulnerable.

Please remember this whenever you write (horror) or read a policy that requires anti-virus on all systems, regardless of the cost-benefit equation.

25 comments:

joanna said...

I couldn't agree more! The industry should eventually learn not to build security on tricks and hacks!

Chris Rohlf said...

I disagree (partly). Of course additional software has the possibility to open you up to further vulnerability. However you shouldn't blame policy makers who 'require AV on all hosts' for example. Kaspersky (and most other AV) protect against far many more threats than risks they introduce. If you truly believe the opposite, then lets remove IDS from the network as well because packet dissectors are notorious for introducing vulnerability that wasn't there before.

Anonymous said...

Richard,

Great point and great example.

-Ryan Heffernan

Anonymous said...

i couldn't care less, it's just as chris mentioned, you can remove all security products from your network, and "secure it ?!"

and richard, you lock your house or car when you're away at work ? why do that, since the lock can secure your car, or maybe not ?

Joe said...

@Chris

CISP requires AV agents without allowing compensating controls. You are required to install AV software in order to process CC transactions. That is unreasonable.

@Richard

Take a look at Symantec's AV vulnerabilities for 2007. That's scary. 21 this year. I mention them because I think they are more widely used.

Anonymous said...

so today (on my day off) i woke up, read a blog and realized its time to walk back to work with a smile on my face.^^
my colleagues will smile too - till they hear the reason for my happyness...
honestly i like my work cause it never gets boring. you expect sth like this every day and (try to) prepare for these thigs -yet you hope its not gonna be you tomorrow.
well today it is me... and it will be my contacts at kav-support :-)

Anonymous said...

I don't mind the policy (of requiring an av solution) so much. What I hate is when the policy maker enforces a particular brand on me and refuses to listen when I report serious deficiences. I've lost count of the number of infections I've had to clean up because it's so trivially easy for end users to disable McAfee Virus Scan Enterprise.

Richard Bejtlich said...

Car-locking anonymous,

If using the lock on my car made the doors disappear, I wouldn't lock my car.

Anonymous said...

Chris, you say you disagree but then point out that, in whatever specific case you're thinking of, anti-virus has more benefits than costs. That is Richard's whole point. Just saying, "We require anti-virus on all systems" is not smart. As long as nobody is reading email or browsing the web from a server, how often will the benefits of anti-virus outweigh the risk?

Every type of system and sometimes even individual systems need to have separate cost-benefit analysis. From your statement, you did make some kind of cost-benefit analysis in your head. What if policy required you to do the opposite of the actions the cost-benefit analysis supported?

Anonymous said...

Ha ha ha. Such 'vulnerabilities' have already been published, and they show nothing but a desire to make a boo for a successful vendor. I would advise you developing your own security solution that detects proactively about 90% of contemporary malware, without modifying SSDT. It's a good idea to not criticise if you cannot do better.

Chris Rohlf said...

Allow me to clarify my earlier statement. Richard is very pro-NIDS, and would probably recommend you roll out IDS on your network if you want to detect attacks and monitor your network (correct me if I'm wrong Richard). However packet dissectors (tcpdump, wireshark, snort etc...) have all been the source of many vulnerabilities. And perhaps put you at greater risk then an AV because they process ALL network traffic regardless. So should we remove NIDS as well? And then blame Richard for putting us at greater risk?

And to the poster who said Symantec had 21 vulnerabilities this year alone. Which product? You do know Symantec makes more then one AV product right?

http://secunia.com/product/659/?task=advisories Symantec Corporate AV version 8, 6 vulns this year, two are DOS only. Same goes for v9 and 10, only a couple, and some are just DOS.

It does become a risk vs benefit analysis. In my mind, AV is worth it, but you should never sleep at night simply *because* you run AV. (No, I don't work for an AV vendor).

Richard Bejtlich said...

ha ha ha anonymous,

I am not trying to criticize Kaspersky specifically. I am critical of policies which dictate anti-virus everywhere, assuming that "more is better" and that there is no cost for adding yet more code in pursuit of "defense in depth." I wrote this post to log a concrete example of how blindly requiring anti-virus or other countermeasures can have unintended consequences.

Chris Rohlf said...

"I wrote this post to log a concrete example of how blindly requiring anti-virus or other countermeasures can have unintended consequences."

To that point I will agree. But I still think the same goes for NIDS and any other 'security' technology. Specifically singling out just AV isnt very fair.

Richard Bejtlich said...

Hi Chris,

I see your point. If someone wrote a policy requiring HIPS or HIDS on all hosts I would have similar reservations.

I also do not know of any policies which require network traffic inspection ("IDS", etc.) or collection ("network forensics", etc.).

If a requirement for a passive network inspection or collection product did exist, I would support and encourage it. Why? See my next post for reasons. This comment is getting too long!

Anonymous said...

its also lame that the "SSDT table" modifications aren't cleaned up if you go and remove Kaspersky AV, you need to run an additional Kaspersky tool to clean it up.

Anonymous said...

This whole argument is flawed. You're already running anti-virus because of continual flaws and exploits in Windows (and users). It seems perfectly reasonable to require anti-virus on computer that are vulnerable to viruses (ex: Windows PC using web, email, usb). If your computer is locked down by other means, or running something not susceptable to significant viruses, it seems like the policy should take that into account.

Anonymous said...

nothing in this world is simple. Kav is something that i have run on my machines for many years, with great success. But thats not to say that i only rely on kaspersky. I am a firm believer that every AV product does something a little different to the last and as such will detect things that some of the others might not. Its like any software package you buy, not all packages will be suitable for every user.

I have had friends that have run various AV's in the past and all ended up in trouble one way or another. for example one friends running Norton system works had 98 virus on her system not detected. another running pc-cillin 164 viruses. All detected and corrected by using Kaspersky. But whose to say that these people didnt allow these viruses into their system by misuse of their AV. From where i stand no AV product is the total security answer, and as long as we understand that then we are better off. Whilst I understand this article was intended to highlight issues associated with the installation of AV's and the added risks associated with that, the article has quite blantantly been point at one product only. If you have an issue with a product or a company then maybe you should take it up with them. From a security point of view whilst the article is informative about the use of ssdt, you could have done the same article without mentioning any particular brand or product. From what i can see all you have done is not only pick on a particular product, but have also given information to the very people that AV's try to protect us from. Perhaps next time you will consider the total ramifications, before announcing to the world of crooks and criminals the way to hack or defeat a system.

Richard Bejtlich said...

Anonymous, you said:

"all you have done is not only pick on a particular product, but have also given information to the very people that AV's try to protect us from. Perhaps next time you will consider the total ramifications, before announcing to the world of crooks and criminals the way to hack or defeat a system."

If you think this blog post amounts to any kind of "announcement" to anyone with malicious intentions, you should stick your head back in the sand, where the world must seem a lot safer.

/nul said...

Sure, it's not only Kaspersky that implements SSDT hooks in improper way:

Matousec BSODhook

art said...
This comment has been removed by a blog administrator.
truck tires said...
This comment has been removed by a blog administrator.
black mold said...
This comment has been removed by a blog administrator.
Bonobo said...
This comment has been removed by a blog administrator.
Shobhit said...
This comment has been removed by a blog administrator.
dghnfgj said...
This comment has been removed by a blog administrator.