Example of Security Product Introducing Vulnerabilities

One of the reasons I blog is to record concrete events so I can more easily reference the exact details in the future. In Black Hat USA 2007 Round Up Part 2 I said:

Modern countermeasures applied to reduce vulnerability and/or exposure in many cases increase both vulnerability and exposure. This is certainly the case with so many agents (see Matasano is Right About Agents.)

Sometimes these vulnerabilities are present in the agent itself, such that the agent can be directly attacked. In other cases (like the one I cite today), the agent appears to re-introduce a vulnerability that the underlying system fixed years ago. From Haxdoors of the Kaspersky Antivirus 6/7:

Kaspesky [sic] and System Service Descriptor Table

Very long time is known that this is the weakest part of this antivirus. The weakest, because it contains number of elementary bugs.

Another example of poorly coded so-called Proactive Defense. On Windows XP Kaspersky AV adds additional services in SSDT table...

And now surprise. Any of this unknown SSDT entries can be EXPLOITED and can crash system into the BSOD even from Guest account with MINIMAL PRIVILEGES. We coded simple program. Its generates invalid system calls with invalid parameters for these unknown SSDT entries. The code is very simple but efficient. Using the same on clean Windows will lead to nothing, because Windows handles such situation in the right manner. (emphasis added)

Please excuse the English; the speaker is Russian. (How is your Russian?)

In other words, normal Windows without Kaspersky is immune. Windows plus Kaspersky (supposedly equalling "defense in depth") is vulnerable.

Please remember this whenever you write (horror) or read a policy that requires anti-virus on all systems, regardless of the cost-benefit equation.

Comments

Joanna Rutkowska said…
I couldn't agree more! The industry should eventually learn not to build security on tricks and hacks!
5:07 PM
Chris Rohlf said…
I disagree (partly). Of course additional software has the possibility to open you up to further vulnerability. However you shouldn't blame policy makers who 'require AV on all hosts' for example. Kaspersky (and most other AV) protect against far many more threats than risks they introduce. If you truly believe the opposite, then lets remove IDS from the network as well because packet dissectors are notorious for introducing vulnerability that wasn't there before.
5:29 PM
Anonymous said…
Richard,

Great point and great example.

-Ryan Heffernan
8:37 PM
Anonymous said…
i couldn't care less, it's just as chris mentioned, you can remove all security products from your network, and "secure it ?!"

and richard, you lock your house or car when you're away at work ? why do that, since the lock can secure your car, or maybe not ?
1:12 AM
Joe said…
@Chris

CISP requires AV agents without allowing compensating controls. You are required to install AV software in order to process CC transactions. That is unreasonable.

@Richard

Take a look at Symantec's AV vulnerabilities for 2007. That's scary. 21 this year. I mention them because I think they are more widely used.
2:12 AM
Anonymous said…
so today (on my day off) i woke up, read a blog and realized its time to walk back to work with a smile on my face.^^
my colleagues will smile too - till they hear the reason for my happyness...
honestly i like my work cause it never gets boring. you expect sth like this every day and (try to) prepare for these thigs -yet you hope its not gonna be you tomorrow.
well today it is me... and it will be my contacts at kav-support :-)
4:53 AM
Anonymous said…
I don't mind the policy (of requiring an av solution) so much. What I hate is when the policy maker enforces a particular brand on me and refuses to listen when I report serious deficiences. I've lost count of the number of infections I've had to clean up because it's so trivially easy for end users to disable McAfee Virus Scan Enterprise.
5:25 AM
Richard Bejtlich said…
Car-locking anonymous,

If using the lock on my car made the doors disappear, I wouldn't lock my car.
6:32 AM
Anonymous said…
Chris, you say you disagree but then point out that, in whatever specific case you're thinking of, anti-virus has more benefits than costs. That is Richard's whole point. Just saying, "We require anti-virus on all systems" is not smart. As long as nobody is reading email or browsing the web from a server, how often will the benefits of anti-virus outweigh the risk?

Every type of system and sometimes even individual systems need to have separate cost-benefit analysis. From your statement, you did make some kind of cost-benefit analysis in your head. What if policy required you to do the opposite of the actions the cost-benefit analysis supported?
6:42 AM
Anonymous said…
Ha ha ha. Such 'vulnerabilities' have already been published, and they show nothing but a desire to make a boo for a successful vendor. I would advise you developing your own security solution that detects proactively about 90% of contemporary malware, without modifying SSDT. It's a good idea to not criticise if you cannot do better.
7:41 AM
Chris Rohlf said…
Allow me to clarify my earlier statement. Richard is very pro-NIDS, and would probably recommend you roll out IDS on your network if you want to detect attacks and monitor your network (correct me if I'm wrong Richard). However packet dissectors (tcpdump, wireshark, snort etc...) have all been the source of many vulnerabilities. And perhaps put you at greater risk then an AV because they process ALL network traffic regardless. So should we remove NIDS as well? And then blame Richard for putting us at greater risk?

And to the poster who said Symantec had 21 vulnerabilities this year alone. Which product? You do know Symantec makes more then one AV product right?

http://secunia.com/product/659/?task=advisories Symantec Corporate AV version 8, 6 vulns this year, two are DOS only. Same goes for v9 and 10, only a couple, and some are just DOS.

It does become a risk vs benefit analysis. In my mind, AV is worth it, but you should never sleep at night simply *because* you run AV. (No, I don't work for an AV vendor).
7:52 AM
Richard Bejtlich said…
ha ha ha anonymous,

I am not trying to criticize Kaspersky specifically. I am critical of policies which dictate anti-virus everywhere, assuming that "more is better" and that there is no cost for adding yet more code in pursuit of "defense in depth." I wrote this post to log a concrete example of how blindly requiring anti-virus or other countermeasures can have unintended consequences.
10:34 AM
Chris Rohlf said…
"I wrote this post to log a concrete example of how blindly requiring anti-virus or other countermeasures can have unintended consequences."

To that point I will agree. But I still think the same goes for NIDS and any other 'security' technology. Specifically singling out just AV isnt very fair.
10:47 AM
Richard Bejtlich said…
Hi Chris,

I see your point. If someone wrote a policy requiring HIPS or HIDS on all hosts I would have similar reservations.

I also do not know of any policies which require network traffic inspection ("IDS", etc.) or collection ("network forensics", etc.).

If a requirement for a passive network inspection or collection product did exist, I would support and encourage it. Why? See my next post for reasons. This comment is getting too long!
10:55 AM
Anonymous said…
its also lame that the "SSDT table" modifications aren't cleaned up if you go and remove Kaspersky AV, you need to run an additional Kaspersky tool to clean it up.
12:11 PM
Anonymous said…
This whole argument is flawed. You're already running anti-virus because of continual flaws and exploits in Windows (and users). It seems perfectly reasonable to require anti-virus on computer that are vulnerable to viruses (ex: Windows PC using web, email, usb). If your computer is locked down by other means, or running something not susceptable to significant viruses, it seems like the policy should take that into account.
12:34 PM
Anonymous said…
nothing in this world is simple. Kav is something that i have run on my machines for many years, with great success. But thats not to say that i only rely on kaspersky. I am a firm believer that every AV product does something a little different to the last and as such will detect things that some of the others might not. Its like any software package you buy, not all packages will be suitable for every user.

I have had friends that have run various AV's in the past and all ended up in trouble one way or another. for example one friends running Norton system works had 98 virus on her system not detected. another running pc-cillin 164 viruses. All detected and corrected by using Kaspersky. But whose to say that these people didnt allow these viruses into their system by misuse of their AV. From where i stand no AV product is the total security answer, and as long as we understand that then we are better off. Whilst I understand this article was intended to highlight issues associated with the installation of AV's and the added risks associated with that, the article has quite blantantly been point at one product only. If you have an issue with a product or a company then maybe you should take it up with them. From a security point of view whilst the article is informative about the use of ssdt, you could have done the same article without mentioning any particular brand or product. From what i can see all you have done is not only pick on a particular product, but have also given information to the very people that AV's try to protect us from. Perhaps next time you will consider the total ramifications, before announcing to the world of crooks and criminals the way to hack or defeat a system.
11:45 PM
Richard Bejtlich said…
Anonymous, you said:

"all you have done is not only pick on a particular product, but have also given information to the very people that AV's try to protect us from. Perhaps next time you will consider the total ramifications, before announcing to the world of crooks and criminals the way to hack or defeat a system."

If you think this blog post amounts to any kind of "announcement" to anyone with malicious intentions, you should stick your head back in the sand, where the world must seem a lot safer.
7:31 AM
Anonymous said…
Sure, it's not only Kaspersky that implements SSDT hooks in improper way:

Matousec BSODhook
6:13 PM
Anonymous said…
This comment has been removed by a blog administrator.
8:33 AM
Anonymous said…
This comment has been removed by a blog administrator.
5:49 AM
Anonymous said…
This comment has been removed by a blog administrator.
6:10 PM
Bonobo said…
This comment has been removed by a blog administrator.
3:48 AM
webmaster said…
This comment has been removed by a blog administrator.
2:52 AM
Anonymous said…
This comment has been removed by a blog administrator.
3:47 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more