
Researchers claim Windows Defender can be fooled into deleting databases

  • April 22, 2024
  • 0 replies
  • 5 views

TripleHelix
Moderator

Two rounds of reports and patches may not have completely closed this hole


BLACK HAT ASIA Researchers at US/Israeli infosec outfit SafeBreach last Friday discussed flaws in Microsoft and Kaspersky security products that can potentially allow the remote deletion of files. And, they asserted, the hole could remain exploitable – even after both vendors claim to have patched the problem.

Speaking at the Black Hat Asia conference in Singapore, SafeBreach's VP of Security Research Tomer Bar and security researcher Shmuel Cohen explained that Microsoft Defender and Kaspersky's Endpoint Detection and Response (EDR) can be made to detect false positive indicators of malicious files – and then to delete them.

The attack relies on the fact that Microsoft and Kaspersky use byte signatures – unique sequences of bytes in file headers – to detect malware.

"Our goal was to confuse EDR by implanting malware signatures into legit files and make them think it's malicious," explained the researchers in their Black Hat presentation.


To achieve this, Bar and Cohen first found a byte signature associated with malware on the platform VirusTotal, then inserted it into a database – by doing things like creating a new user with a name that includes the signature.

The EDR program then deemed the database storing the signature to be infected by malware.

If EDR is set to delete infected files, it will do so. The pair argued that databases or virtual machines could therefore be deleted remotely.

At this point, readers might think this technique is nice in theory, but would require access to files.

The researchers point out such access is easy: registering as a new user on a website, and using a name that contains a byte signature, could see an EDR perceive a database as dangerous. So could using a byte signature in a comment on a video.

Whatever technique is used to get the signature into a file, if EDR deletes it then applications that rely on its presence will fail.
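The article does not describe how defenders should respond; the following is an added example (not from the article, SafeBreach or Microsoft) of how a Windows administrator could reduce the blast radius of exactly this false-positive scenario on a host that stores database files under Microsoft Defender. It assumes a hypothetical data directory `D:\Data\MyApp` and SQL Server style `.mdf`/`.ldf` file extensions; both are constructed placeholders, and the session must be elevated.

```powershell
# Added example, not part of the original article. Assumptions (constructed):
# database files live under D:\Data\MyApp with .mdf / .ldf extensions.
# Run in an elevated PowerShell session on the database host.

$dbPaths      = @('D:\Data\MyApp')   # hypothetical data directory
$dbExtensions = @('.mdf', '.ldf')    # hypothetical data file extensions

# 1. Exclude the database storage from real-time scanning, so a malware byte
#    signature that an attacker manages to plant inside a data file (e.g. via a
#    user name or comment) cannot trigger automatic remediation of that file.
foreach ($p in $dbPaths)      { Add-MpPreference -ExclusionPath $p }
foreach ($e in $dbExtensions) { Add-MpPreference -ExclusionExtension $e }

# 2. Verify the exclusions actually took effect on this host.
$pref = Get-MpPreference
"Excluded paths:      " + ($pref.ExclusionPath -join ', ')
"Excluded extensions: " + ($pref.ExclusionExtension -join ', ')

# 3. Audit: list recent Defender detections whose affected resources fall under
#    the database directories, newest first. A hit here means a data file was
#    flagged, which should be investigated before dependent services fail.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape('D:\Data\MyApp') } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Sort-Object InitialDetectionTime -Descending
```

The exclusion trades scanning coverage of the data directory for protection against the deletion described above, so it belongs only on paths that hold structured data the application itself controls, and it does nothing for the backups the article says are the only way to recover; the detection audit in step 3 is what tells an operator that a data file was flagged at all, which is the signal to restore from backup and review what reached the database.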

"You have a service that is trying to access the database. The database file is gone, because we inserted the malicious signature. So the service cannot start up," Cohen explained.

The researchers found that file deletion by EDR was irreversible from within the security tools: restoring the data meant reverting to backups.

The implications of this scenario are unknown, because the researchers were scared of some of the potential outcomes associated with testing vulnerabilities.

"We thought: 'All Azure clouds are run with Microsoft products and Defender exists on Azure'," Cohen mused. "We really thought that we can attack Azure cloud with this attack, but we were really scared to try it because we don't know the implication. We could really destroy a production database all over the world, and this could be irreversible. So we were really scared to try to do it ourselves."

SafeBreach therefore reported its findings to Microsoft in January 2023, and in April of that year CVE-2023-24860 and a patch were issued.
