Press Release: ILLUMANT Discovers Critical “OwnDigo” Vulnerability in Anti-Virus Software

FOR IMMEDIATE RELEASE

PALO ALTO, Calif., Jan. 24, 2019 /PRNewswire/ — ILLUMANT, a penetration testing and security assessment firm, today announced the discovery of a critical vulnerability in firewall maker Check Point’s anti-virus software (ZoneAlarm). The vulnerability is due to insecure implementation of services developed using Windows Communication Foundation or “WCF.” If exploited, it allows a malicious user with low-privilege access to escalate privileges to SYSTEM level (the highest Windows privilege level). Illumant is calling this bug class “OwnDigo,” a twist on the name “Indigo” — the former codename of WCF. The vulnerability is exploitable with the anti-virus software enabled.

WCF and Self-Signed Code in the Spotlight

The vulnerability targets a .NET service in ZoneAlarm that runs as SYSTEM (the highest privilege level in Windows) and uses WCF to handle inter-process communication. The application relies on code signing to validate that code is legitimate and trusted before it is run. However, this measure is inherently flawed, because on Windows it is trivial for a low-privilege user to trust self-signed certificates and bypass these validation checks. As a result, it is possible to create exploit code that communicates with the vulnerable ZoneAlarm service endpoint to run arbitrary code as SYSTEM, resulting in local escalation of privileges and full compromise of the system.

Exploit Targets Software Designed to Protect

ZoneAlarm anti-virus, like other anti-virus software, is designed to protect users and their computers from dangerous malware and breaches. This vulnerability, however, demonstrates the risk that anti-virus software can pose to system security. Anti-virus software must run at the highest privilege level to effectively protect systems against malware. Hence vulnerabilities in this software can be extremely dangerous.

The risks anti-virus products pose have been identified previously. In 2016, Google researcher Tavis Ormandy announced numerous critical vulnerabilities in Symantec’s suite of anti-virus products. This vulnerability demonstrates once again that security software vendors must be diligent about the security of their own products and applications.

“This is a stark reminder to the security software industry,” said ILLUMANT co-founder Matija Siljak. “Security software manufacturers need to pay extra attention to the security of their own software lest their products become the vulnerability that allows for the propagation of cyber-attacks rather than the defense against them.”

Latest Example from a New Class of Vulnerabilities

This ZoneAlarm issue is the latest in a lesser-known class of vulnerability that exposes the WCF attack surface. Illumant has coined the term “OwnDigo” to describe this vulnerability class.

“In this case, we’ve exploited services in ZoneAlarm,” said Chris Anastasio, Senior Security Analyst at ILLUMANT. “But the methodology is applicable to many other programs. WCF is widely used in .NET applications, and initial research indicates that many other implementations are not adequately secured. In fact, other researchers have recently published similar vulnerabilities, and we have identified a few more of our own.”

How to Protect Yourself

ILLUMANT coordinated the timing of this press release with Check Point to ensure that a patch for this vulnerability was already published. ZoneAlarm users should ensure their anti-virus software is up-to-date.

Other software publishers should assess their own applications and implementations of WCF to ensure their software is not vulnerable.

Responsive Vendor

ILLUMANT credits Check Point for being extremely responsive during the vulnerability disclosure process, taking security issues seriously, making bug reporting simple (through a form on their website) and quickly developing a fix for this bug to protect their customers.

Read the full report on this vulnerability and the OwnDigo class of vulnerabilities.

About ILLUMANT

ILLUMANT provides network- and application-level vulnerability research, penetration testing and security assessments, as well as awareness training and security compliance services to companies of all sizes and verticals, including Fortune 500 companies, universities, health care providers, government institutions, startups and many others. Leveraging strategic and tactical risk management and information security expertise, Illumant partners with its clients to help them improve security, limit exposure, and achieve compliance and training objectives. ILLUMANT is a privately held company and headquartered in Palo Alto, California.