Assigned Critical vulnerability in Zemana 2.0 products and not only

This thread is being handled by a member of the staff.

military

Level 4
Thread author
Verified
Well-known
Aug 13, 2012
186
  1. My english is bad. 1.2 Article in russian, and the link goes through an online translator.
  2. At the end of the article there is a response from the developer. But my goal is to create this topic - I want a more detailed explanation from the developer. I do not really believe in the complexity of solving the problem due to the large number of rebranding partners.
  3. I like the ZA and I will continue to use it. But true only with 3 beta versions.


Article from Google Translate:
It is no secret to anyone that installing an anti-virus product could open up additional attack vectors, but I was very surprised that the search and exploitation of similar vulnerabilities in some products even in 2018 is not a problem.

3avop2ymcnmsrbb2pd3q4_hq5ic.png

Woops
The discovered vulnerability is contained in the procedure for updating the antivirus product. Update configuration files are transmitted over the usual http connection and can be read by a person (which is not a vulnerability). The responses from the company's servers have found links to update files that the antivirus executes when a new version is detected.

rjoaadv6l3o3lqb0ksxohy6ffty.png

Update url

Very surprising is the fact that even a simple substitution of the URL file on the third-party led to a strangewarning antivirus.

g6cpnkgt1at2wkjxtwepucjcsx0.png

Do you want to execute any file with system rights?

If the user, without noticing the trick, agreed, then the antivirus downloaded the third-party file on the computer and performed it with the SYSTEM privileges. And it could be not necessarily a user with administrator privileges.
However, navryatli who in their right mind would agree to install such an "update". Let's look at the possibility of bypassing this notification. All update files are digitally signed and must be verified before execution. Let's look at the “ZmnAppUpdater” function and see an interesting section of the place where the “SignatureChecker” function is called in the ZAM.exe file

1wd_wanykybzj-kuewh0kvhrac0.png

Missed check

This function should verify the digital signature of the exe file and return the verification result code. However, in the “ZmnAppUpdater” function, the authors forgot to do this (the result is EAX = 0x80096010 (TRUST_E_BAD_DIGEST)). Thus, it is possible to execute arbitrary code on a remote system with SYSTEM rights without user interaction just by running the man in the middle attack. We clone the Security directory of the original update file into a fake update file and do not care that the digital signature cannot be verified by the operating system. The Anti-Virus only checks for whose name the certificate is issued, but not its integrity.

Vulnerability with identifier CVE-2019-6440 has been fixed since versions 3.x (beta).

I will note one more interesting moment . It has been about a year since the transfer of information about the vulnerability to its actual correction (starting with versions 3x). Vulnerability is present in all products of the company, however , it was decided to postpone the release of the emergency patch until the release of the new major version. Representatives of the company said that the vulnerability is quite difficult to detect, in the development of a new major version and the company does not plan to release patches, as it has more than 20 rebranding partners. Of course, vulnerability is present in all products of partner companies . Moreover, the company, aware of the presence of a vulnerability, continues to actively promote versions with vulnerable code so far.
It would seem that a company engaged in information security should have released updates as soon as possible, however this is not the case and the safety of clients is not very worried about it.

Link: Google Переводчик
Original: Критическая уязвимость в продуктах компании Zemana и не только
 

boombastik

Level 2
Verified
Dec 17, 2018
98
I am a simple user but with my little knowledge the problem is that the version 2 created by another team and i think that they preferred to not alter it but to create a version 3 from scratch because i think that they don't know all the details from 2.
Second The above vulnerability works but as i can understand it, the attacker can attack only one machine at a time.

More details:
-https://nvd.nist.gov/vuln/detail/CVE-2019-6440

Also if the re brands want to stay secure as i understand it they must buy the version 3 from zemana.
 
Last edited:

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
And there is this about its cloud vulnerability, or potential:

Edit: I can't speak to all the implications of this, but I would hold off on the fork :LOL: , and give them a chance to bring the whole product line back to its former glory. Thieir will seems to be there, from recent developments, so I'll wait to make an overall judgement.
 
Last edited:

Burrito

Level 24
Verified
Top Poster
Well-known
May 16, 2018
1,363
I don't use... and I don't plan to use Zemana -- I'm not a fanboy at all.

And.... This is probably no big deal at all.

Many top tier products have had repeated discoveries of vulnerabilities. This is very common.

Security software design and programming is a tricky business.

How they react and fix (or not) and how many additional issues are discovered are the things to watch.

This is just a bump in the road on their comeback.

Hopefully.
 

notabot

Level 15
Verified
Oct 31, 2018
703
I don't use... and I don't plan to use Zemana -- I'm not a fanboy at all.

And.... This is probably no big deal at all.

Many top tier products have had repeated discoveries of vulnerabilities. This is very common.

Security software design and programming is a tricky business.

How they react and fix (or not) and how many additional issues are discovered are the things to watch.

This is just a bump in the road on their comeback.

Hopefully.

Indeed but asking if it’s worth expanding the attack surface with security software that operates in kernel land. If it has needed features not available with native mechanisms or it’s user space software or simply provides a convenient configuration the answer can be a yay - but then scrutinizing the vendor for frequency of updates, responsiveness, bug bounty programs etc makes sense
 

military

Level 4
Thread author
Verified
Well-known
Aug 13, 2012
186
Update Logic Mishandle in Zemana AntiMalware 2.0: Fixed

Yes, it is true we that there was a critical vulnerability discovered in ZAM 2.0 update integrity check. Some of you probably read about it in one of the threads on Malware Tips or other websites.
However, keep in mind that this vulnerability is not and never was present in our Zemana AntiMalware 3.0 Beta version.
In this blog post, we want to share with you the resolution to this concern. Yesterday, we fixed the issue and released a new update of ZAM 2.0, where we successfully fixed the update logic mishandle.
In the text below, you can find more information.
Update Integrity Check Vulnerability
A remote code execution vulnerability has been discovered related to update file integrity check. This vulnerability, caused by mishandling update logic, resulted in Zemana AntiMalware version 2.74.2.150 providing a weaker security than expected.
It allowed man-in-the-middle attackers to execute arbitrary code by spoofing the update server and uploading an executable. Due to this flaw, a remote attacker (only on the same network) could launch further attacks on the system by bypassing applications update file integrity check and executing any file with system rights.
This vulnerability has been assigned the CVE identifier CVE-2019-6440
ZAM 2.0 New Update
Some of you are probably still concerned or wondering if the vulnerability still exists, but we assure you there is no need to worry because we successfully fixed it.
In order to resolve the issue and improve our product, we released a new update of Zemana AntiMalware 2.0, which includes fixes for this vulnerability.
You can download it here.
What About ZAM 3.0?
As mentioned above, there never was an update logic mishandle or any critical vulnerabilities in our latest Zemana AntiMalware 3.0 Beta version. You can check out our release notes here and see what’s new in ZAM 3.0.
If you have any questions or concerns related to this vulnerability or anything else, know that you can always contact us at: support@zemana.com. Our team members will be happy to talk to you and help you out.



Perfectly. Thanks for the fix...
 

boombastik

Level 2
Verified
Dec 17, 2018
98
This version have the same bug like the last beta for version 2 that never released.
It makes a quick scan at system startup even if i have scheduled scan disabled..
 
  • Like
Reactions: oldschool

boombastik

Level 2
Verified
Dec 17, 2018
98
Install 2.74.2.664 version restart your machine and after 15 second open the zemana anti malware. You will see that it makes a quick scan even thought the scan schedule is disabled.
Can anyone see this in his/her pc?
 
  • Like
Reactions: oldschool

Miss Onnellisuus

From Zemana
Verified
Developer
Dec 12, 2018
60
@ZAM3_PO take a look at this. I installed in a second machine and it makes the same.

Hello @boombastik thank you for the feedback, we are checking this and we will let you know when we have more information about it. For now you can disable this behavior by activating scheduled scan and setting date and time to a period when you are not using your PC.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top