Flaws in Kaspersky FireEye products
On September 5, 2015 Tavis Ormandy, a security researcher and Google employee, in a controversial fashion, tweeted that he’d found a major zero-interaction flaw in the Kaspersky Antivirus, according to International Business Times (IBTimes). He posted this publicly, vice going to Kaspersky first, a practice highly frowned upon by others in the cyber security community, including Graham Cluley and others. Despite this, Kaspersky is already reporting to have this nearly remediated across the board, less than 24 hours later, per PC World. Ormandy’s tweet is below:
With regards to the flaw in Kaspersky, it is only known to be in the Antivirus software at this time. Per Computer Weekly, “‘We’re improving our mitigation strategies to prevent exploiting of inherent imperfections of our software in the future,’ Kaspersky Lab said in a statement. ‘For instance, we already use such technologies as Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP),’ the company said.”
As of about 10 AM 7 September 2015, PC World is reporting that Kaspersky has pushed an emergency patch.
In a scenario similar to that of Kaspersky, several zero-day flaws were found in FireEye’s (a Next Generation Firewall provider, owned by Mandiant) PHP coding that can inadvertently disclose sensitive information. Per CSO Online, “As proof, he also posted a brief example of how to trigger the vulnerability and a copy of the /etc/passwd file. What’s more, he claims to have three other vulnerabilities, and says they’re for sale. Based on the published information on Exploit-DB and Pastebin, the basic setup of the compromised appliance is exactly what you’d expect it to be; the box has Apache, pushing PHP, running as root. The other listed services are also expected on a forward facing Web-appliance, including SSH and FTP. However, the disclosed flaw looks to be centered in a PHP script on the FireEye appliance itself.” Kristian Erik Hermansen tweeted the following:
Foremost, according to Graham Cluley, it appears as if the exploits for FireEye are already for sale, which is not a good sign. It is unclear as to what FireEye appliances are impacted at this time. It is a safe assumption that all are impacted until a more formal statement is released.
Here is FireEye’s statement to SaltedHash (published by CSO Online) “FireEye has sent a brief statement to SaltedHash.
‘This morning, FireEye learned of four potential security issues in our products from Kristian Hermansen’s public disclosure of them being available for purchase.
We appreciate the efforts of security researchers like Kristian Hermansen and Ron Perris to find potential security issues and help us improve our products, but always encourage responsible disclosure. FireEye has a documented policy for researchers to responsibly disclose and inform us of potential security issues.
We have reached out to the researchers regarding these potential security issues in order to quickly determine, and potentially remediate, any impacts to the security of our platform and our customers.’
Based on this statement and the fact that Hermansen has been trying to get FireEye and Mandiant to acknowledge this for 18 months, it seems as if sales are of more concern than security of the organizations after the sale. In a world where everything is becoming “Next Generation;” like FireEye and Fortinet’s “Next Generation Firewalls” and SentinelOne’s EPP “Next Generation Endpoint Protection,” this could cause a serious disturbance in the sales of FIreEye products and lead to new leadership in “Next Generation Firewalls” such as Fortinet, Palo Alto, or a company that is yet to be seen. From a corporate security professional’s perspective, I have always held FireEye in high regards, now I am starting to rethink this.
With regards to Kaspersky, I have typically preferred other antivirus solutions over them. They have been an exceptional cybersecurity research laboratory. The fact that they have already responded to the issues in under 24 hours on a weekend, says a lot for the character of the company. While this is a black eye for them, like literal black eyes, this one will heal as well.
What could have been done differently?
In a nutshell, more stringent code reviews and QA testing to be blunt. There is no reason why either Kaspersky or FireEye’s issues should have been exploited “in the wild,” or after production, sales, and deployment. It is good that someone found the issues, even though one blind sided Kaspersky and the other was ignored. I have to agree with Graham Cluley on this one. It could be worse, a more malicious Black Hat could’ve found them and kept quiet about them, causing more significant damages than that to the reputations of Kaspersky and FireEye.
First off, thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.