Multiple Vulnerabilities in EDRs and Anti-Virus Software Exploited To Turn Them into Data Wipers

Risk: high
Damage: high
Platform(s): Microsoft® Windows OS; Web Servers; Systems; Networks
Advisory ID: ngCERT-2022-0102
Version: N/A
CVE: CVE-2022-37971; CVE-2022-45797; CVE-2022-4173
Published: December 19, 2022

Summary


SafeBreach researchers discovered a number of zero-day vulnerabilities in various Endpoint Detection and Response (EDR) and anti-virus solutions. These flaws can be exploited to turn millions of such solutions in use around the world into data wipers capable of deleting any file on a device and leaving it unable to boot. The wiper runs as an unprivileged user yet can wipe almost any file on a system, including system files, and render the computer unbootable. It does all this without containing any code of its own that touches the target files, which makes it fully undetectable.

Description & Consequence


Anti-virus software scans a device, and EDR solutions continuously monitor it, for suspect or malicious files with the intent of quarantining or deleting them. This exploit deceives the vulnerable solutions into deleting non-malicious files instead, by routing the deletion through a customized path known as a junction point.

A junction point is a type of reparse point that contains a link to a directory and serves as an alias for that directory. During the brief window between an EDR or anti-virus product detecting a malicious file and attempting to delete it, the threat actor can use a junction point to redirect the product to a path (directory) of their choice.

To wipe a directory completely, the threat actor can use software such as the Aikido wiper to trigger a privileged delete: a malicious file is planted in a decoy directory and left without any permissions, which causes the EDR or anti-virus to postpone its deletion until the next restart. The actor then deletes the directory containing the planted file, uses a junction point to point that path at the directory they wish to delete, and restarts the system so that the deferred deletion wipes the target directory.

The affected solutions are:

  1. Microsoft Defender
  2. Microsoft Defender for Endpoint
  3. SentinelOne EDR
  4. TrendMicro Apex One
  5. Avast Antivirus
  6. AVG Antivirus

Data stored on affected devices, including critical system files, can be deleted in such a way that it may not be recoverable, even with data recovery applications.
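Windows records deletions that are deferred until the next restart, the mechanism the attack above relies on, in the PendingFileRenameOperations registry value, so a defender can inspect that queue before rebooting. The script below is an added example, not part of this advisory or of SafeBreach's tooling: it parses the value's source/destination pairs and flags queued deletions whose source lies under a protected directory. The protected-directory list and the sample queue are assumptions constructed for illustration.

```python
import sys
from pathlib import PureWindowsPath

# Directories whose files should never sit in the reboot-time delete queue
# (assumed list for illustration; extend it for your environment).
PROTECTED_PREFIXES = ("C:\\Windows", "C:\\Program Files", "C:\\Program Files (x86)")

def normalize(path: str) -> str:
    r"""Turn an NT-style entry (\??\C:\x, or !\??\C:\x for 'replace existing') into C:\x ."""
    if path.startswith("!"):
        path = path[1:]
    if path.startswith("\\??\\"):
        path = path[4:]
    return path

def pending_operations(entries):
    """Yield (source, destination) pairs from the REG_MULTI_SZ list.
    Entries alternate source, destination; an empty destination means delete."""
    it = iter(entries)
    for src in it:
        yield normalize(src), normalize(next(it, ""))

def is_under(path: str, prefix: str) -> bool:
    p, base = PureWindowsPath(path), PureWindowsPath(prefix)
    return p == base or base in p.parents  # PureWindowsPath compares case-insensitively

def suspicious_deletes(entries, protected=PROTECTED_PREFIXES):
    """Return queued deletions whose source lies under a protected directory."""
    return [src for src, dst in pending_operations(entries)
            if dst == "" and any(is_under(src, p) for p in protected)]

def read_live_queue():
    """On Windows, read the real queue from the registry; elsewhere return None."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Session Manager") as key:
        try:
            value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []
    return list(value)

# Constructed sample: a benign installer rename followed by a queued delete of a driver.
SAMPLE_QUEUE = [
    "\\??\\C:\\Users\\alice\\AppData\\Local\\Temp\\update.tmp", "\\??\\C:\\ProgramData\\Vendor\\update.dat",
    "\\??\\C:\\Windows\\System32\\drivers\\example.sys", "",
]

if __name__ == "__main__":
    queue = read_live_queue()
    if queue is None:
        print("Not on Windows; checking the constructed sample instead.")
        queue = SAMPLE_QUEUE
    for path in suspicious_deletes(queue):
        print("pending delete under a protected directory:", path)
```

Run it on a host before an unexplained reboot; a queued delete of a file under C:\Windows that no patch or uninstall explains deserves investigation, as does any junction point in a user-writable location that resolves into a system directory.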

Solution


If you are using any of the aforementioned anti-virus or EDR solutions, please update immediately, as updates have been released to patch the vulnerabilities.
