________________________________________________________________________

                 From the low-hanging-fruit-department
  AVIRA Generic Malformed Container bypass (ZIP GPFLAG)
________________________________________________________________________

Release mode    : No Patch - Coordinated otherwise
Ref             : [TZO-13-2020] - AVIRA Generic AV Bypass (ZIP GPFLAG)
Vendor          : AVIRA
Status          : Not Patched
CVE             : none provided,
Blog            : 
https://blog.zoller.lu/p/tzo-13-2020-avira-generic-av-bypass-zip.html
Vulnerability Dislosure Policy: https://caravelahq.com/b/policy/20949

Affected Products
=================
AV Engine below 8.3.54.138

All Avira products :
- Avira Antivirus Server
- Avira Antivirus for Endpoint
- Avira Antivirus for Small Business
- Avira Exchange Security (Gateway)
- Avira Internet Security Suite for Windows
- Avira Prime
- Avira Free Security Suite for Windows
- Cross Platform Anti-malware SDK

Attention:
Avira does not patch or update their very popular command line scanner 
that is still available for download on their website. Since Avira does 
not release and advisory their customers are none the wiser.

Avira licenses it's engine to many OEM Partners. The OEM Partners that 
use the Avira Engine may be vulnerable or not. I would advise that you 
reach out to the vendors listed below to know whether you are affected 
or not. OEM Partners
can reach out to me to retreive the POC in order to test.

AVIRA OEM Partners:
- F-Secure
- Sophos
- Barracude
- Alibaba Cloud Security
- Check Point
- CUJO AI
- TP-Link
- FujiSoft
- AWS
- Rohde and Schwarz
- Careerbuilder
- Huawei
- Dracoon
- Total Availability
- FixMeStick
- APPVISORY
- Tabidus
- Cyren


Source :
https://oem.avira.com/en/partnership/our-partners


I. Background
----------------------------
Quote: "We protect people—like you—across all devices, both directly and 
via our OEM partnerships.We provide a wide variety of best-in-class 
solutions to enhance your protection, performance,
and online privacy—ranging from antivirus to VPN and cleanup technologies.

A server security should get special attention, as a single employee 
might store a malicious file on the network and instantly cause a 
cascading damage across the entire organization.
With Avira's solutions for server security you can prevent such 
scenarios by protecting your network, data, and web traffic. "

Avira has the Trust Seal or the
http://www.teletrust.de/itsmig/


II. Description
----------------------------
The parsing engine supports the ZIP container format. The parsing engine 
can be bypassed  by specifically manipulating the ZIP Archive (GPFLag)
the Avira parser believes the file to be encrypted although it isn't. 
This leads to the Endpoint ignoring the archive and the Avira Gateway 
Solutions
to follow the "File is encrypted" logic.  By default this blocks the 
attachement.

According to my experience most companies are asking employees to 
encrypt archives when sending them via email. It is hence very likely 
that  passworded ZIP files would be allowed through the Gateway.

For these customers, this exploit will bypass the Gateway by leading it 
into the wrong logic path believing the file is encrypted. 7ZIP
extracts the file without prompt.

Avira argues that "In this case our product reacts as planned and 
defined in our product, we only support standard conform file types in 
this case, if the file header shows an encrypted file, we will not try 
unpack it. Using a gateway protection without using an endpoint 
protection cannot be taken into consideration as it violates common 
known standards like the defense in depth strategy."

In my experience companies are mixing AV vendors to increase the 
Detection rate. It should be quite common to not have Avira on the 
Endpoint if it
is used in the Gateway, there is no guarantee that this Endpoint would 
detect the sample that bypassed Avira on the Gateway.

However Avira doesn't believe so assuming all customers also have their 
Endpoint solution installed.

I tried to explain the threat model by refering to their own Website 
which claims that detection on servers is indeed very important
""Daher sollte auf Server-Sicherheit ein besonderes Augenmerk gerichtet 
werden – wenn nur ein einziger Mitarbeiter eine schädliche Datei im 
Netzwerk speichert, kann dadurch im gesamten Unternehmen eine fatale 
Kettenreaktion ausgelöst werden. Mit Aviras Lösung für Server-Sicherheit 
können Sie solche Szenarien verhindern und Ihr Netzwerk, Ihre Daten und 
Ihren Datenverkehr im Internet schützen.""


Weird discussions took place after that with Avira arguing that "Defence 
in Depth" is a default security strategy that customers should have, I 
am going to spare you that discussion.

In Summary: Avira has not patched this flaw (contrary to other Vendors). 
All CLient-side products (incldugin servers) will ignore the archive
and not scan it's contents. In case you believe you want AVIRA to focus 
on providing most coverage possible feel free to reach out to them. If 
you are an OEM partner I suggest you do the same.

III. Impact
----------------------------
Impacts depends on the contextual use of the product and engine within 
the organisation
of a customer. Gateway Products (Email, HTTP Proxy etc) may allow the 
file through unscanned
and give it a clean bill of health. Server side AV software will not be 
able to discover
any code or sample contained within this ISO file and it will not raise 
suspicion even
if you know exactly what you are looking for (Which is for example great 
to hide your implants
or Exfiltration/Pivot Server).

There is a lot more to be said about this bug class, so rather than bore 
you with it in
this advisory I provide a link to my 2009 blog post
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Patch / Advisory
----------------------------
I advise customers on scancl.exe (or Unix Variant) to change to another 
vendor as Avira
is apparently no longer maintaining it, and apparently also not warning 
customers about
vulnerabilities

Furthermore should be be an enterprise customer of the OEM Partners 
above I suggest to
reach out to the vendor in order to understand whether this flaw was 
patched downstream
in their respective products.

I recommend to the amavisd project to warn users of this facts
https://gitlab.com/amavis/amavis/blob/master/amavisd.conf


In case you have any further questions please direct them to Avira, the 
above is based on
the best of my knowledge and since AVIRA does not release Advisories we 
are left in the dark
as to what they officially recommend.

V. Disclosure timeline
----------------------------

How Avira handled these reports in 2009 :
https://blog.zoller.lu/2009/04/avira-antivir-generic-cab-bypass.html

The below is a summary of 2-3 evasion reports that I have submitted.

See [TZO-001-2020] Avira for the overall coordination timeline, here is
the specific.

04-12-2019
"For our point of view this is an attack with a very low probability.

Gateway does not check encrypted files
In this case our product reacts as planned and defined in our product, 
we only support standard conform file types in this case, if the file 
header shows an encrypted file, we will not try unpack it.
In the further process the above mentioned conditions must be taken into 
consideration, which lowers the attack vector further.

Using a gateway protection without using an endpoint protection cannot 
be taken into consideration as it violates common known standards like 
the defense in depth strategy.

All in all I am sorry, but we will stay with our decision, which means, 
that we will not handle this as a vulnerability."

Editors note: AVIRA is arguing on "probability" which is risk 
management, that's fine for customers, but as Avira does not know the 
context
in which the customer is using the product it cannot rate the risk for 
thousands of enterprise customers. That's why generally, vulnerability
coordination focuses on the technical aspects and does not go into 
"probability" factors.

04-12-2019
- Avira closes the reports

05-12-2019
I reply with
"First you assume it is only 7zip it isn't. I only use 7zip because it 
is the most used in my experience within enterprises.
"if the file header shows an encrypted file" -> the archive is not encrypted
You have not taken into account at all that your customers will need to 
set the rule set to PASS on encrypted files leaving this UNENCRYPTED 
file unscanned. You could scan it but you choose not to, so this is 
bypassing your GW protection logic - which you seem not take into account.
You assume your customers have your endpoint solution installed, that is 
not necessarely the case, actually I would argue the opposite, more 
often than not. Regardless of the rationale above you already set it to 
not applicable. As discussed and agreed beforehand I will hence proceed 
to publish an advisory on the matter."

Quick Addendum : To talk to my "risk management point". You are talking 
about "probability", probability of occurence is for your customers to 
determine based on their use case and policy, during risk management. 
The probability that someone will use this method is actually high. Why 
? The costs of doing so (swapping a byte) is very low and the gain is high.

You made the wrong call, you should have changed your gateway logic and 
patch the vuln.

05-12-2019
Aviras reply "As discussed and agreed you can move on with the 
disclosure process.
We would kindly ask you for a quick note in the moment you publish the 
article."

05-12-2019 I request a list of affected products " I'd need a list of 
affected products from you. Any advice to customers on how to configure 
the product or any other mitigations?"

05-12-2019
Avira: "can you please clarify the usage of both?
Would these answers be publicly disclosed"

Editors Note: Didn't we just agree that I publish an advisory a few 
hours before ?

09-12-2019:
Avira replys, but does not provide a list of affected products.
The reply :
"Which software products are affected?
The feature of unpacking this highly manipulated und corrupted Zip file is
missing in all our consumer products, as our customers are protected by 
the real
time protection.

The Avira Exchange Security product will handle a mail with such a file 
attached
automatically in the "bad mail process", which is default assigned to 
send all
tagged mails to an administrator, but can be configured by the owner.

Mitigations/ Configuration advices:
For customers using our endpoint protection we recommend to not switch off
the real time protection, which is enabled by default."

09-12-2019
I wanted to make sure there is no misunderstanding, as a lot of 
components have effectively no "on access" scanner capability (Gateway, 
Cloud, Server)

"Thanks a lot, after reading throught this I have 2 Comments :

Can you double check for Avira Exchange? That is not the case, it will 
go into the "Encrypted file" liogic and follow the rule set for 
passworded files.
Have you consiedered your SMB range of products ? Especially Server, any 
further recommendations there? https://www.avira.com/de/server-security 
- Quote "Schutz für Datei-Server. Schützt alle auf Ihren Servern 
gespeicherten Daten vor Malware.""


09-12-2019
I follow up:
"The problem is that it won't have the same workflow in 95% of the cases 
as passworded files are mostly whitelisted. Which was my point in the 
report.
Files on servers are often stored and not executed, real time protection 
doesn't help alot in this particular case."

09-12-2019
Avira replies:

to comment 1:
In this case it would mean, that an owner decided to differ from the 
default and recommended configuration, which moves the layer of 
protection from the gateway to the endpoint protection. Which leads us 
to the point of "real time protection".

to comment 2:
So to be 100% accurate about that, we are talking about a manipulated 
zip file, which is stored on a share drive in the local area network, 
which I as a user can access and copy the file from to my local device?
OR We are talking about a manipulated zip file, which is stored in a 
share drive in the local area network, which I can access and unzip my 
file to? (So the share is not ready only?)


09-12-2019
My reply:s
"I have given presentations about this around 2011 - Rarely the same AV 
solution is used on the endpoint than on the Gateway (reasons are 
obvious you are most likely to detect more). In a scenario where avira 
would have detected the sample but symantec (endpoint) not you have 
failed to protect the customer. In addition we are usually talking about 
security goals of a product that fails or doesn't. Justifying that one 
product fails but another one would catch it is mudding the water and 
simply inconsistent. The security promises and goals are not true any 
longer. You cannot rely on your customer having other mitigations, 
that's also not what you promise customers of your GW product.

You use one example when there are hundreds. If I would be an APT i 
would store my stash isnide such a zip file since it can't be parser it 
won't be detected and stay dormant, EVEN if detection routines exist in 
DLP/AV product.

Whatever the protocol is, SMB, FTP, HTTP, CFIS. File is stored on server 
and processed remotely automatically or by a user. That is the reason we 
invest in server side AV. Which seems also to be the promise made to 
customers.

"Daher sollte auf Server-Sicherheit ein besonderes Augenmerk gerichtet 
werden – wenn nur ein einziger Mitarbeiter eine schädliche Datei im 
Netzwerk speichert, kann dadurch im gesamten Unternehmen eine fatale 
Kettenreaktion ausgelöst werden. Mit Aviras Lösung für Server-Sicherheit 
können Sie solche Szenarien verhindern und Ihr Netzwerk, Ihre Daten und 
Ihren Datenverkehr im Internet schützen."


10-12-2019

taking all your arguments in consideration we decided, that we will not 
investigate any further on this special case, as we do not accept your 
argumentation regarding an increased attack vector or an increased risk. 
The risk of this file is the same risk as of files being encrypted by
a password and storing the password in a text file next to the zipped file.

Regarding your comments we will stay with our argumentation, that a 
security approach and the mitigation of risk should not be based on one 
single layer of protection (Defense in Depth).

The following definition of these approach shows our argumentation in 
more details,
which we would highly recommend to take into consideration, especially 
if APT
attacks are part of your personal threat landscape.

Defense-in-Depth
"Information security strategy integrating people, technology, and 
operations capabilities to establish variable barriers across multiple 
layers and missions of the organization."
[Bill Bonney, Gary Hayslip, Matt Stamper: CISO Desk Reference Guide 
Volume 2, 2018]

Quoting the a white-paper published by the Department of Homeland 
Security in September 2016:

"An organization's cybersecurity strategy should protect the assets that it
deems critical to successful operation. Unfortunately, there are no 
shortcuts,
simple solutions, or "silver bullet" implementations to solve cybersecurity
vulnerabilities within critical infrastructure [...]. It requires a layered
approach known as Defense in Depth."
Department of Homeland Security, September 2016

We will close this ticket for now.

Thank you for contacting us and feel free to reach us with in case of 
any further findings or reports.

10-12-2019
My reply:
With all due respect, I am not discussing security strategies I am 
reporting vulnerabilities. I also don't think I need to be lectured on 
these. You are running a product vulnerability coordination program not 
an incident response program or risk management program in a company. 
Per definition this is a vulnerability.

You have not understood the threat model and keep talking about "risks". 
When I argue about Enterprise usage of your software you start to argue 
that APT is not part of my "personal" threat landscape.

I am giving up on this one and will let your customers decide. I 
understand you have no further recommendation for your enterprise 
customers using your server side protection."

21-12-2019
I realise that I have still not receive the list of affected products
"You have no answered my request for the list of affected products, I 
need a list of products that are affected if you want to respect our 
previous agreement and continue collaboration."

21-12-2019
"I provided an answer to that in my post from the 09 Dec 2019 15:20:42 UTC."
Note: They didn't (see above)

22-12-2019
"You have not provided an answer - I need a list of products (Server, 
Gateway, Client-side) that are unable to parse the archive.
You are talking about a gateway only."

No reply

13.02.2020
Release of this advisory.