________________________________________________________________________

From the low-hanging-fruit department:
AVIRA Generic Malformed Container bypass (ISO Container)
________________________________________________________________________

Release mode : Coordinated disclosure / Vendor does not disclose
CVE          : CVE-2020-9320 (none provided by the vendor)
Ref          : [TZO-19-2020] - AVIRA Generic AV Bypass (ISO Container)
Vendor       : AVIRA
Status       : PATCHED - Engine version 8.3.54.138
Blog         : https://blog.zoller.lu/p/from-low-hanging-fruit-department-avira.html
Vulnerability Disclosure Policy: https://caravelahq.com/b/policy/20949

Affected Products
=================
AV Engine below 8.3.54.138

All Avira products:
- Avira Antivirus Server
- Avira Antivirus for Endpoint
- Avira Antivirus for Small Business
- Avira Exchange Security (Gateway)
- Avira Internet Security Suite for Windows
- Avira Prime
- Avira Free Security Suite for Windows
- Cross Platform Anti-malware SDK

Attention: Avira does not patch or update its very popular command line
scanner, which is still available for download on its website. Since Avira
does not release an advisory, its customers are none the wiser.

Avira licenses its engine to many OEM partners. OEM partners that use the
Avira engine may or may not be vulnerable. I would advise that you reach out
to the vendors listed below to find out whether you are affected. OEM
partners can reach out to me to retrieve the PoC in order to test.

AVIRA OEM Partners:
- F-Secure
- Sophos
- Barracuda
- Alibaba Cloud Security
- Check Point
- CUJO AI
- TP-Link
- FujiSoft
- AWS
- Rohde and Schwarz
- Careerbuilder
- Huawei
- Dracoon
- Total Availability
- FixMeStick
- APPVISORY
- Tabidus
- Cyren
Source : https://oem.avira.com/en/partnership/our-partners

I. Background
----------------------------
Quote:
"We protect people—like you—across all devices, both directly and via our
OEM partnerships. We provide a wide variety of best-in-class solutions to
enhance your protection, performance, and online privacy—ranging from
antivirus to VPN and cleanup technologies. A server security should get
special attention, as a single employee might store a malicious file on the
network and instantly cause a cascading damage across the entire
organization. With Avira's solutions for server security you can prevent
such scenarios by protecting your network, data, and web traffic."

Avira carries the TeleTrusT "IT Security made in Germany" seal:
http://www.teletrust.de/itsmig/

II. Description
----------------------------
The parsing engine supports the ISO container format. The parsing engine
can be bypassed by specifically manipulating the ISO archive. This leads to
the endpoint ignoring the container and to gateways letting the file
through uninspected.

III. Impact
----------------------------
It bypasses Avira perimeter defenses and scheduled AV scans. The impact
depends on the contextual use of the product and engine within the
customer's organisation.

Gateway products (email, HTTP proxy etc.) may allow the file through
unscanned and give it a clean bill of health.

Server-side AV software will not be able to discover any code or sample
contained within this ISO file, and it will not raise suspicion even if you
know exactly what you are looking for (which is, for example, great for
hiding your implants or an exfiltration/pivot server).

There is a lot more to be said about this bug class; rather than bore you
with it in this advisory, I refer to my 2009 blog post:
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Patch / Advisory
----------------------------
PATCHED - Engine version 8.3.54.138.
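The failure mode described in the Description and Impact sections is a scanner that, faced with a container it cannot make sense of, treats it as nothing to scan and waves it through. The following is an added example and not Avira's code, nor the manipulation used in the PoC (which this advisory deliberately does not publish): a minimal ISO 9660 volume descriptor walker in Python, plus a fail-closed gateway policy that quarantines any image the walker rejects instead of reporting it clean. Field offsets follow the ISO 9660 volume descriptor layout; the constructed images, the `gateway_verdict` policy function and the `toy_scanner` stand-in for a real content scanner are illustration only and are assumptions of this example.

```python
import struct

SECTOR = 2048                 # ISO 9660 logical sector size
SYSTEM_AREA_SECTORS = 16      # sectors 0-15 are the unused "system area"
VD_PRIMARY, VD_TERMINATOR = 1, 255


def _both_endian_u32(buf: bytes, off: int) -> int:
    """ISO 9660 stores many integers twice (LE then BE); a mismatch is a malformation."""
    le = struct.unpack_from("<I", buf, off)[0]
    be = struct.unpack_from(">I", buf, off + 4)[0]
    if le != be:
        raise ValueError(f"both-endian u32 at offset {off} disagrees ({le} vs {be})")
    return le


def _both_endian_u16(buf: bytes, off: int) -> int:
    le = struct.unpack_from("<H", buf, off)[0]
    be = struct.unpack_from(">H", buf, off + 2)[0]
    if le != be:
        raise ValueError(f"both-endian u16 at offset {off} disagrees ({le} vs {be})")
    return le


def parse_iso(image: bytes) -> dict:
    """Walk the volume descriptor set starting at sector 16.

    Returns the facts a scanner needs from the primary volume descriptor (PVD),
    or raises ValueError on anything the parser cannot vouch for.
    """
    if len(image) < (SYSTEM_AREA_SECTORS + 2) * SECTOR:
        raise ValueError("image too small to hold a PVD and a set terminator")
    info, seen_pvd, sector_no = {}, False, SYSTEM_AREA_SECTORS
    while True:
        vd = image[sector_no * SECTOR:(sector_no + 1) * SECTOR]
        if len(vd) < SECTOR:
            raise ValueError("descriptor set runs off the end of the image (no terminator)")
        if vd[1:6] != b"CD001" or vd[6] != 1:
            raise ValueError(f"sector {sector_no}: bad standard identifier or version")
        vd_type = vd[0]
        if vd_type == VD_TERMINATOR:
            break
        if vd_type == VD_PRIMARY:
            if seen_pvd:
                raise ValueError("more than one primary volume descriptor")
            seen_pvd = True
            space = _both_endian_u32(vd, 80)    # volume space size, in logical blocks
            block = _both_endian_u16(vd, 128)   # logical block size
            if block != SECTOR:
                raise ValueError(f"unsupported logical block size {block}")
            if space * block > len(image):
                raise ValueError(f"PVD claims {space} blocks, image holds {len(image) // block}")
            # Root directory record lives at PVD offset 156; its extent LBA at record offset 2.
            root_len, root_extent = vd[156], _both_endian_u32(vd, 158)
            if root_len < 34 or root_extent >= space:
                raise ValueError("root directory record invalid or outside the volume")
            info = {"blocks": space, "root_extent": root_extent}
        sector_no += 1
    if not seen_pvd:
        raise ValueError("no primary volume descriptor")
    return info


def gateway_verdict(image: bytes, content_scanner) -> str:
    """Fail closed: a container the parser cannot account for is quarantined.

    The bypass class in this advisory relies on the opposite policy, where an
    unparsable container silently becomes "nothing to scan" and passes as clean.
    """
    try:
        parse_iso(image)
    except ValueError as err:
        return f"quarantine: {err}"
    return "malicious" if content_scanner(image) else "clean"


def toy_scanner(image: bytes) -> bool:
    """Stand-in for a real engine (assumption): flags a constructed marker string."""
    return b"EICAR" in image


# --- constructed sample images (not real Avira test data) ---------------------
def build_pvd(space_blocks: int, root_extent: int = 18, be_mismatch: bool = False) -> bytes:
    vd = bytearray(SECTOR)
    vd[0], vd[1:6], vd[6] = VD_PRIMARY, b"CD001", 1
    struct.pack_into("<I", vd, 80, space_blocks)
    struct.pack_into(">I", vd, 84, space_blocks + (1 if be_mismatch else 0))
    struct.pack_into("<H", vd, 128, SECTOR)
    struct.pack_into(">H", vd, 130, SECTOR)
    vd[156] = 34                                 # root directory record length
    struct.pack_into("<I", vd, 158, root_extent)
    struct.pack_into(">I", vd, 162, root_extent)
    return bytes(vd)


def build_terminator() -> bytes:
    vd = bytearray(SECTOR)
    vd[0], vd[1:6], vd[6] = VD_TERMINATOR, b"CD001", 1
    return bytes(vd)


def build_image(*descriptors: bytes, payload: bytes = b"") -> bytes:
    body = bytes(SYSTEM_AREA_SECTORS * SECTOR) + b"".join(descriptors) + payload
    return body + bytes((-len(body)) % SECTOR)   # pad to whole sectors


if __name__ == "__main__":
    good = build_image(build_pvd(19), build_terminator(), payload=b"benign")
    broken = build_image(build_pvd(19, be_mismatch=True), build_terminator(), payload=b"x")
    print(gateway_verdict(good, toy_scanner))    # clean
    print(gateway_verdict(broken, toy_scanner))  # quarantine: both-endian u32 ...
```

The point of the policy is the last branch of `gateway_verdict`: a parse error is an outcome in its own right, distinct from "clean", so a gateway built this way cannot give a malformed container a clean bill of health even when the engine behind it has no idea what it is looking at. A real deployment would log the parser reason and route the file to a sandbox or manual review rather than dropping it silently.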
V. Disclosure timeline
----------------------------
How Avira handled these reports in 2009:
https://blog.zoller.lu/2009/04/avira-antivir-generic-cab-bypass.html

28 NOV 2019  Submitted the vulnerability details
04 DEC 2019  AVIRA releases a patch but doesn't inform the public and/or customers.