Insecure service configuration - Antivirus

Insecure service configuration - Antivirus

Description

It is possible to evade antivirus signatures to upload and use hacking tools that are commonly detected by any antivirus by recompiling the binaries and source code of the tools and using obfuscation. This would allow an attacker to get information in memory, perform attacks on the Kerberos service or the organizations network, among others.

Impact

- Evade the organizations security controls to install malicious software.
- Exfiltrate data.
- Compromise data integrity.
- Affect server availability.

Recommendation

- Use on-disk monitoring systems to detect the use of malicious tools.
- Update detection and intelligence tools periodically.

Threat

Internal attacker in the network.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the src.

Base

  • Attack vector: A
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: H
  • Availability: L

Temporal

  • Exploit code maturity: F
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:F/RL:X/RC:X
  • Score:
    • Base: 6.8
    • Temporal: 6.6
  • Severity:
    • Base: Medium
    • Temporal: Medium

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: A
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: L
  • User interaction: N
  • Confidentiality (VC): L
  • Integrity (VI): H
  • Availability (VA): L
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: A

Result 4.0

  • Vector string: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:A
  • Score:
    • CVSS-BT: 7.0
  • Severity:
    • CVSS-BT: High

Compliant code

Every resource in the network has monitoring systems and antivirus correctly setup.

                hosts: localhost
  vars:
  host: "192.168.122.40"
  username: "admin"
  password: ""
  vdom: "root"
  tasks:
- name: Configure AntiVirus profiles. app_antivirus_profile: host: "{{ host }}" username: "{{ username }}" password: "{{ password }}" vdom: "{{ vdom }}" antivirus_profile: state: "present" analytics-bl-filetype: "3 (source dlp.filepattern.id)" analytics-db: "disable" analytics-max-upload: "5" analytics-wl-filetype: "6 (source dlp.filepattern.id)" av-block-log: "enable" av-virus-log: "enable" content-disarm:... extended-log: "enable" ftgd-analytics: "disable" ftp:... http: archive-block: "encrypted" archive-log: "encrypted" emulator: "enable" options: "scan" outbreak-prevention: "enabled" inspection-mode: "proxy" smb:... smtp:...

Non compliant code

Some anti virus tools in the network are not up to date or poorly configured

                hosts: localhost
  vars:
  host: "192.168.122.40"
  username: "admin"
  password: "mypassword"
  vdom: "root"
  tasks:
- name: Configure AntiVirus profiles. app_antivirus_profile: host: "{{ host }}" username: "{{ username }}" password: "{{ password }}" vdom: "{{ vdom }}" antivirus_profile: state: "present" analytics-max-upload: "5" av-virus-log: "disable" extended-log: "enable" ftgd-analytics: "disable" http: emulator: "enable" options: "scan" outbreak-prevention: "disabled" inspection-mode: "proxy"

Requirements

Fixes

Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.