Comodo Antivirus is designed to protect desktops from unwanted intrusions and malware infections. However, the cybersecurity researchers were able to find security flaws which could weaken the protection the software offers.
Tenable research engineer David Wells has provided an in-depth explainer on the security vulnerabilities in a Medium blog post, describing how the security flaws can be used for sandbox escape and privilege escalation to the system level. Proof-of-concept code has also been released.
The first vulnerability, CVE-2019-3969, is an issue in the software's CmdAgent which permits attackers to bypass legitimate signing checks. If circumvented, attackers are able to perform local privilege escalation.
The second bug of note, CVE-2019-3970, is a severe problem in the handling of the Comodo virus definition database. Tenable says that the database is stored in a protected folder on disc but it is possible for any low privilege process to modify them in memory.
Another security flaw, CVE-2019-3971, is caused by an LCP port, cmdvrtLPCServerPort, which can be accessed and terminated -- together with its child svchost instances -- due to the use of hardcoded NULLs used for a memcpy source address.
Tenable also uncovered CVE-2019-3972, another CmdAgent.exe issue. The agent reads from a Section Object labeled as a SharedMemoryDictionary structure, and if modified by attackers, this can cause a crash and Out-of-bounds read.
There is a final vulnerability reported by the researchers, CVE-2019-3973, but this security flaw only impacts the antivirus software up to version 22.214.171.12482. The bug is caused by the exposure of a filter port by Cmdguard.sys, which a low privilege process can crash and compromise to secure a port handle. Once this has taken place, it is possible for crafted messages to be sent to trigger an out-of-bounds write, and potentially a kernel crash.
Tenable's findings were disclosed to Comodo on 17 April. By June, some of the vulnerabilities had been confirmed, with the LPE bug deemed by Comodo to be "partially due to Microsoft's fault," the researchers said.
Tenable requested clarification and informed the antivirus software provider of its plans to issue CVEs on 19 June. On 8 July, Tenable asked for a patch schedule, of which no fixes appear to have been released.
"At the time of this disclosure, we are not aware of any patches released by Comodo that address these vulnerabilities," Tenable said. "We recommend to keep updated on future Comodo Antivirus releases."
Comodo has not responded directly to requests for comment at the time of writing. However, a spokesperson told Infosecurity:
"There have been no reported incidents exploiting any of these vulnerabilities and no customers reporting related issues to us. The Comodo product team has been working diligently to resolve all vulnerabilities and all fixes will be released by Monday, July 29."
Update 9.18 BST: A Microsoft spokesperson told ZDNet:
"Contrary to the claim made in the report, this is not a security vulnerability in our products and services."