Unpatched vulnerabilities lurk in Comodo Antivirus

Updated: Updates to resolve the security flaws are expected to land on Monday.

Comodo Antivirus software contains a swathe of severe vulnerabilities which may place users at risk, researchers say. 

According to a security advisory published by Tenable Research, version 12.0.0.6810 of Comodo Antivirus and Comodo Antivirus Advanced contain multiple vulnerabilities. 

Comodo Antivirus is designed to protect desktops from unwanted intrusions and malware infections. However, the cybersecurity researchers were able to find security flaws which could weaken the protection the software offers. 

Tenable research engineer David Wells has provided an in-depth explainer on the security vulnerabilities in a Medium blog post, describing how the security flaws can be used for sandbox escape and privilege escalation to the system level. Proof-of-concept code has also been released.

The first vulnerability, CVE-2019-3969, is an issue in the software's CmdAgent which permits attackers to bypass legitimate signing checks. If circumvented, attackers are able to perform local privilege escalation. 


The second bug of note, CVE-2019-3970, is a severe problem in the handling of the Comodo virus definition database. Tenable says that the database is stored in a protected folder on disk, but any low-privilege process is able to modify it in memory.

Another security flaw, CVE-2019-3971, is caused by an LPC port, cmdvrtLPCServerPort, which can be accessed and terminated -- together with its child svchost instances -- because hardcoded NULLs are used as a memcpy source address.

Tenable also uncovered CVE-2019-3972, another CmdAgent.exe issue. The agent reads from a Section Object labeled as a SharedMemoryDictionary structure, and if this is modified by attackers it can cause a crash and an out-of-bounds read.

There is a final vulnerability reported by the researchers, CVE-2019-3973, but this security flaw only impacts the antivirus software up to version 11.0.0.6582. The bug is caused by the exposure of a filter port by Cmdguard.sys, which a low privilege process can crash and compromise to secure a port handle. Once this has taken place, it is possible for crafted messages to be sent to trigger an out-of-bounds write, and potentially a kernel crash. 


Tenable's findings were disclosed to Comodo on 17 April. By June, some of the vulnerabilities had been confirmed, with the LPE bug deemed by Comodo to be "partially due to Microsoft's fault," the researchers said. 

Tenable requested clarification and informed the antivirus software provider of its plans to issue CVEs on 19 June. On 8 July, Tenable asked for a patch schedule; no fixes appear to have been released since.

"At the time of this disclosure, we are not aware of any patches released by Comodo that address these vulnerabilities," Tenable said. "We recommend to keep updated on future Comodo Antivirus releases."


Comodo has not responded directly to requests for comment at the time of writing. However, a spokesperson told Infosecurity:

"There have been no reported incidents exploiting any of these vulnerabilities and no customers reporting related issues to us. The Comodo product team has been working diligently to resolve all vulnerabilities and all fixes will be released by Monday, July 29."

Update 9.18 BST: A Microsoft spokesperson told ZDNet:

"Contrary to the claim made in the report, this is not a security vulnerability in our products and services."
