CVE-2019-3970 - Exposure of Resource to Wrong Sphere vulnerability in Comodo Antivirus

CVSS 5.5 - MEDIUM
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE
CVSS v3 base vector (reconstructed from the metrics above): AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Tags: local, low complexity, comodo, CWE-668, nessus

Summary

Comodo Antivirus versions up to and including 12.0.0.6810 are vulnerable to an arbitrary file write caused by the way Cavwp.exe handles the Comodo antivirus definition database. Cavwp.exe maps the definition database into global section objects that carry no restrictive DACL, so a local, low-privileged process can open those sections with write access, modify the database in place and change virus signatures. The CVSS vector matches that mechanism: no confidentiality or availability impact, but a high integrity impact, because the attacker learns nothing new and crashes nothing, yet controls what the engine treats as malicious.
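As an added illustration (not Comodo's code, not the Tenable plugin, and not a reproduction of the real Cavwp.exe section, whose name this page does not give), the following Windows PowerShell 5.1 script shows the weak pattern beside the hardened one and the probe a practitioner would use to tell them apart. It creates two named section objects, one with the permissive DACL that makes a section "unsecured" and one whose DACL limits writes to SYSTEM, then probes each the way a low-privileged process would: by trying to open it for write and by reading its DACL. The section names and SDDL strings are assumptions chosen for the demo; it relies on the .NET Framework MemoryMappedFileSecurity type, which is why it targets Windows PowerShell 5.1 rather than PowerShell 7.

```powershell
# Added example (not Comodo's or Tenable's code). Demonstrates the weak pattern
# behind CVE-2019-3970 (a named section object any user can map for write) next
# to a hardened one, plus a probe that tells the two apart from an unprivileged
# shell. Section names below are placeholders; the real Cavwp.exe section name
# is not given on this page and would have to come from the vendor advisory.

Add-Type -AssemblyName System.Core   # MemoryMappedFiles lives here on .NET Framework

function New-DemoSection {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Sddl
    )
    # An explicit DACL is the whole difference between the two cases below.
    $sec = New-Object System.IO.MemoryMappedFiles.MemoryMappedFileSecurity
    $sec.SetSecurityDescriptorSddlForm($Sddl)
    [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew(
        $Name, 4096,
        [System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::ReadWrite,
        [System.IO.MemoryMappedFiles.MemoryMappedFileOptions]::None,
        $sec,
        [System.IO.HandleInheritability]::None)
}

function Test-SectionWritable {
    <#
      Probe: can the *current* token open the section with FILE_MAP_WRITE?
      Returns 'writable', 'denied' or 'missing'. Run it from a plain user
      shell (not elevated, not SYSTEM) to get the answer that matters.
    #>
    param([Parameter(Mandatory)][string]$Name)
    try {
        $m = [System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting(
            $Name, [System.IO.MemoryMappedFiles.MemoryMappedFileRights]::Write)
        $m.Dispose()
        return 'writable'
    } catch [System.UnauthorizedAccessException] {
        return 'denied'
    } catch [System.IO.FileNotFoundException] {
        return 'missing'
    }
}

function Get-SectionDacl {
    # Reads the DACL (needs only READ_CONTROL) so a finding can be reported as
    # concrete ACEs rather than just "open succeeded". A hardened section may
    # refuse even READ_CONTROL to a non-owner, which is itself a good sign.
    param([Parameter(Mandatory)][string]$Name)
    try {
        $m = [System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting(
            $Name, [System.IO.MemoryMappedFiles.MemoryMappedFileRights]::ReadPermissions)
    } catch [System.UnauthorizedAccessException] {
        return '(READ_CONTROL denied to the current token)'
    }
    try {
        $m.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
            ForEach-Object { '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.Rights }
    } finally { $m.Dispose() }
}

# --- demo --------------------------------------------------------------------
# 'Local\' is used because creating 'Global\' objects needs SeCreateGlobalPrivilege;
# the DACL semantics are identical, only the namespace differs.
$weakName = 'Local\DemoAvDatabase_Weak'       # placeholder, mirrors the unsecured case
$safeName = 'Local\DemoAvDatabase_Hardened'   # placeholder

# Weak: Everyone (WD) gets GENERIC_ALL, which is what "unsecured" amounts to.
$weak = New-DemoSection -Name $weakName -Sddl 'D:(A;;GA;;;WD)'
# Hardened: only SYSTEM may write; Administrators may read; nobody else is listed.
$safe = New-DemoSection -Name $safeName -Sddl 'D:(A;;GA;;;SY)(A;;GR;;;BA)'

try {
    foreach ($n in $weakName, $safeName) {
        '{0}: {1}' -f $n, (Test-SectionWritable -Name $n)
        Get-SectionDacl -Name $n | ForEach-Object { '    ' + $_ }
    }
} finally {
    $weak.Dispose(); $safe.Dispose()
}
```

Run it from a non-elevated user shell: the weak section reports writable and the hardened one denied (the script's own user is the object owner, so it can still read the hardened DACL, but owner rights do not include FILE_MAP_WRITE). Pointed at a real product's section names, the Test-SectionWritable probe is the quickest way to confirm whether an update actually closed this class of issue, since the Nessus plugin below only compares version numbers.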

Common Weakness Enumeration (CWE)

CWE-668: Exposure of Resource to Wrong Sphere
Nessus

The Tenable plugin below covers all four issues from TRA-2019-34 by version comparison only (it does not probe the section objects), and its CVSS vectors are taken from CVE-2019-3969, the privilege-escalation issue in the same advisory (see cvss_score_source), which is why they are higher than the 5.5 / I:H rating of this CVE.

NASL family: Windows
NASL id: COMODO_TRA_2019_34.NASL
description: The version of the Comodo security product installed on the remote Windows host is affected by multiple vulnerabilities: - A Local Privilege Escalation due to CmdAgent
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 126953
published: 2019-07-23
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/126953
title: Comodo Antivirus / Internet Security Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(126953);
  script_version("1.2");
  script_cvs_date("Date: 2019/10/18 23:14:15");

  script_cve_id(
    "CVE-2019-3969",
    "CVE-2019-3970",
    "CVE-2019-3971",
    "CVE-2019-3972"
  );
  script_xref(name:"TRA", value:"TRA-2019-34");

  script_name(english:"Comodo Antivirus / Internet Security Multiple Vulnerabilities");
  script_summary(english:"Checks version of Comodo Internet Security");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an antivirus application installed that 
is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of the Comodo security product installed on the remote Windows
host is affected by multiple vulnerabilities:

  - A Local Privilege Escalation due to CmdAgent's handling
    of COM clients. A local process can bypass the signature
    check enforced by CmdAgent via process hollowing which
    can then allow the process to invoke sensitive COM
    methods in CmdAgent such as writing to the registry with
    SYSTEM privileges.(CVE-2019-3969)

  - An Arbitrary File Write due to Cavwp.exe handling of
    Comodo's Antivirus database. Cavwp.exe loads Comodo
    antivirus definition database in unsecured global
    section objects, allowing a local low privileged process
    to modify this data directly and change virus
    signatures. (CVE-2019-3970)

  - A local Denial of Service affecting CmdVirth.exe via its
    LPC port cmdvrtLPCServerPort. A low privileged local
    process can connect to this port and send an
    LPC_DATAGRAM, which triggers an Access Violation due to
    hardcoded NULLs used for Source parameter in a memcpy
    operation that is called for this handler. This results
    in CmdVirth.exe and its child svchost.exe instances to
    terminate. (CVE-2019-3971)

  - A Denial of Service affecting CmdAgent.exe via an
    unprotected section object <GUID>_CisSharedMemBuff. This
    section object is exposed by CmdAgent and contains a
    SharedMemoryDictionary object, which allows a low
    privileged process to modify the object data causing
    CmdAgent.exe to crash. (CVE-2019-3972)

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  # https://www.tenable.com/security/research/tra-2019-34
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2c5df8c5");
  script_set_attribute(attribute:"solution", value:
"No known fix, refer to vendor for further information.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-3969");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("comodo_internet_security_installed.nasl");
  script_require_keys("SMB/Comodo Internet Security/Version", "SMB/Comodo Internet Security/Path");

  exit(0);
}

include("vcf.inc");

app = "Comodo Internet Security";
app_info = vcf::get_app_info(app:app);

if (report_paranoia < 2)
{
  if(ver_compare(ver:app_info.version, fix:"12.0.0.6810")>0)
    audit(AUDIT_POTENTIAL_VULN, app, app_info.version);
  constraints = [{ "min_version" : "0", "max_version":"12.0.0.6810", "fixed_display":"No known fix, refer to vendor for further information."}];
}
else
  constraints = [{ "min_version" : "0", "fixed_display":"No known fix, refer to vendor for further information."}];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);