
Researchers disclose five unpatched bugs in Comodo Antivirus


Researchers at Tenable have disclosed five unpatched vulnerabilities in Comodo Antivirus, which reportedly will be patched by Monday of next week.

The most significant of the zero-days appears to be CVE-2019-3969, a local privilege escalation condition that results from a flawed verification mechanism in the CmdAgent.exe process file.

"A local process can bypass the signature check enforced by CmdAgent via process hollowing which can then allow the process to invoke sensitive COM methods in CmdAgent such as writing to the registry with SYSTEM privileges," explains an official MITRE vulnerability description.

According to the NIST database, CVE-2019-3969 was assigned a CVSS v3.0 base score of 7.8, which is considered high in severity.

Tenable described this flaw in more detail in a blog post published earlier this week.

The other four flaws consist of an arbitrary file write via the modification of AV signatures (CVE-2019-3970), a denial of service condition (CVE-2019-3971), an out-of-bounds read (CVE-2019-3972) and an out-of-bounds write (CVE-2019-3973).

Tenable posted its proof-of-concept work for the five bugs on GitHub earlier this month, and summarized the flaws in a research advisory.

An Infosecurity report earlier this week quoted a Comodo spokesperson as follows: "There have been no reported incidents exploiting any of these vulnerabilities and no customers reporting related issues to us. The Comodo product team has been working diligently to resolve all vulnerabilities and all fixes will be released by Monday, July 29."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
