FireEye Fixes Bypass Flaw

Monday, February 22, 2016 @ 04:02 PM gHale

FireEye fixed a high-severity vulnerability in its products that allowed an attacker to bypass its detection engine and temporarily whitelist malware.

The vulnerability was first reported to FireEye in September, and the company patched it in October with the release of FireEye Operating System (FEOS) updates.


However, in mid-January, FireEye asked Blue Frost Security, which found the vulnerability, to postpone its initial disclosure date by 30 days because customers had still not applied the updates.

The issue is in the Virtual Execution Engine (VXE), the system the company’s products use to perform dynamic analysis on files.

The list of affected products includes FireEye Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX).

When analyzing a file on a Windows guest, the engine copies the submitted binary into a virtual machine as “malware.exe.” Before analysis starts, a batch script copies the binary to a temporary location and renames it back to its original filename.

Because the original filename is not sanitized, the researchers found, an attacker can embed Windows environment variable references in the filename; when the batch script expands them, the file ends up with a different, invalid name.

The batch script would normally execute the file in the virtual machine and monitor it for malicious behavior. Because the expanded filename is invalid, however, the copy operation fails, the file never executes, and the system observes no malicious activity.

A file marked non-malicious has its MD5 hash added to a list of binaries already analyzed. Files matching a hash on this whitelist are not analyzed again until the list is cleared the next day. In effect, a failed copy is treated as a clean result rather than as an analysis error.
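The copy-rename-execute-whitelist flow described above, modeled as an added example in Python. This is illustrative code written for this article, not FireEye’s or Blue Frost Security’s code: the guest environment values, the `%windir%` variable used in the filename, the `b"EVIL"` marker standing in for the real dynamic analysis, and the day labels are all constructed assumptions. The `fail_open` flag switches between the vulnerable behavior (a failed copy is whitelisted as benign) and a hardened variant that sanitizes the filename before use and never whitelists a sample that did not actually run.

```python
import hashlib
import re

# Constructed stand-in for the guest's environment variables (assumption,
# not FireEye's real values). The expansion turns "report%windir%.exe" into
# "reportC:\Windows.exe", which is not a legal single filename on Windows.
GUEST_ENV = {"windir": r"C:\Windows", "TEMP": r"C:\Users\sandbox\AppData\Local\Temp"}

# Characters Windows rejects inside one path component.
INVALID_WIN_CHARS = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def expand_batch_vars(name, env):
    """Expand %VAR% references the way cmd.exe does for an unquoted batch argument."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), name)


def filename_is_valid(name):
    """True if 'name' is a usable single path component (no separators, drive colons, etc.)."""
    return bool(name) and not INVALID_WIN_CHARS.search(name)


def sanitize_filename(name):
    """Hardened variant: neutralize '%' so no expansion can occur, then drop illegal characters."""
    cleaned = INVALID_WIN_CHARS.sub("_", name.replace("%", "_"))
    return cleaned or "sample.exe"


class SandboxModel:
    """Toy model of the VXE batch flow. fail_open=True reproduces the reported bug."""

    def __init__(self, env, fail_open):
        self.env = env
        self.fail_open = fail_open
        self.already_analyzed = {}  # md5 -> day label on which the whitelist entry is valid

    def _dynamic_analysis(self, content):
        # Stand-in for real execution monitoring: a constructed marker decides the verdict.
        return "malicious" if b"EVIL" in content else "benign"

    def analyze(self, content, original_name, today):
        md5 = hashlib.md5(content).hexdigest()
        if self.already_analyzed.get(md5) == today:
            return "skipped"  # hash still on today's already-analyzed list

        if self.fail_open:
            # Vulnerable flow: the unsanitized name goes through batch expansion.
            target = expand_batch_vars(original_name, self.env)
            if not filename_is_valid(target):
                # Copy fails, nothing executes, nothing observed: recorded as clean.
                self.already_analyzed[md5] = today
                return "benign"
        else:
            # Hardened flow: sanitize first, and treat a failed copy as an error, never as clean.
            target = sanitize_filename(original_name)
            if not filename_is_valid(target):
                return "error"

        verdict = self._dynamic_analysis(content)
        if verdict == "benign":
            self.already_analyzed[md5] = today
        return verdict


def demo_attack(fail_open):
    """Replay the advisory's scenario: whitelist once with a crafted name, reuse with any name."""
    sandbox = SandboxModel(GUEST_ENV, fail_open=fail_open)
    payload = b"MZ\x90\x00 constructed sample EVIL"  # constructed, not a real binary
    return [
        sandbox.analyze(payload, "report%windir%.exe", "day1"),  # crafted filename
        sandbox.analyze(payload, "invoice.exe", "day1"),          # same bytes, arbitrary name
        sandbox.analyze(payload, "invoice.exe", "day2"),          # after the daily list clears
    ]


if __name__ == "__main__":
    print("vulnerable:", demo_attack(fail_open=True))   # ['benign', 'skipped', 'malicious']
    print("hardened:  ", demo_attack(fail_open=False))  # ['malicious', 'malicious', 'malicious']
```

The two design points the hardened branch illustrates carry over to any sandbox: never let an untrusted filename reach an interpreter that performs substitution, and never let an analysis step that did not run produce a verdict that feeds an allow-list.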

“This effectively allows an attacker to whitelist a binary once and then use it with an arbitrary file name in a following attack. The initial binary with the environment variable embedded in its filename could e.g. be hidden in a ZIP file together with several other benign files and sent to an unsuspicious email address,” Blue Frost Security said in its advisory. “Once this ZIP file was downloaded or sent via email a single time, the MD5 hash of the embedded malware would be whitelisted and the binary could then be used with an arbitrary file name without detection.”

FireEye patched the vulnerability with the release of FX 7.5.1, AX 7.7.0, NX 7.6.1 and EX 7.6.2.