Release mode    : No Patch - Coordinated otherwise
Ref             : [TZO-13-2020] - AVIRA Generic AV Bypass (ZIP GPFLAG)
Vendor          : AVIRA
Status          : Not Patched 
CVE             : none provided,
Blog            : https://blog.zoller.lu
Vulnerability Dislosure Policy: https://caravelahq.com/b/policy/20949

Affected Products
=================
AV Engine below 8.3.54.138

All Avira products : 
- Avira Antivirus Server
- Avira Antivirus for Endpoint
- Avira Antivirus for Small Business
- Avira Exchange Security (Gateway)
- Avira Internet Security Suite for Windows
- Avira Prime
- Avira Free Security Suite for Windows
- Cross Platform Anti-malware SDK

Attention:
Avira does not patch or update their very popular command line scanner that is still available for download on their website. Since Avira does not release and advisory their customers are none the wiser.

Avira licenses it's engine to many OEM Partners. The OEM Partners that use the Avira Engine may be vulnerable or not. I would advise that you reach out to the vendors listed below to know whether you are affected or not. OEM Partners
can reach out to me to retreive the POC in order to test.

AVIRA OEM Partners:
- F-Secure
- Sophos
- Barracude
- Alibaba Cloud Security
- Check Point
- CUJO AI
- TP-Link
- FujiSoft
- AWS
- Rohde and Schwarz
- Careerbuilder
- Huawei
- Dracoon
- Total Availability
- FixMeStick
- APPVISORY
- Tabidus
- Cyren


Source : 
https://oem.avira.com/en/partnership/our-partners


I. Background
----------------------------
Quote: "We protect people—like you—across all devices, both directly and via our OEM partnerships.We provide a wide variety of best-in-class solutions to enhance your protection, performance, 
and online privacy—ranging from antivirus to VPN and cleanup technologies.

A server security should get special attention, as a single employee might store a malicious file on the network and instantly cause a cascading damage across the entire organization. 
With Avira's solutions for server security you can prevent such scenarios by protecting your network, data, and web traffic. "

Avira has the Trust Seal or the 
http://www.teletrust.de/itsmig/


II. Description
----------------------------
The parsing engine supports the ZIP container format. The parsing engine can be bypassed  by specifically manipulating the ZIP Archive (GPFLag)
the Avira parser believes the file to be encrypted although it isn't. This leads to the Endpoint ignoring the archive and the Avira Gateway Solutions
to follow the "File is encrypted" logic.  By default this blocks the attachement.

According to my experience most companies are asking employees to encrypt archives when sending them via email. It is hence very likely that  passworded ZIP files would be allowed through the Gateway. 

For these customers, this exploit will bypass the Gateway by leading it into the wrong logic path believing the file is encrypted. 7ZIP
extracts the file without prompt.

Avira argues that "In this case our product reacts as planned and defined in our product, we only support standard conform file types in this case, if the file header shows an encrypted file, we will not try unpack it. Using a gateway protection without using an endpoint protection cannot be taken into consideration as it violates common known standards like the defense in depth strategy."

In my experience companies are mixing AV vendors to increase the Detection rate. It should be quite common to not have Avira on the Endpoint if it
is used in the Gateway, there is no guarantee that this Endpoint would detect the sample that bypassed Avira on the Gateway. 

However Avira doesn't believe so assuming all customers also have their Endpoint solution installed.

I tried to explain the threat model by refering to their own Website which claims that detection on servers is indeed very important
""Daher sollte auf Server-Sicherheit ein besonderes Augenmerk gerichtet werden – wenn nur ein einziger Mitarbeiter eine schädliche Datei im Netzwerk speichert, kann dadurch im gesamten Unternehmen eine fatale Kettenreaktion ausgelöst werden. Mit Aviras Lösung für Server-Sicherheit können Sie solche Szenarien verhindern und Ihr Netzwerk, Ihre Daten und Ihren Datenverkehr im Internet schützen.""


Weird discussions took place after that with Avira arguing that "Defence in Depth" is a default security strategy that customers should have, I am going to spare you that discussion.

In Summary: Avira has not patched this flaw (contrary to other Vendors). All CLient-side products (incldugin servers) will ignore the archive
and not scan it's contents. In case you believe you want AVIRA to focus on providing most coverage possible feel free to reach out to them. If you are an OEM partner I suggest you do the same.

III. Impact
----------------------------
Impacts depends on the contextual use of the product and engine within the organisation
of a customer. Gateway Products (Email, HTTP Proxy etc) may allow the file through unscanned
and give it a clean bill of health. Server side AV software will not be able to discover
any code or sample contained within this ISO file and it will not raise suspicion even 
if you know exactly what you are looking for (Which is for example great to hide your implants
or Exfiltration/Pivot Server).

There is a lot more to be said about this bug class, so rather than bore you with it in
this advisory I provide a link to my 2009 blog post 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Patch / Advisory
----------------------------
I advise customers on scancl.exe (or Unix Variant) to change to another vendor as Avira
is apparently no longer maintaining it, and apparently also not warning customers about 
vulnerabilities

Furthermore should be be an enterprise customer of the OEM Partners above I suggest to
reach out to the vendor in order to understand whether this flaw was patched downstream
in their respective products.

I recommend to the amavisd project to warn users of this facts 
https://gitlab.com/amavis/amavis/blob/master/amavisd.conf


In case you have any further questions please direct them to Avira, the above is based on
the best of my knowledge and since AVIRA does not release Advisories we are left in the dark
as to what they officially recommend.

V. Disclosure timeline
----------------------------

How Avira handled these reports in 2009 :
https://blog.zoller.lu/2009/04/avira-antivir-generic-cab-bypass.html

The below is a summary of 2-3 evasion reports that I have submitted.

See [TZO-001-2020] Avira for the overall coordination timeline, here is
the specific.

04-12-2019
"For our point of view this is an attack with a very low probability.

Gateway does not check encrypted files
In this case our product reacts as planned and defined in our product, we only support standard conform file types in this case, if the file header shows an encrypted file, we will not try unpack it.
In the further process the above mentioned conditions must be taken into consideration, which lowers the attack vector further.

Using a gateway protection without using an endpoint protection cannot be taken into consideration as it violates common known standards like the defense in depth strategy.

All in all I am sorry, but we will stay with our decision, which means, that we will not handle this as a vulnerability."

Editors note: AVIRA is arguing on "probability" which is risk management, that's fine for customers, but as Avira does not know the context
in which the customer is using the product it cannot rate the risk for thousands of enterprise customers. That's why generally, vulnerability
coordination focuses on the technical aspects and does not go into "probability" factors.

04-12-2019
- Avira closes the reports

05-12-2019
I reply with 
"First you assume it is only 7zip it isn't. I only use 7zip because it is the most used in my experience within enterprises.
"if the file header shows an encrypted file" -> the archive is not encrypted
You have not taken into account at all that your customers will need to set the rule set to PASS on encrypted files leaving this UNENCRYPTED file unscanned. You could scan it but you choose not to, so this is bypassing your GW protection logic - which you seem not take into account.
You assume your customers have your endpoint solution installed, that is not necessarely the case, actually I would argue the opposite, more often than not. Regardless of the rationale above you already set it to not applicable. As discussed and agreed beforehand I will hence proceed to publish an advisory on the matter."

Quick Addendum : To talk to my "risk management point". You are talking about "probability", probability of occurence is for your customers to determine based on their use case and policy, during risk management. The probability that someone will use this method is actually high. Why ? The costs of doing so (swapping a byte) is very low and the gain is high.

You made the wrong call, you should have changed your gateway logic and patch the vuln.

05-12-2019
Aviras reply "As discussed and agreed you can move on with the disclosure process.
We would kindly ask you for a quick note in the moment you publish the article."

05-12-2019 I request a list of affected products " I'd need a list of affected products from you. Any advice to customers on how to configure the product or any other mitigations?"

05-12-2019 
Avira: "can you please clarify the usage of both?
Would these answers be publicly disclosed"

Editors Note: Didn't we just agree that I publish an advisory a few hours before ?

09-12-2019:
Avira replys, but does not provide a list of affected products.
The reply : 
"Which software products are affected?
The feature of unpacking this highly manipulated und corrupted Zip file is
missing in all our consumer products, as our customers are protected by the real
time protection.

The Avira Exchange Security product will handle a mail with such a file attached
automatically in the "bad mail process", which is default assigned to send all
tagged mails to an administrator, but can be configured by the owner.

Mitigations/ Configuration advices:
For customers using our endpoint protection we recommend to not switch off
the real time protection, which is enabled by default."

09-12-2019
I wanted to make sure there is no misunderstanding, as a lot of components have effectively no "on access" scanner capability (Gateway, Cloud, Server)

"Thanks a lot, after reading throught this I have 2 Comments :

Can you double check for Avira Exchange? That is not the case, it will go into the "Encrypted file" liogic and follow the rule set for passworded files.
Have you consiedered your SMB range of products ? Especially Server, any further recommendations there? https://www.avira.com/de/server-security - Quote "Schutz für Datei-Server. Schützt alle auf Ihren Servern gespeicherten Daten vor Malware.""


09-12-2019
I follow up:
"The problem is that it won't have the same workflow in 95% of the cases as passworded files are mostly whitelisted. Which was my point in the report.
Files on servers are often stored and not executed, real time protection doesn't help alot in this particular case."

09-12-2019
Avira replies:

to comment 1:
In this case it would mean, that an owner decided to differ from the default and recommended configuration, which moves the layer of protection from the gateway to the endpoint protection. Which leads us to the point of "real time protection".

to comment 2:
So to be 100% accurate about that, we are talking about a manipulated zip file, which is stored on a share drive in the local area network, which I as a user can access and copy the file from to my local device?
OR We are talking about a manipulated zip file, which is stored in a share drive in the local area network, which I can access and unzip my file to? (So the share is not ready only?)


09-12-2019
My reply"
"I have given presentations about this around 2011 - Rarely the same AV solution is used on the endpoint than on the Gateway (reasons are obvious you are most likely to detect more). In a scenario where avira would have detected the sample but symantec (endpoint) not you have failed to protect the customer. In addition we are usually talking about security goals of a product that fails or doesn't. Justifying that one product fails but another one would catch it is mudding the water and simply inconsistent. The security promises and goals are not true any longer. You cannot rely on your customer having other mitigations, that's also not what you promise customers of your GW product.

You use one example when there are hundreds. If I would be an APT i would store my stash isnide such a zip file since it can't be parser it won't be detected and stay dormant, EVEN if detection routines exist in DLP/AV product.

Whatever the protocol is, SMB, FTP, HTTP, CFIS. File is stored on server and processed remotely automatically or by a user. That is the reason we invest in server side AV. Which seems also to be the promise made to customers.

"Daher sollte auf Server-Sicherheit ein besonderes Augenmerk gerichtet werden – wenn nur ein einziger Mitarbeiter eine schädliche Datei im Netzwerk speichert, kann dadurch im gesamten Unternehmen eine fatale Kettenreaktion ausgelöst werden. Mit Aviras Lösung für Server-Sicherheit können Sie solche Szenarien verhindern und Ihr Netzwerk, Ihre Daten und Ihren Datenverkehr im Internet schützen."


10-12-2019

taking all your arguments in consideration we decided, that we will not investigate any further on this special case, as we do not accept your argumentation regarding an increased attack vector or an increased risk. The risk of this file is the same risk as of files being encrypted by
a password and storing the password in a text file next to the zipped file.

Regarding your comments we will stay with our argumentation, that a security approach and the mitigation of risk should not be based on one single layer of protection (Defense in Depth).

The following definition of these approach shows our argumentation in more details,
which we would highly recommend to take into consideration, especially if APT
attacks are part of your personal threat landscape.

Defense-in-Depth
"Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization."
[Bill Bonney, Gary Hayslip, Matt Stamper: CISO Desk Reference Guide Volume 2, 2018]

Quoting the a white-paper published by the Department of Homeland Security in September 2016:

"An organization's cybersecurity strategy should protect the assets that it
deems critical to successful operation. Unfortunately, there are no shortcuts,
simple solutions, or "silver bullet" implementations to solve cybersecurity
vulnerabilities within critical infrastructure [...]. It requires a layered
approach known as Defense in Depth."
Department of Homeland Security, September 2016

We will close this ticket for now.

Thank you for contacting us and feel free to reach us with in case of any further findings or reports.

10-12-2019
My reply:
With all due respect, I am not discussing security strategies I am reporting vulnerabilities. I also don't think I need to be lectured on these. You are running a product vulnerability coordination program not an incident response program or risk management program in a company. Per definition this is a vulnerability.

You have not understood the threat model and keep talking about "risks". When I argue about Enterprise usage of your software you start to argue that APT is not part of my "personal" threat landscape.

I am giving up on this one and will let your customers decide. I understand you have no further recommendation for your enterprise customers using your server side protection."

21-12-2019
I realise that I have still not receive the list of affected products
"You have no answered my request for the list of affected products, I need a list of products that are affected if you want to respect our previous agreement and continue collaboration."

21-12-2019
"I provided an answer to that in my post from the 09 Dec 2019 15:20:42 UTC."
Note: They didn't (see above)

22-12-2019
"You have not provided an answer - I need a list of products (Server, Gateway, Client-side) that are unable to parse the archive.
You are talking about a gateway only."

No reply

13.02.2020
Release of this advisory.