Weaknesses in Heimdal’s Thor line of products

Alexander Drabek
6 min read · Dec 5, 2023


During the security assessment of various solutions, I observed several weaknesses in Heimdal's Thor line of products. Whilst I will outline the descriptions and steps to reproduce the reported CVEs, it is important to note that there are numerous other weaknesses, such as inadequate coverage of security restrictions on different platforms, lack of control over certain aspects, and frequent issues with self-updating on both Windows and Mac. This solution is built mainly for MS Windows. The vendor was responsive throughout and agreed with some, but not all, of the points raised.

Content:

· CVE-2023-29485 — bypass of network filtering rules (DarkLayer Guard)

· CVE-2023-29486 — bypass of USB access restrictions

· CVE-2023-29487 — lack of information about the offending process (TTPC)

Bypass of Heimdal Thor Threat Prevention Modules — DarkLayer Guard Policies — CVE-2023-29485

All versions of Heimdal Threat Prevention Modules (sub-modules: DarkLayer Guard, TTPC, VectorN Detection) for Windows and Mac were affected at the time of writing. The tested clients were up to version 3.5.3 of the Windows client and up to 2.6.9 of the Mac client.

This vulnerability allows an attacker to bypass network filtering rules (DarkLayer Guard network traffic policies) by multiple methods. The component does not intercept traffic correctly, and it fails open. This in turn can result in a violation of the specified restrictions and impact the integrity and confidentiality of the endpoint and its data, as well as allow data exfiltration or the download of prohibited content or malicious payloads.

To put it simply, website restrictions can be bypassed using any of the following methods:

1. A TOR browser, as well as a built-in TOR component in the Brave browser

2. Any browser with a VPN plugin

3. Any online proxy website

The vendor acknowledged the issue and is working on a fix for blocking TOR traffic, but I have not tested whether this fix was released. It is unknown whether users will receive adequate protection against online proxies (websites that offer proxy services), and there will be none for those who use VPN plugins, as the vendor does not plan to monitor those.

Note that version 3.5.3 on Windows is also affected, but it blocked the TOR browser (firefox) process via its Ransomware Protection module (unlike the 3.4.2 client). However, the other listed bypasses still function, and a TOR connection can still be established both manually and via the Brave browser.

Examples of accessing a prohibited website:

Note that the endpoint policy must be configured to enable DarkLayer Guard, a blacklist containing the test domain needs to be added, and related settings hardened so that the product is configured as well as possible (such as Full Logging and Improve TTPC accuracy, among many others); I worked with the vendor on fine-tuning the policy. Lastly, ensure that the policy has synced with the endpoint in question (often the policy requires several reboots and some time after syncing before it takes effect). Below are just examples of bypasses.

[Screenshot: Heimdal Dashboard — relevant settings from the active endpoint policy]
[Screenshot: Bypass via a TOR browser, as well as the built-in TOR component in the Brave browser]
[Screenshot: Bypass via a browser with a VPN plugin]
[Screenshot: Bypass via an online proxy website]

Bypass of USB access restrictions — Heimdal Thor Next Gen AV Enterprise — CVE-2023-29486

All versions of Heimdal Thor Next Gen AV for Windows were affected. At the time of writing, the tested clients were up to version 3.5.3 of the Windows client. A fix was introduced in version 3.7 of the Heimdal Thor AV client and resolves this issue.

[Screenshot: Heimdal Dashboard — relevant settings from the active endpoint policy]

An attacker can utilize the flaw in Heimdal Thor AV to bypass restrictions and access restricted USB storage devices via two methods.
The first method is via ADB (Android Debug Bridge), which requires a phone with debugging options enabled and a viewer via either cmd or Android Studio, as shown below.

The second is to bypass USB restrictions via a VM controller that allows access to the USB device inside the VM with no restrictions. A VM USB controller/driver allows all USB storage access restrictions to be bypassed and does not require any specific configuration of the phone or USB stick. This in turn heavily impacts the integrity of the endpoint and the confidentiality of its data.

An unspecified issue causes a lack of TTPC — Heimdal Thor Threat Prevention Modules — CVE-2023-29487

All versions of Heimdal Thor Threat Prevention Modules (sub-modules: DarkLayer Guard, TTPC, VectorN Detection) for Windows and Mac are affected. At the time of writing, the tested clients were up to version 3.5.3 of the Windows client and up to 2.6.9 of the Mac client.

Due to an unknown flaw, the component fails to display the correct information about the offending process. This in turn heavily impacts the integrity and availability of the data for an investigation, as the same threat is only attributed some of the time.

A TTPC (Threat to Process Correlation) is essentially a piece of information from an endpoint agent about which process caused a security violation and was blocked.

Note that the same test was repeated with the vendor on a support call. A Brave browser with no VPN or other security plugins was used to navigate to the download page of prohibited software (the TOR browser). Unfortunately, Heimdal Thor AV and its modules did not identify or fingerprint the offending Brave process, leaving the field blank. In addition, right after this test, a download of the same software was attempted from a VM with a Firefox browser. There was again no TTPC information, preventing correct identification of the offending process and its path. It should be noted that the same test on the same machine was performed a day earlier, and Heimdal Thor AV recorded the offending browser processes correctly. Sometimes the AV software will detect the offending process, but it is not reliable enough.
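When the agent ships a block event with a blank TTPC field, the analyst still has to attribute it to a process. The following is an added example, not Heimdal's code or data, that falls back to correlating such events with host DNS-query telemetry for the same domain inside a short time window; the record layouts, timestamps, image paths and the five-second window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed agent block events (not Heimdal's real export format):
# (timestamp, blocked domain, process name reported by TTPC; "" when blank)
AGENT_BLOCKS = [
    ("2023-11-20T10:15:03", "blocked.example", "firefox.exe"),
    ("2023-11-20T10:17:41", "blocked.example", ""),
    ("2023-11-20T10:30:12", "blocked.example", ""),
]

# Constructed host DNS-query telemetry, shaped like the fields a Sysmon
# DNS-query event carries: (timestamp, process image, queried name)
HOST_DNS = [
    ("2023-11-20T10:15:02", r"C:\Program Files\Mozilla Firefox\firefox.exe", "blocked.example"),
    ("2023-11-20T10:17:40", r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe", "blocked.example"),
    ("2023-11-20T10:17:55", r"C:\Windows\System32\svchost.exe", "update.example"),
]

WINDOW = timedelta(seconds=5)  # assumed tolerance between agent and host clocks


def correlate(blocks, dns_log, window=WINDOW):
    """One dict per block event. The process comes from TTPC when the agent
    supplied it; otherwise from the nearest host DNS query for the same domain
    inside `window`. `source` records where the attribution came from."""
    results = []
    for ts, domain, ttpc_proc in blocks:
        if ttpc_proc:
            results.append({"time": ts, "domain": domain, "process": ttpc_proc, "source": "ttpc"})
            continue
        t0 = datetime.fromisoformat(ts)
        best = None
        for dts, image, qname in dns_log:
            if qname != domain:
                continue
            delta = abs(datetime.fromisoformat(dts) - t0)
            if delta <= window and (best is None or delta < best[0]):
                best = (delta, image)
        if best is None:
            results.append({"time": ts, "domain": domain, "process": None, "source": "unresolved"})
        else:
            results.append({"time": ts, "domain": domain, "process": best[1], "source": "host-dns"})
    return results


def ttpc_gap_rate(blocks):
    """Fraction of block events the agent shipped without a process name."""
    return sum(1 for _, _, proc in blocks if not proc) / len(blocks)
```

Events that stay "unresolved" are the ones that need manual correlation; the gap rate gives a measurable figure for how often the agent's attribution is missing on a given endpoint.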

The vendor is working on a fix, but the result was not fully tested to confirm that the issues were resolved.
