Vulnerabilities discovered through independent security research by Spencer Alessi. Both CVEs target Webroot SecureAnywhere Endpoint Protection CE 23.1 (v.9.0.33.39 and earlier).
An issue found in Webroot SecureAnywhere Endpoint Protection CE 23.1 v.9.0.33.39 and before allows a local attacker to bypass protections because the default allowlist feature is stored with non-administrative privileges. A local attacker can match their payload's file name, file path, and file size to one of the files contained within the default allowlist in order to bypass protections.
The default allowlist feature in Webroot SecureAnywhere stores its configuration with non-administrative privileges. This means a local attacker, even without admin access, can craft malicious files that match the filename, file path, and file size of legitimately allowlisted files. By mimicking these attributes, the attacker's payload evades detection and bypasses the endpoint protection entirely.
An issue found in Webroot SecureAnywhere Endpoint Protection CE 23.1 v.9.0.33.39 and before allows a local attacker to bypass protections via a crafted payload. A local attacker, as a non-administrator, can read the registry containing the default allowlist.
This vulnerability stems from improper access control on the Windows registry keys used by Webroot SecureAnywhere. The registry containing the default allowlist is readable by non-administrator users, exposing sensitive configuration data. By reading this registry information, a local attacker can determine exactly which files are allowlisted and then craft payloads specifically designed to bypass the endpoint protection by exploiting this knowledge.
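As an added illustration, not code from Webroot or from the researcher's writeup, the following Python models the weakness both advisories describe: an allowlist entry that is matched on file name, directory and size accepts a substitute file carrying the same three attributes, whereas a check that also pins a content hash rejects it. The `AllowEntry` type, the file name `tool.exe` and the sample contents are constructed for the example.

```python
"""Metadata-only allowlisting versus content-hash allowlisting (added example)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowEntry:
    """One allowlist record: the attributes the weak check relies on plus a hash."""
    name: str    # expected file name
    path: str    # directory the file is expected to live in
    size: int    # expected size in bytes
    sha256: str  # expected content hash (only used by the hardened check)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def metadata_match(entry: AllowEntry, path: str) -> bool:
    """Weak check: name, directory and size only, as the advisory describes."""
    return (os.path.basename(path) == entry.name
            and os.path.dirname(path) == entry.path
            and os.path.getsize(path) == entry.size)


def hash_match(entry: AllowEntry, path: str) -> bool:
    """Hardened check: the bytes on disk must also hash to the recorded value."""
    return metadata_match(entry, path) and sha256_of(path) == entry.sha256


def demo() -> tuple:
    """Constructed scenario: allowlist a file, then replace it with a same-name,
    same-size file of different content; return (legit_ok, forged_meta, forged_hash)."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "tool.exe")
    legit = b"LEGITIMATE BINARY"          # constructed content of the real file
    with open(p, "wb") as f:
        f.write(legit)
    entry = AllowEntry("tool.exe", d, len(legit), sha256_of(p))
    legit_ok = hash_match(entry, p)       # True: the genuine file passes both checks
    with open(p, "wb") as f:
        f.write(b"X" * len(legit))        # same length, different bytes
    return legit_ok, metadata_match(entry, p), hash_match(entry, p)
```

`demo()` returns `(True, True, False)`: the substitute passes the metadata-only check but fails once the content hash is part of the allowlist record.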