Agnitum Outpost Security Suite Arbitrary Code Execution Vulnerability

A vulnerability allowing local attackers to execute arbitrary code has been identified in Agnitum Outpost Security Suite versions 7.5.3 (3942.608.1810) and 7.6 (3984.693.1842). The issue arises in the proactivity training mode, where the software mistakenly interprets the lock function as permission to allow actions. This flaw has been demonstrated to bypass the application's proactive protection by automating the process of locking the workstation after a program is launched, thereby exploiting the vulnerability.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system.

Reproduction

The vulnerability can be reproduced by setting Agnitum Outpost Security Suite to its maximum proactive protection mode. After inserting a new USB flash drive, the antivirus will prompt for permission to allow access. If the user locks the workstation while the prompt is active, the antivirus interprets this as a permission grant. This can be automated with a batch file that launches a program, waits for a few seconds, and then locks the workstation. Once the system is unlocked, the program will have been allowed to execute, potentially leading to the execution of arbitrary code.

Remediation

Users can upgrade to Agnitum Outpost Security Suite version 8.0 (4164.652.1856), released on December 17, 2012, to address this vulnerability.