📄 الوصف (الإنجليزية)
SAntivirus IC 10.0.21.61 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted executable path to inject malicious files in the service binary path, enabling privilege escalation to system-level permissions.
🤖 ملخص AI
CVE-2020-36980 is a local privilege escalation vulnerability in SAntivirus IC 10.0.21.61 affecting Windows systems through an unquoted service path. Attackers with local access can inject malicious executables into the service path to achieve SYSTEM-level code execution. While no public exploits are available, the vulnerability poses significant risk to organizations running this antivirus solution, particularly in Saudi government and enterprise environments.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: Apr 27, 2026 07:38
🇸🇦 التأثير على المملكة العربية السعودية
This vulnerability primarily impacts Saudi government agencies, financial institutions, and large enterprises using SAntivirus IC. High-risk sectors include: (1) Banking/SAMA-regulated institutions relying on this antivirus for endpoint protection; (2) Government/NCA entities and critical infrastructure operators; (3) Healthcare organizations under MOH oversight; (4) Energy sector including ARAMCO subsidiaries; (5) Telecommunications providers like STC and Mobily. The vulnerability enables insider threats and compromised user accounts to escalate to SYSTEM privileges, potentially bypassing security controls and enabling lateral movement across networks.
🏢 القطاعات السعودية المتأثرة
Banking and Financial Services
Government and Public Administration
Healthcare
Energy and Utilities
Telecommunications
Critical Infrastructure
Large Enterprises
🎯 تقنيات MITRE ATT&CK
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.011 - Boot or Logon Autostart Execution: Services
T1134.003 - Access Token Manipulation: Make and Impersonate Token
T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt
T1574.008 - Hijack Execution Flow: DLL Search Order Hijacking
T1036.005 - Masquerading: Match Legitimate Name or Location
⚖️ درجة المخاطر السعودية (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all systems running SAntivirus IC 10.0.21.61 across your organization
2. Restrict local administrative access and enforce principle of least privilege
3. Monitor Windows Event Viewer for suspicious service path modifications
Patching Guidance:
1. Upgrade SAntivirus IC to version 10.0.21.62 or later immediately
2. Verify service path is properly quoted in Windows Registry (HKLM\SYSTEM\CurrentControlSet\Services)
3. Test patches in non-production environment before enterprise deployment
Compensating Controls (if immediate patching not possible):
1. Implement application whitelisting on affected systems
2. Enable Windows Defender Application Guard for additional isolation
3. Restrict write permissions to service binary directories
4. Deploy Host-based Intrusion Detection System (HIDS) monitoring
Detection Rules:
1. Monitor Registry modifications to service paths: HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath
2. Alert on executable creation in Program Files directories with suspicious names
3. Track process execution from unexpected paths with SYSTEM privileges
4. Monitor for DLL injection attempts targeting antivirus service processes
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تعمل بـ SAntivirus IC 10.0.21.61 في المؤسسة
2. تقييد الوصول الإداري المحلي وفرض مبدأ الامتيازات الأقل
3. مراقبة سجل أحداث Windows للتعديلات المريبة على مسار الخدمة
إرشادات التصحيح:
1. ترقية SAntivirus IC إلى الإصدار 10.0.21.62 أو أحدث فوراً
2. التحقق من أن مسار الخدمة مقتبس بشكل صحيح في سجل Windows
3. اختبار التصحيحات في بيئة غير الإنتاج قبل النشر على مستوى المؤسسة
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تنفيذ قائمة بيضاء للتطبيقات على الأنظمة المتأثرة
2. تفعيل Windows Defender Application Guard للعزل الإضافي
3. تقييد أذونات الكتابة لمجلدات ملفات الخدمة
4. نشر نظام كشف الاختراق المستند إلى المضيف (HIDS)
قواعد الكشف:
1. مراقبة تعديلات السجل لمسارات الخدمة
2. تنبيهات على إنشاء ملفات تنفيذية في مجلدات Program Files بأسماء مريبة
3. تتبع تنفيذ العمليات من مسارات غير متوقعة بامتيازات SYSTEM
4. مراقبة محاولات حقن DLL التي تستهدف عمليات خدمة مكافحة الفيروسات
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Access control policy
A.6.2.1 - User registration and access rights management
A.8.1.1 - Asset management policy
A.12.2.1 - Change management procedures
A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
ID.AM-2 - Software inventory
PR.AC-1 - Access control policy
PR.PT-2 - Protective technology deployment
DE.CM-8 - Vulnerability scans
RS.MI-2 - Incident response procedures
🟡 ISO 27001:2022
A.5.1 - Management direction for information security
A.6.1 - Internal organization
A.8.1 - Asset management
A.12.2 - Change management
A.12.6 - Management of technical vulnerabilities
A.14.2 - Development and support processes
🟣 PCI DSS v4.0.1
Requirement 2.2 - Configuration standards for system components
Requirement 6.2 - Security patches and updates
Requirement 11.2 - Vulnerability scanning