afmtd Exploitable

Mike_Molyneux

Hi.

I'm seeing some servers showing this misconfigutation under 'Security risks' in GravityZone, but other servers aren't....even though the same OS and patch level. I've tried applying some of the workarounds listed for this (CVE-2020-1020) but some servers are still showing. And it's driving me mad. Trying to see if there's any policy differences (or anything else) that are applying to some servers and not others. Any help would be appreciated. thanks

NunesElton

Hello,

I have the same problem, any for help me? I have a active signature of bitdefender gravityzone.

Thanks.

James1984

I have been seeing the same for a few weeks now. I have tried the workarounds also but no luck. Everything is patched.

Mike_Molyneux

I've logged it with support... so will see where this goes!

James1984

> @Mike_Molyneux said:
> I've logged it with support... so will see where this goes!

I have too

Cyber254

I had the same problem. I found out that for all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. Are you running Windows 10? If so, I would ignore the risk. Or use the workaround below at your own risk.

DisableATMFD registry key using a managed deployment script

Please Note: This workaround works for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709.

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

1. Create a text file named ATMFD-disable.reg that contains the following text:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DisableATMFD"=dword:00000001

1. Run regedit.exe.
2. In Registry Editor, click the File menu and then click Import.
3. Navigate to and select the** ATMFD-disable.reg** file that you created in the first step. (Note If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog’s file extension parameters to All Files).
4. Click Open and then click OK to close Registry Editor.
5. Restart the system.

James1984

Problem went away for about a month but now it's back. Anyone else seeing this again?

James1984

As of today 5/19/2022, I am seeing this again. Anyone else?

Gjoksi

@James1984

Since you need help with GravityZone, @Alex_Dr and @Andra_B could take a look here and help you.

Also, you could contact the Bitdefender business support by email here:

https://www.bitdefender.com/support/contact-us.html?last_page=BusinessCategory

Regards.

Alex_Dr

@Mike_Molyneux,

The best course of action in this case is getting in contact with the Enterprise Support team, which you have already done. They will need to perform additional troubleshooting via logs or remote session, if the situation requires, to make sure that your network is not currently exploitable via code attacks.

@James1984 I suggest you follow the same course of action as Mike and keep us posted on this thread with the solution provided by the Enterprise Team so we can have it on hand should there be other users that are encountering this, documented and prepared.

Thank you and keep us posted so we can fix this as soon as possible.

Alex D.