afmtd Exploitable

Hi.

I'm seeing some servers showing this misconfigutation under 'Security risks' in GravityZone, but other servers aren't....even though the same OS and patch level. I've tried applying some of the workarounds listed for this (CVE-2020-1020) but some servers are still showing. And it's driving me mad. Trying to see if there's any policy differences (or anything else) that are applying to some servers and not others. Any help would be appreciated. thanks


Comments

  • Hello,


    I have the same problem, any for help me? I have a active signature of bitdefender gravityzone.

    Thanks.

  • I have been seeing the same for a few weeks now. I have tried the workarounds also but no luck. Everything is patched.
  • I've logged it with support... so will see where this goes!

  • > @Mike_Molyneux said:
    > I've logged it with support... so will see where this goes!

    I have too
  • I had the same problem. I found out that for all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. Are you running Windows 10? If so, I would ignore the risk. Or use the workaround below at your own risk.

    DisableATMFD registry key using a managed deployment ******

    Please Note: This workaround works for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows 8.1. ATMFD.DLL is not present in Windows 10 installations starting with Windows 10, version 1709.

    Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

    1. Create a text file named ATMFD-disable.reg that contains the following text:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DisableATMFD"=dword:00000001
    
    1. Run regedit.exe.
    2. In Registry Editor, click the File menu and then click Import.
    3. Navigate to and select the** ATMFD-disable.reg** file that you created in the first step. (Note If your file is not listed where you expect it to be, ensure that it has not been automatically given a .txt file extension, or change the dialog’s file extension parameters to All Files).
    4. Click Open and then click OK to close Registry Editor.
    5. Restart the system.


  • Problem went away for about a month but now it's back. Anyone else seeing this again?
  • As of today 5/19/2022, I am seeing this again. Anyone else?

  • Gjoksi
    Gjoksi DEFENDER OF THE YEAR 2022 / DEFENDER OF THE MONTH ✭✭✭✭✭

    @James1984

    Since you need help with GravityZone, @Alex_Dr and @Andra_B could take a look here and help you.

    Also, you could contact the Bitdefender business support by email here:

    https://www.bitdefender.com/support/contact-us.html?last_page=BusinessCategory

    Regards.

  • Alex_Dr
    Alex_Dr Quality & Customer Experience Specialist BD Staff

    @Mike_Molyneux,


    The best course of action in this case is getting in contact with the Enterprise Support team, which you have already done. They will need to perform additional troubleshooting via logs or remote session, if the situation requires, to make sure that your network is not currently exploitable via code attacks.

    @James1984 I suggest you follow the same course of action as Mike and keep us posted on this thread with the solution provided by the Enterprise Team so we can have it on hand should there be other users that are encountering this, documented and prepared.


    Thank you and keep us posted so we can fix this as soon as possible.

    Alex D.

  • I am seeing this too on 2023. Servers fully patched! What can be done?

  • Rlopez_bit
    edited March 2023

    I have too the same problem, my servers are fully patched

  • Almost a year now since my first post and I am still seeing this.

  • Alex_Dr
    Alex_Dr Quality & Customer Experience Specialist BD Staff

    Hello @James1984 ,

    Have you tried getting in contact with the enterprise support team regarding this? If so, can you please provide a case number so I can follow-up and check status of case?


    Best regards,

    Alex D.