Researchers have discovered a serious remote code execution vulnerability affecting products from Kaspersky Lab. The cybersecurity firm pushed out a patch to customers in early April.
Severe security flaws have been discovered in Kaspersky’s Anti-Virus File Server software.
On Wednesday, CoreLabs, the security arm of Core Security, issued a public advisory relating to a number of security problems in Kaspersky Anti-Virus for Linux File Server 22.214.171.1247.
The antivirus software, certified as VMware Ready and able to support current versions of FreeBSD, is designed to protect workstations and file servers in complex networks from traditional cyberthreats.
There are four vulnerabilities in total; a cross-site scripting bug, a cross-site request forgery flaw, improper privilege management and improper limits set on pathnames to restricted directories, leading to the bypass of security protocols, information leaks, and remote code execution.
The first issue, a cross-site scripting bug (CVE-2017-9813), occurs as the software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users — in particular, a feature allows configuring shell scripts to be executed when certain events occur.
If exploited, information stored in user cookies can be leaked, and if malicious scripts are loaded, it may be possible to remotely execute code on victim systems.
The scriptName parameter of the licenseKeyInfo action method is particularly vulnerable.
The second security flaw, CVE-2017-9810, is a cross-site request forgery issue which is caused by a lack of sufficient verification, due to there being no anti-CSRF tokens in any forms on the web interface.
When a web server receives requests, without this verification, malicious instructions can be sent, resulting in anything from hijacking sessions, data theft, or the launch of attacks against other products, depending on the user’s level of privilege.
The third vulnerability, CVE-2017-9811, relates to improper privilege management. According to the team, “the kluser is able to interact with the kav4fs-control binary [and] by abusing the quarantine read and write operations, it is possible to elevate the privileges to root.”
The final bug reported to Kaspersky, CVE-2017-9812, occurs due to the improper handling of a pathname to a restricted directory. In particular, the software’s reportId parameter of the getReportStatus action method can be abused to read arbitrary files with kluser privileges.
All the vulnerabilities are both locally and remotely exploitable, according to CoreLabs, which provided proof-of-concept (PoC) code in the advisory.
In addition, the bugs may impact other products and other versions of the server software, but the team have not tested them.
CoreLabs first made the Russian antivirus provider aware of the bugs back in April. The company then replicated the exploits and created a patch to resolve the issues, which was issued on 14 June.
Kaspersky’s advisory was also made public last week.
EHR Vendor Slapped With HIPAA FineInvestigation Came in Wake of Cyberattack That Affected Millions Federal regulators have smacked a cloud-based electronics health records vendor with a $100,000 HIPAA settlement in the wake of a 2015 cyberattack that affected millions...
‘BlueKeep’ Windows Remote Desktop flaw gets PoC exploitsMultiple researchers created proof-of-concept exploits, including remote code execution attacks, targeting the recently patched Windows Remote Desktop flaw called BlueKeep. Microsoft patched a...
Database with millions of Instagram influencers’ info leaked onlineThe leaked database was discovered on Shodan on May 14th. A huge online database containing private contact information including phone numbers and email IDs of roughly 50 million Instagram profiles...
Stay Up to Date With The Latest News & Updates
Join Our Newsletter
Get weekly tech updates and immediate alerts when there is a zero-day or security issue!