Researchers have discovered a serious remote code execution vulnerability affecting products from Kaspersky Lab. The cybersecurity firm pushed out a patch to customers in early April.
Severe security flaws have been discovered in Kaspersky’s Anti-Virus File Server software.
On Wednesday, CoreLabs, the security arm of Core Security, issued a public advisory relating to a number of security problems in Kaspersky Anti-Virus for Linux File Server 220.127.116.117.
The antivirus software, certified as VMware Ready and able to support current versions of FreeBSD, is designed to protect workstations and file servers in complex networks from traditional cyberthreats.
There are four vulnerabilities in total: a cross-site scripting bug, a cross-site request forgery flaw, improper privilege management, and improper limitation of pathnames to a restricted directory (path traversal). Together they allow security controls to be bypassed and lead to information leaks and remote code execution.
The first issue, a cross-site scripting bug (CVE-2017-9813), occurs because the software fails to neutralize, or incorrectly neutralizes, user-controllable input before placing it in output that is served as a web page to other users; in particular, a feature allows shell scripts to be configured for execution when certain events occur.
If exploited, information stored in user cookies can be leaked, and if malicious scripts are loaded, it may be possible to remotely execute code on victim systems.
The scriptName parameter of the licenseKeyInfo action method is particularly vulnerable.
The second security flaw, CVE-2017-9810, is a cross-site request forgery issue caused by insufficient request verification: none of the forms in the web interface carry anti-CSRF tokens.
Without this verification, the web server cannot distinguish a forged request from a legitimate one, so malicious instructions can be submitted on the user's behalf, resulting in anything from session hijacking and data theft to attacks launched against other products, depending on the user's level of privilege.
The third vulnerability, CVE-2017-9811, relates to improper privilege management. According to the team, “the kluser is able to interact with the kav4fs-control binary [and] by abusing the quarantine read and write operations, it is possible to elevate the privileges to root.”
The final bug reported to Kaspersky, CVE-2017-9812, is caused by improper handling of a pathname to a restricted directory. In particular, the reportId parameter of the software's getReportStatus action method can be abused to read arbitrary files with kluser privileges.
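As an added illustration of the restricted-directory flaw described above (not code from the advisory or from Kaspersky's product), the snippet below contrasts a naive way of turning a report identifier into a file path with a hardened version that allow-lists the identifier and checks that the normalised path stays under the report directory, plus a small check a defender could run over logged parameter values. The directory path, file suffix and function names are assumptions.

```python
import os
import re
import urllib.parse

# Hypothetical restricted directory standing in for the product's report store;
# the advisory summarised on the page does not give the real path.
REPORTS_DIR = "/var/opt/kav/reports"


def report_path_unsafe(report_id: str) -> str:
    """Vulnerable pattern: the user-controlled id is joined straight into the path.
    An id such as '../../../../etc/passwd' walks out of REPORTS_DIR."""
    return os.path.join(REPORTS_DIR, report_id)


def escapes_restricted_dir(path: str, root: str = REPORTS_DIR) -> bool:
    """True when, after collapsing '.' and '..' segments, the path no longer
    lies under root (an absolute id also replaces root in os.path.join)."""
    norm = os.path.normpath(path)
    root = os.path.normpath(root)
    return os.path.commonpath([root, norm]) != root


def report_path_safe(report_id: str) -> str:
    """Hardened pattern: accept only a narrow identifier shape, build the path
    from it, and still verify containment as a second line of defence."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", report_id):
        raise ValueError("rejected report id: %r" % report_id)
    path = os.path.join(REPORTS_DIR, report_id + ".log")  # assumed suffix
    if escapes_restricted_dir(path):
        raise ValueError("path escapes report directory")
    return path


def flag_traversal_attempt(raw_param: str) -> bool:
    """Detection helper for a logged query-string value: URL-decode twice to
    catch double encoding, then look for parent-directory segments or an
    absolute path in the decoded value."""
    decoded = urllib.parse.unquote(urllib.parse.unquote(raw_param))
    segments = decoded.replace("\\", "/").split("/")
    return decoded.startswith("/") or ".." in segments


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    for rid in ("report-42", "../../../../etc/passwd"):
        print(rid, "->", report_path_unsafe(rid),
              "escapes" if escapes_restricted_dir(report_path_unsafe(rid)) else "contained")
```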
All the vulnerabilities are both locally and remotely exploitable, according to CoreLabs, which provided proof-of-concept (PoC) code in the advisory.
In addition, the bugs may affect other products and other versions of the server software, but the team has not tested them.
CoreLabs first made the Russian antivirus provider aware of the bugs back in April. The company then replicated the exploits and created a patch to resolve the issues, which was issued on 14 June.
Kaspersky’s advisory was also made public last week.