Researchers have disclosed a set of vulnerabilities in Kaspersky Lab's Anti-Virus for Linux File Server, including flaws that lead to remote code execution. The cybersecurity firm was notified in April and pushed out a patch to customers on 14 June.
Severe security flaws have been discovered in Kaspersky’s Anti-Virus File Server software.
On Wednesday, CoreLabs, the security arm of Core Security, issued a public advisory relating to a number of security problems in Kaspersky Anti-Virus for Linux File Server 126.96.36.1997.
The antivirus software, certified as VMware Ready and able to support current versions of FreeBSD, is designed to protect workstations and file servers in complex networks from traditional cyberthreats.
There are four vulnerabilities in total: a cross-site scripting bug, a cross-site request forgery flaw, improper privilege management, and improper limitation of a pathname to a restricted directory (path traversal). Together they allow security controls to be bypassed, information to be leaked, and code to be executed remotely.
The first issue, a cross-site scripting bug (CVE-2017-9813), occurs because the software fails to neutralize user-controllable input before placing it in a web page that is served to other users. The impact is aggravated by a feature of the same web interface that lets an administrator configure shell scripts to be executed when certain events occur.
If exploited, attacker-supplied script runs in the victim's browser within the victim's authenticated session: information stored in cookies can be leaked, and because that session can register shell scripts to run on events, the injected script may be used to execute code on the server.
The scriptName parameter of the licenseKeyInfo action method is particularly vulnerable.
The second security flaw, CVE-2017-9810, is a cross-site request forgery issue caused by insufficient verification of where a request originated: none of the forms on the web interface carries an anti-CSRF token.
Without this verification, a malicious page visited by an authenticated user can make that user's browser submit requests the server cannot distinguish from legitimate ones, resulting in anything from session hijacking and data theft to the launch of attacks against other products, depending on the user's level of privilege.
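The two web-interface bugs above share a fix pattern: bind an anti-CSRF token to the session and verify it on every state-changing request, and HTML-escape any parameter echoed back into a page. The following is an added example written for this article, not code from Kaspersky or from the CoreLabs advisory; the handler name, the session-id/token scheme and the request shapes are assumptions chosen to mirror the described licenseKeyInfo action and its scriptName parameter.

```python
import hashlib
import hmac
import html
import secrets
from typing import Optional, Tuple

# Hypothetical server-side secret (constructed here; a real deployment would
# load it from protected configuration and rotate it).
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session anti-CSRF token as HMAC(secret, session_id).

    A cross-site page can make the victim's browser attach the session cookie
    automatically, but it cannot read this token, so a forged form cannot
    include a valid one.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, presented: Optional[str]) -> bool:
    """Constant-time comparison; a missing token is always rejected."""
    if not presented:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), presented)


def render_unsafe(script_name: str) -> str:
    """Vulnerable rendering: the parameter is echoed verbatim into the page."""
    return "<p>Script: " + script_name + "</p>"


def render_safe(script_name: str) -> str:
    """Hardened rendering: HTML-escape before placing input into HTML text."""
    return "<p>Script: " + html.escape(script_name, quote=True) + "</p>"


def handle_license_key_info(session_id: str, form: dict) -> Tuple[int, str]:
    """Hypothetical handler for a licenseKeyInfo-style action.

    Returns (HTTP status, body). Rejects requests without a valid CSRF token
    before touching any state, then renders the escaped scriptName.
    """
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    script_name = form.get("scriptName", "")
    return 200, render_safe(script_name)


if __name__ == "__main__":
    sid = "session-abc123"                      # constructed session id
    legit = {"scriptName": "on_event.sh", "csrf_token": csrf_token_for(sid)}
    forged = {"scriptName": "evil.sh"}          # cross-site form: no token
    xss = {"scriptName": "<script>alert(document.cookie)</script>",
           "csrf_token": csrf_token_for(sid)}
    for req in (legit, forged, xss):
        print(handle_license_key_info(sid, req))
```

The forged request is refused even though, in a browser, it would have carried the victim's session cookie; the XSS payload is accepted as data but rendered inert. The unescaped `render_unsafe` is kept only to show the difference.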
The third vulnerability, CVE-2017-9811, relates to improper privilege management. According to the team, “the kluser is able to interact with the kav4fs-control binary [and] by abusing the quarantine read and write operations, it is possible to elevate the privileges to root.”
The final bug reported to Kaspersky, CVE-2017-9812, occurs due to improper limitation of a pathname to a restricted directory (path traversal). In particular, the reportId parameter of the getReportStatus action method can be abused to read arbitrary files with kluser privileges.
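The defence for a reportId-style parameter is to never build a path from it directly: restrict the identifier to an allowlisted character set, resolve the result to a canonical path, and require that the canonical path still lies inside the reports directory. The example below is added for this article and is not Kaspersky's or CoreLabs' code; the directory layout, the identifier format and the function names are assumptions. It includes a symlink case to show why the allowlist alone is not enough.

```python
import os
import re
import tempfile

# Assumed report identifier format: no separators, no dots, bounded length.
REPORT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class ReportAccessError(Exception):
    """Raised when an untrusted reportId cannot be mapped to a permitted file."""


def resolve_report_path(reports_dir: str, report_id: str) -> str:
    """Map an untrusted reportId to a file strictly inside reports_dir."""
    if not REPORT_ID_RE.fullmatch(report_id):
        raise ReportAccessError("reportId fails allowlist")
    base = os.path.realpath(reports_dir)
    # realpath collapses '..' and follows symlinks, so the containment check
    # below sees where the open() would really land.
    candidate = os.path.realpath(os.path.join(base, report_id))
    if os.path.commonpath([base, candidate]) != base:
        raise ReportAccessError("path escapes reports directory")
    return candidate


def read_report_unsafe(reports_dir: str, report_id: str) -> str:
    """Vulnerable pattern: concatenate the parameter onto the directory."""
    with open(os.path.join(reports_dir, report_id)) as f:
        return f.read()


def read_report(reports_dir: str, report_id: str) -> str:
    """Hardened reader: only opens what resolve_report_path approves."""
    with open(resolve_report_path(reports_dir, report_id)) as f:
        return f.read()


def demo() -> dict:
    """Build a throwaway layout (constructed data) and exercise both readers."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        reports = os.path.join(root, "reports")
        os.mkdir(reports)
        secret = os.path.join(root, "secret.txt")   # file outside reports/
        with open(secret, "w") as f:
            f.write("SECRET")
        with open(os.path.join(reports, "r1"), "w") as f:
            f.write("report one")
        # A symlink inside reports/ pointing outside: passes a naive allowlist,
        # caught only by the realpath containment check.
        os.symlink(secret, os.path.join(reports, "link"))

        results["legit"] = read_report(reports, "r1")
        results["unsafe_traversal"] = read_report_unsafe(reports, "../secret.txt")
        for rid in ("../secret.txt", "r1/../../secret.txt", "link", ""):
            try:
                read_report(reports, rid)
                results[rid] = "allowed"
            except ReportAccessError:
                results[rid] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(repr(key), "->", value)
```

Checking the canonical path rather than the raw string is what stops the symlink case; rejecting any identifier that contains a path separator or dot stops the classic `../` form before a filesystem call is even made.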
All the vulnerabilities are both locally and remotely exploitable, according to CoreLabs, which provided proof-of-concept (PoC) code in the advisory. Note that the privilege escalation starts from the kluser account, which the web-facing bugs can provide: the path traversal reads files as kluser, and the script-execution feature reachable through XSS or CSRF runs as that user.
In addition, the bugs may impact other products and other versions of the server software, but the team has not tested them.
CoreLabs first made the Russian antivirus provider aware of the bugs back in April. The company then replicated the exploits and created a patch to resolve the issues, which was issued on 14 June.
Kaspersky’s advisory was also made public last week.