Remote Code Execution Flaw Found in Kaspersky Products

May 13, 2019

Researchers have disclosed a set of vulnerabilities in a Kaspersky Lab product that can be chained to remote code execution. Kaspersky has since shipped a patch to customers.

Severe security flaws have been discovered in Kaspersky’s Anti-Virus File Server software.

On Wednesday, CoreLabs, the security arm of Core Security, issued a public advisory relating to a number of security problems in Kaspersky Anti-Virus for Linux File Server 8.0.3.297.

The antivirus software, certified as VMware Ready and able to support current versions of FreeBSD, is designed to protect workstations and file servers in complex networks from traditional cyberthreats.

There are four vulnerabilities in total: a cross-site scripting bug, a cross-site request forgery flaw, improper privilege management, and a path traversal issue (improper limitation of a pathname to a restricted directory). Together they allow security bypass, information leakage, and remote code execution.

The first issue, a cross-site scripting bug (CVE-2017-9813), occurs because the software does not neutralize, or incorrectly neutralizes, user-controllable input before placing it in a web page served to other users. The scriptName parameter of the licenseKeyInfo action method is the affected input.

If exploited, information stored in user cookies can be leaked. The severity comes from a product feature that allows configuring shell scripts to be executed when certain events occur: a malicious script loaded into an administrator's session can use that feature to execute code on the victim system.

The second security flaw, CVE-2017-9810, is a cross-site request forgery issue caused by insufficient request verification: none of the forms in the web interface carry anti-CSRF tokens.

Without such a token, a web page under the attacker's control can make an authenticated administrator's browser submit state-changing requests to the interface using the administrator's existing session. Depending on that user's level of privilege, the result can range from session hijacking and data theft to attacks against other products.
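The two web-interface weaknesses above (reflected output that is not neutralized, and state-changing forms with no anti-CSRF token) can be modelled in a few lines. The following is an added illustration written for this page, not Kaspersky code and not taken from the CoreLabs advisory: the request format, session store, handler names and the hypothetical "event script" setting are all constructed here so that the vulnerable and hardened behaviours can be compared side by side.

```python
"""Added illustration (not Kaspersky's code): a toy web-UI handler that
reflects a user-controlled 'scriptName' value and accepts a state-changing
POST, first without and then with the two missing controls named in the
advisory: output escaping and a per-session anti-CSRF token."""
import html
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request to the web interface."""
    method: str
    session_id: str                 # value of the session cookie
    params: dict = field(default_factory=dict)
    # Origin of the page that issued the request, as a browser's Origin
    # header would carry it; a forged request comes from the attacker's site.
    origin: str = "https://fileserver.example"


# Server-side session store: session id -> session state (constructed).
SESSIONS = {}
TRUSTED_ORIGIN = "https://fileserver.example"


def new_session() -> str:
    """Create a logged-in admin session with a random anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": "admin", "csrf_token": secrets.token_urlsafe(32)}
    return sid


# --- Output encoding (the CVE-2017-9813 pattern) ---

def render_script_name_vulnerable(script_name: str) -> str:
    """Reflects the parameter into HTML with no neutralisation."""
    return f"<td>Script: {script_name}</td>"


def render_script_name_hardened(script_name: str) -> str:
    """Escapes <, >, &, and quotes before the value lands in HTML text."""
    return f"<td>Script: {html.escape(script_name, quote=True)}</td>"


def contains_active_markup(page: str) -> bool:
    """Crude check: did a <script> tag survive into the rendered page?"""
    return "<script" in page.lower()


# --- Anti-CSRF check (the CVE-2017-9810 pattern) ---

def set_event_script_vulnerable(req: Request) -> bool:
    """Accepts any POST that carries a valid session cookie."""
    session = SESSIONS.get(req.session_id)
    if req.method != "POST" or session is None:
        return False
    session["event_script"] = req.params.get("scriptName", "")
    return True


def set_event_script_hardened(req: Request) -> bool:
    """Also requires the per-session token, which an attacker's page
    cannot read, and rejects cross-origin requests as defence in depth."""
    session = SESSIONS.get(req.session_id)
    if req.method != "POST" or session is None:
        return False
    submitted = req.params.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return False
    if req.origin != TRUSTED_ORIGIN:
        return False
    session["event_script"] = req.params.get("scriptName", "")
    return True


def forged_request(sid: str) -> Request:
    """What a malicious page visited by the logged-in admin can trigger:
    the browser attaches the session cookie, but the page does not know
    the token and its Origin is the attacker's site."""
    return Request("POST", sid, {"scriptName": "/tmp/evil.sh"},
                   origin="https://attacker.example")


def legitimate_request(sid: str) -> Request:
    """A request from the real UI, which embeds the token in its form."""
    return Request("POST", sid, {"scriptName": "/opt/scripts/notify.sh",
                                 "csrf_token": SESSIONS[sid]["csrf_token"]})
```

The forged request succeeds against the vulnerable handler because the cookie alone authenticates it; the hardened handler fails it on the token check before the Origin check is even reached. Note that the token comparison uses `hmac.compare_digest` to avoid a timing side channel on the token value.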

The third vulnerability, CVE-2017-9811, relates to improper privilege management. According to the team, “the kluser is able to interact with the kav4fs-control binary [and] by abusing the quarantine read and write operations, it is possible to elevate the privileges to root.”

The final bug reported to Kaspersky, CVE-2017-9812, is a path traversal: the reportId parameter of the getReportStatus action method is not confined to the reports directory, so it can be abused to read arbitrary files with kluser privileges.
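To show the traversal pattern concretely, here is an added example (not Kaspersky's code, and not the advisory's proof of concept): a hypothetical report-lookup function that joins an untrusted identifier onto a reports directory, beside a hardened version that allow-lists the identifier and confirms the resolved path stays inside that directory. The directory layout, file names and contents are constructed in a temporary directory so the block runs offline.

```python
"""Added illustration (not Kaspersky's code): a report lookup that builds a
file path from an untrusted 'reportId', and a hardened variant. Files and
directories are constructed in a temp dir for the demo."""
import os
import re
import tempfile

# Allow-list for identifiers: no slashes, no dots, bounded length.
REPORT_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def read_report_vulnerable(reports_dir: str, report_id: str) -> str:
    """Joins the raw parameter onto the base dir; '..' walks out of it."""
    path = os.path.join(reports_dir, report_id)
    with open(path, encoding="utf-8") as f:
        return f.read()


def read_report_hardened(reports_dir: str, report_id: str) -> str:
    """Validate the identifier, then check the fully resolved path (after
    symlink resolution) is still under the resolved reports directory."""
    if not REPORT_ID_RE.fullmatch(report_id):
        raise ValueError("invalid report id")
    base = os.path.realpath(reports_dir)
    path = os.path.realpath(os.path.join(base, report_id))
    if os.path.commonpath([base, path]) != base:
        raise PermissionError("path escapes reports directory")
    with open(path, encoding="utf-8") as f:
        return f.read()


def build_fixture():
    """Constructed layout: <root>/reports/42 is a legitimate report and
    <root>/etc/secret is a sensitive file readable by the process user.
    A symlink inside reports/ pointing outside it shows why the check
    must run on realpath() output rather than on the lexical string."""
    root = tempfile.mkdtemp()
    reports = os.path.join(root, "reports")
    os.makedirs(reports)
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(reports, "42"), "w", encoding="utf-8") as f:
        f.write("report 42: clean")
    with open(os.path.join(root, "etc", "secret"), "w", encoding="utf-8") as f:
        f.write("db_password=hunter2")
    os.symlink(os.path.join(root, "etc", "secret"),
               os.path.join(reports, "link"))
    return root, reports


def demo() -> dict:
    """Run both variants against a normal id, a '../' id and a symlink."""
    _root, reports = build_fixture()
    traversal = "../etc/secret"
    results = {
        "legit_vuln": read_report_vulnerable(reports, "42"),
        "traversal_vuln": read_report_vulnerable(reports, traversal),
        "legit_hardened": read_report_hardened(reports, "42"),
    }
    for bad in (traversal, "link"):
        try:
            read_report_hardened(reports, bad)
            results[bad] = "ALLOWED"
        except (ValueError, PermissionError) as exc:
            results[bad] = type(exc).__name__
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function happily returns the contents of `etc/secret` for the traversal identifier. The hardened version rejects it at the allow-list, and rejects the symlink (which passes the allow-list) because `realpath` resolves it to a location outside the base directory. Whatever the web process runs as, here the kluser account, is the ceiling on what such a read can reach, which is why the advisory frames the impact as arbitrary file read with kluser privileges.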

All the vulnerabilities are both locally and remotely exploitable, according to CoreLabs, which provided proof-of-concept (PoC) code in the advisory.

In addition, the bugs may affect other products and other versions of the server software, but the team has not tested them.

CoreLabs first made the Russian antivirus provider aware of the bugs back in April. The company then replicated the exploits and created a patch to resolve the issues, which was issued on 14 June.

Kaspersky’s advisory was also made public last week.
