
====================================================================

                             CERT-Renater

                 Information Note No. 2019/VULN377

_____________________________________________________________________

DATE                : 04/12/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kaspersky Secure Connection,
                     Kaspersky Internet Security,
                     Kaspersky Total Security, Kaspersky Security Cloud,
                     Kaspersky Password Manager, Kaspersky Anti-Virus,
                     Kaspersky Free Anti-Virus,
                     Kaspersky Small Office Security,
                     Kaspersky Protection extension for Google Chrome.

=====================================================================
https://support.kaspersky.com/general/vulnerability.aspx?el=12430#021219
https://support.kaspersky.com/general/vulnerability.aspx?el=12430#251119_2
https://support.kaspersky.com/general/vulnerability.aspx?el=12430#251119_1
_____________________________________________________________________

Advisory issued on 2nd December, 2019

Description

Kaspersky has fixed a security issue, CVE-2019-15689, found in Kaspersky
Secure Connection 4.0 (2020). One of the product's executable files was
susceptible to a DLL hijacking attack that could potentially allow
third parties to locally execute arbitrary code in its process context.
The severity of the issue was assessed as low, because an attacker must
have administrator privileges to drop a malicious DLL file into the
product's folder. The issue does not provide privilege escalation.

Issue category: DLL hijacking. Issue type: Arbitrary Code Execution.

We have also fixed three bugs in one of the anti-virus (AV) engine
components, the one responsible for handling ZIP archives. The fix
corrects the component's behaviour when scanning specially crafted ZIP
archives. These malformed archives could be used to circumvent our
antivirus scan process. The bugs affected Kaspersky products with
antivirus databases.


List of affected products

The issue affected the Secure Connection product and the consumer
products in which it is incorporated:

    Kaspersky Secure Connection prior to version 4.0 (2020) patch E.
    Kaspersky Internet Security prior to version 2020 patch E.
    Kaspersky Total Security prior to version 2020 patch E.
    Kaspersky Security Cloud prior to version 2020 patch E.


Fixed versions

    Kaspersky Secure Connection 4.0 (2020) patch E.
    Kaspersky Internet Security 2020 patch E.
    Kaspersky Total Security 2020 patch E.
    Kaspersky Security Cloud 2020 patch E.

We recommend that users install these updates. Our products have an
automatic update procedure that makes receiving updates easier. A
product restart is required to apply these updates. In addition, to
eliminate the antivirus engine bugs mentioned above, the antivirus
databases must be updated to the latest version, which is done
automatically during the auto-update procedure.


Acknowledgements

We would like to thank the following researchers who discovered the
issues and responsibly reported them:

    Peleg Hadar from SafeBreach for reporting DLL hijacking in Secure
    Connection.

    Thierry Zoller for reporting bugs in antivirus engine.

_____________________________________________________________________


Advisory issued on 25th November, 2019

Description

Kaspersky Lab has fixed a security issue found by Wladimir Palant in
Kaspersky Password Manager that could potentially lead to remote
unauthorized access by third parties to information about address items
stored in the vault while it is in an unlocked state. No other data in
the vault could be compromised.

Issue category: Data Leakage. Issue type: Information Disclosure.

To exploit this issue, an attacker would need to lure a user into
visiting a specially crafted web page.


List of affected products

Kaspersky Password Manager for Windows 9.1.


Fixed versions

Kaspersky Password Manager for Windows 9.2.


We recommend that our users migrate to the new version of the product.


Acknowledgements

We would like to thank researcher Wladimir Palant who discovered the
issue and reported it to us.

_____________________________________________________________________


Advisory issued on 25th November, 2019

Description

Kaspersky has fixed the following security problems in the Anti-Virus
product family for Windows:

    [1] The Kaspersky Protection extension for the Google Chrome web
        browser was vulnerable to remote unauthorized access to its
        features, which could lead to the removal of other installed
        extensions. The severity of this issue was assessed as medium,
        because the user has to confirm deletion of the extension in
        Chrome's warning menu. Issue category: Unauthorized Command
        Execution. Issue type: Bypass. [CVE-2019-15684]
    [2] Due to a bug in its implementation, the web protection component
        potentially allowed an attacker to remotely disable product
        security features such as private browsing and anti-banner.
        Issue category: Unauthorized Command Execution. Issue type:
        Bypass. [CVE-2019-15685]
    [3] Due to a bug in its implementation, the web protection component
        potentially allowed an attacker to remotely disable various
        anti-virus protection features. The severity of this issue was
        assessed as high, because an attacker can terminate the product
        service process. Issue category: Unauthorized Command Execution.
        Issue type: DoS, Bypass. [CVE-2019-15686]
    [4] The web protection component was vulnerable to remote disclosure
        of some information about the user's system to third parties
        (e.g. Windows version and version of the product, unique ID).
        Issue category: Data Leakage. Issue type: Information
        Disclosure. [CVE-2019-15687]
    [5] The web protection component did not adequately inform the user
        about the threat of redirecting to an untrusted site. Issue
        category: Security Bypass. Issue type: Bypass. [CVE-2019-15688]

The web protection component was additionally improved to prevent third
parties from calculating the unique product ID remotely (privacy
hardening) [6].

To exploit any of the issues mentioned above, an attacker would need to
lure a user into visiting a specially crafted web page.

List of affected products

    Kaspersky Anti-Virus up to 2020
    Kaspersky Internet Security up to 2020
    Kaspersky Total Security up to 2020
    Kaspersky Free Anti-Virus up to 2020
    Kaspersky Small Office Security up to 7
    Kaspersky Security Cloud up to 2020
    Kaspersky Protection extension for Google Chrome prior to 30.112.62.0


Fixed versions

    Kaspersky Anti-Virus 2019 Patch I, Patch J
    Kaspersky Internet Security 2019 Patch I, Patch J
    Kaspersky Total Security 2019 Patch I, Patch J
    Kaspersky Free Anti-Virus 2019 Patch I, Patch J
    Kaspersky Small Office Security 6 Patch I, Patch J
    Kaspersky Security Cloud 2019 Patch I, Patch J
    Kaspersky Protection extension for Google Chrome 20.0.543.1418 as
    part of 2019 Patch I

    Kaspersky Anti-Virus 2020 Patch E, Patch F
    Kaspersky Internet Security 2020 Patch E, Patch F
    Kaspersky Total Security 2020 Patch E, Patch F
    Kaspersky Free Anti-Virus 2020 Patch E, Patch F
    Kaspersky Small Office Security 7 Patch E, Patch F
    Kaspersky Security Cloud 2020 Patch E, Patch F
    Kaspersky Protection extension for Google Chrome 30.112.62.0 as
    part of 2020 Patch E

We recommend that users check their product version and install the
updates. Our products have an automatic update procedure that makes
receiving updates easier, and most users have already been updated. A
reboot may be required to apply these updates.


Acknowledgements

We would like to thank the following researchers who discovered the
issues and responsibly reported them:

    Wladimir Palant ([1],[2],[3],[4],[5],[6])
    Mohamed Ouad ([1])



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


