=====================================================================
CERT-Renater Note d'Information No. 2021/VULN634
_____________________________________________________________________

DATE                 : 30/11/2021

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Kaspersky VPN Secure Connection
                       versions prior to 21.3, Kaspersky Anti-Virus
                       versions prior to 21.3, Kaspersky Internet
                       Security versions prior to 21.3, Kaspersky Total
                       Security versions prior to 21.3, Kaspersky Small
                       Office Security versions prior to 21.3, Kaspersky
                       Security Cloud versions prior to 21.3, Kaspersky
                       Password Manager versions prior to 9.0.2 Patch R.
=====================================================================

Source: https://support.kaspersky.com/general/vulnerability.aspx?el=12430#221121
_____________________________________________________________________

Advisory issued on November 22, 2021

Description

Kaspersky has fixed the following security problems in consumer
products for Windows:

[1] The installer of Kaspersky VPN Secure Connection was vulnerable to
    arbitrary file deletion. It could allow an attacker to delete any
    file during the installation procedure.

[2] The installers of the Kaspersky Anti-Virus product family were
    vulnerable to loading of a specially crafted XML file during the
    installation procedure.

[3] A component in Kaspersky Password Manager could allow an attacker
    to elevate a process Integrity level from Medium to High
    (CVE-2021-35052).

List of affected products

  Kaspersky VPN Secure Connection prior to 21.3           [1]
  Kaspersky Anti-Virus prior to 21.3                      [2]
  Kaspersky Internet Security prior to 21.3               [1, 2]
  Kaspersky Total Security prior to 21.3                  [1, 2]
  Kaspersky Small Office Security prior to 21.3           [2]
  Kaspersky Security Cloud prior to 21.3                  [1, 2]
  Kaspersky Password Manager prior to 9.0.2 Patch R       [3]

Fixed versions

  Kaspersky VPN Secure Connection 21.3                    [1]
  Kaspersky Anti-Virus 21.3                               [2]
  Kaspersky Internet Security 21.3                        [1, 2]
  Kaspersky Total Security 21.3                           [1, 2]
  Kaspersky Small Office Security 21.3                    [2]
  Kaspersky Security Cloud 21.3                           [1, 2]
  Kaspersky Password Manager 9.0.2 Patch R                [3]

We recommend that our users check the application version and install
the latest updates. Our home products support an automatic updating
procedure to make the process of receiving updates easier.

Acknowledgements

We would like to thank the following researchers who discovered the
issues and responsibly reported them:

  - Mohammed Shameem Shahnawaz, who discovered issues 1 and 2 and
    reported them to us.
  - Abdelhamid Naceri, working with Trend Micro Zero Day Initiative,
    who discovered issue 3 and reported it to us.

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================