Kaspersky Security Bug Caused Some ErrorsTime: Dec. 19, 2019
A security issue discovered in Kaspersky Secure Connection and found in several other Kaspersky security products allows a malicious actor to receive signed code execution, persistence and even forgery in case of more complex attacks.
The vulnerability described in CVE-2019-15689 allows hackers to execute an unsigned executable from a signed version that starts as NT AUTHORITY / SYSTEM and technically opens the door to new malicious activities on the compromised device.
SafeBreach declares that Kaspersky Secure Connection, which is included in Kaspersky Antivirus, Kaspersky Internet Security, Kaspersky Total Security and other packages, uses a service executed with SYSTEM privileges and whose executable is signed by "AO Kaspersly Lab".
If the attacker finds a way to execute code in this process, it can be used to skip the white list of applications, which security products can skip.
And since the service runs at startup, a potential attacker can persist even during startup to execute a malicious load.
Extensive analysis has shown that the Kaspersky service is trying to load a series of DLL files, some of which are missing. Since the security software does not use signature verification, it was easy to hide an unsigned executable as signed. In addition, the Kaspersky service does not use secure DLL loading, that is, it uses only the name of the DLL file and not an absolute path.
SafeBreach, which has also discovered security holes in other security products, explains that the attacker must have administrator rights on the target device.
The error was reported to Kaspersky in July 2019 and the security company launched CVE-2019-15689 on November 21.
Antivirus software will inevitably have some bugs, and Kaspersky is no exception. Nevertheless, Kaspersky is still an excellent and well-reviewed antivirus software, such as Kaspersky Total Security, which is available on bzfuture.