Description

Kaspersky team has fixed three security issues in the installers of Kaspersky products for home, the Kavremover tool, and Kaspersky Endpoint Security.

• Two reported issues relate to two executables from the products’ installers that could be utilized separately from the product. This security issue allowed an attacker to legitimately run a third-party executable in the context of the installation process. We access the severity of these issues as Low.
• The third issue allowed an attacker to unnoticeably run an adversarial executable instead of running the uninstaller intended to remove the third-party security products when installing Kaspersky solutions. To exploit this issue, the attacker needed administrator rights and had to create registry keys pointing to the file they wanted to execute. We access the severity of this issue as Low.

Recommendations

We recommend our customers to use the latest versions of the installers from our website. The users of already installed products are not affected by these issues. Also, we recommend the users who can’t use the latest versions of the installers to follow these instructions.

Acknowledgements

We would like to thank Nasreddine Bencherchali who discovered the issues and responsibly reported them to Kaspersky.

Description

Kaspersky has fixed the security issue (CVE-2022-27535) in Kaspersky Secure Connection. An authenticated attacker could trigger arbitrary file deletion in the system. Before doing this, an attacker had to create a specific file link and convince the user to run "Delete All Service Data And Reports" feature.

List of affected products

• Kaspersky VPN Secure Connection prior to 21.6

Fixed versions

• Kaspersky VPN Secure Connection 21.6

We recommend our users to check their current application version and install the latest version. 

Acknowledgements

We would like to thank researcher Zeeshan Shaikh from Synopsys who discovered this issue and responsibly reported it.

Description

Kaspersky has fixed a security issue CVE-2021-27223 in one of its modules, which was incorporated in Kaspersky Anti-Virus products for home and Kaspersky Endpoint Security. An authenticated attacker with user rights could cause Windows crash by running a specially crafted application.

List of affected products

• Kaspersky Anti-Virus
• Kaspersky Internet Security
• Kaspersky Total Security
• Kaspersky Small Office Security
• Kaspersky Security Cloud
• Kaspersky Endpoint Security

Fixed Versions

The products mentioned above with antivirus databases released in June 2021 and later.

The fix was delivered to users automatically. To make sure that the fix is installed, a user can check that the antivirus databases are up to date. Our applications support automatic updating procedure to make the process of receiving updates easier.

Acknowledgments

We would like to thank the following researchers who discovered this issue and responsibly reported it: Straghkov Denis, Kurmangaleev Shamil, Fedotov Andrey, Kuts Daniil, Mishechkin Maxim, Akolzin Vitaliy of Institute for System Programming of the Russian Academy of Sciences (ISPRAS). The security issue was discovered using the dynamic analysis tool Crusher (made by ispras.ru).

Description

Kaspersky has fixed a security issue CVE-2022-27534 that was located in a data parsing module and potentially allowed an attacker with ordinary user privileges to execute arbitrary code. Issue type: Arbitrary Code Execution.

List of affected products

• Kaspersky Anti-Virus with antivirus databases released before 12.03.2022
• Kaspersky Internet Security with antivirus databases released before 12.03.2022
• Kaspersky Total Security with antivirus databases released before 12.03.2022
• Kaspersky Small Office Security with antivirus databases released before 12.03.2022
• Kaspersky Security Cloud with antivirus databases released before 12.03.2022
• Kaspersky Endpoint Security with antivirus databases released before 12.03.2022

Fixed versions

• Kaspersky Anti-Virus with antivirus databases released after 12.03.2022
• Kaspersky Internet Security with antivirus databases released after 12.03.2022
• Kaspersky Total Security with antivirus databases released after 12.03.2022
• Kaspersky Small Office Security with antivirus databases released after 12.03.2022
• Kaspersky Security Cloud with antivirus databases released after 12.03.2022
• Kaspersky Endpoint Security with antivirus databases released after 12.03.2022

The fix was delivered to users automatically. To make sure that the fix is installed, a user can check that the antivirus databases are up to date. Our applications support automatic updating procedure to make the process of receiving updates easier.

Acknowledgments

We would like to thank researcher Georgy Zaytsev of Positive Technologies who discovered the issue and responsibly reported it.

Description

Kaspersky has fixed the following security problems in consumer products for Windows:

• [1] The installer of Kaspersky VPN Secure Connection was vulnerable to arbitrary file deletion. It could allow an attacker to delete any file during the installation procedure.
• [2] The installers of Kaspersky Anti-Virus products family were vulnerable to loading of a specially crafted XML file during the installation procedure.
• [3] A component in Kaspersky Password Manager could allow an attacker to elevate a process Integrity level from Medium to High (CVE-2021-35052).
• [4] An attacker could disable the Safe Money component of the company’s AV products by abusing Windows symbolic links (CVE-2022-27533).

List of affected products

• Kaspersky VPN Secure Connection prior to 21.3 [1]
• Kaspersky Anti-Virus prior to 21.3 [2]
• Kaspersky Internet Security prior to 21.3 [1, 2]
• Kaspersky Total Security prior to 21.3 [1, 2]
• Kaspersky Small Office Security prior to 21.3 [2]
• Kaspersky Security Cloud prior to 21.3 [1, 2]
• Kaspersky Password Manager prior to 9.0.2 Patch R [3]
• All versions of Kaspersky AV products for home (Kaspersky Security Cloud, Kaspersky Internet Security, Kaspersky Total Security) are affected by the issue [4]

Fixed versions

• Kaspersky VPN Secure Connection 21.3 [1]
• Kaspersky Anti-Virus 21.3 [2]
• Kaspersky Internet Security 21.3 [1, 2]
• Kaspersky Total Security 21.3 [1, 2]
• Kaspersky Small Office Security 21.3 [2]
• Kaspersky Security Cloud 21.3 [1, 2]
• Kaspersky Password Manager 9.0.2 Patch R [3]
• All versions of Kaspersky AV products for home (Kaspersky Security Cloud, Kaspersky Internet Security, Kaspersky Total Security) with antivirus databases released in November 2021 and later [4]

We recommend our users to check the application version and install the latest updates. Our home products support automatic updating procedure to make the process of receiving updates easier.

Acknowledgements

We would like to thank the following researchers who discovered the issues and responsibly reported them:

• Mohammed Shameem Shahnawaz who discovered issues 1, 2 and reported them to us.
• Abdelhamid Naceri working with Trend Micro Zero Day Initiative who discovered issues 3, 4 and reported them to us.

Phishing emails seemingly coming from a Kaspersky email address

Kaspersky security experts have recently seen a huge uptick in spearphishing emails designed to steal Office 365 credentials. These phishing attempts rely on a phishing kit we named “Iamtheboss” used in conjunction with another phishing kit known as “MIRCBOOT”. The activity may be associated with multiple cybercriminals. The phishing e-mails are usually arriving in the form of “Fax notifications” and lure users to fake websites collecting credentials for Microsoft online services. These emails have various sender addresses, including but not limited to noreply@sm.kaspersky.com. They are sent from multiple websites including Amazon Web Services infrastructure.

The example of the email is below:

We encourage users to execute caution and be vigilant even if the email seems to come from a familiar brand or email address. The detailed how-to on checking email headers to ensure senders’ identity is posted on the Kaspersky blog.

During the investigation of this phishing activity, Kaspersky experts determined that some e-mails were sent using Amazon’s Simple Email Service (SES) and legitimate SES token. This access token was issued to a third party contractor during the testing of the website 2050.earth. The site is also hosted in Amazon infrastructure. Upon discovery of these phishing attacks, the SES token was immediately revoked. No server compromise, unauthorized database access or any other malicious activity was found at 2050.earth and associated services.

Description

• Possible system denial of service in case of arbitrary changing Firefox browser parameters. An attacker could change specific Firefox browser parameters file in a certain way and then reboot the system to make the system unbootable (CVE-2021-35053).

List of affected applications

• Kaspersky Anti-Virus prior to 21.3.10.391(g)
• Kaspersky Internet Security prior to 21.3.10.391(g)
• Kaspersky Total Security prior to 21.3.10.391(g)
• Kaspersky Small Office Security prior to 21.3.10.391(g)
• Kaspersky Security Cloud prior to 21.3.10.391(g)
• Kaspersky Endpoint Security versions from 11.1 to 11.6 (inclusively)

Fixed versions

• Kaspersky Anti-Virus 21.3.10.391(g)
• Kaspersky Internet Security 21.3.10.391(g)
• Kaspersky Total Security 21.3.10.391(g)
• Kaspersky Small Office Security 21.3.10.391(g)
• Kaspersky Security Cloud 21.3.10.391(g)
• Kaspersky Endpoint Security 11.7

We recommend our users to check the application version and install the latest updates. Our applications for home support automatic updating procedure to make the process of receiving updates easier.

For Kaspersky Endpoint Security users who are unable to update the product, we can recommend following to mitigate this issue:

Use Mozilla certificate store instead of Windows certificate store (default value) for scanning secure connections in Mozilla Firefox. To do this, enable the usage of Mozilla certificate store in local interface of the application and add Kaspersky certificate in Mozilla certificate store. Please contact Kaspersky technical support for the instruction on how to centrally change application settings for all computers of the company.

Acknowledgements

We would like to thank researcher Abdelhamid Naceri working with Trend Micro Zero Day Initiative who discovered the issue and responsibly reported it.

Description

Kaspersky has fixed a security issue in Kaspersky Password Manager product for several platforms (CVE-2020-27020). Password generator was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases. An attacker would need to know some additional information (for example, time of password generation).

All public versions of Kaspersky Password Manager liable to this issue now have a new logic of password generation and a passwords update alert for cases when a generated password is probably not strong enough.

List of affected applications

• Kaspersky Password Manager for Windows prior to 9.0.2 Patch F
• Kaspersky Password Manager for Android prior to 9.2.14.872
• Kaspersky Password Manager for iOS prior to 9.2.14.31

Fixed versions

• Kaspersky Password Manager for Windows 9.0.2 Patch F
• Kaspersky Password Manager for Android 9.2.14.872
• Kaspersky Password Manager for iOS 9.2.14.31

We recommend our users to check the application version and install the latest updates. To make the process of receiving updates easier, our home products support automatic updates.

Acknowledgements

We would like to thank researcher jibee who discovered the issue and responsibly reported it to us.

Description

Kaspersky has fixed the following security problems:

We recommend our users to check the application version and install the latest updates. Our home products support automatic updating procedure to make the process of receiving updates easier. To apply these updates a computer reboot may be required. To update a solution for business, please contact our technical support to clarify the details.

Acknowledgements

We would like to thank the following researchers who discovered the issues and responsibly reported them:

• Kim Dong-Hyeon (abbadeed) who discovered issues 1, 2 and reported them to us.
• Abdelhamid Naceri (halove23) who discovered issues 3, 4 and reported them to us.
• Csaba Fitzl (theevilbit) who discovered issue 5 and reported it to us.

Description

Kaspersky has fixed the following security issues in consumer and corporate products for Windows that were publicly disclosed earlier.

• [1] The web protection component was vulnerable to arbitrary file corruption due to insufficient check of file paths on reparse points. Using this flaw, an authenticated attacker could abuse our component to corrupt arbitrary files in the system without any interaction with the user. Issue type: LPE.
• [2] The Safe Money component that provides secure online operations was vulnerable to arbitrary code execution with high privileges. To exploit this issue an authenticated attacker needed to interact with the user. Issue type: LPE.

List of affected products

• Kaspersky Anti-Virus version 21.2 and earlier [1]
• Kaspersky Internet Security version 21.2 and earlier [1, 2]
• Kaspersky Total Security version 21.2 and earlier [1, 2]
• Kaspersky Security Cloud version 21.2 and earlier [1, 2]
• Kaspersky Small Office Security version 21.2 and earlier [1, 2]
• Kaspersky Endpoint Security for Windows 11.5.0 and earlier [1]

Fixed versions

• Kaspersky Anti-Virus version 21.3 [1]
• Kaspersky Internet Security version 21.3 [1, 2]
• Kaspersky Total Security version 21.3 [1, 2]
• Kaspersky Security Cloud version 21.3 [1, 2]
• Kaspersky Small Office Security version 21.3 [1, 2]
• Kaspersky Endpoint Security for Windows version 11.6.0 [1]

We recommend our users to check the application version and install the latest updates. Our home products support automatic updating procedure to make the process of receiving updates easier. To apply these updates a computer reboot may be required. To update a solution for business, please contact our technical support to clarify the details.

Our anti-malware detection rules for the products were updated and delivered to users once we got information about the issues. This allowed us to block attempts of exploiting the vulnerability before the updates became available (PDM:Exploit.Win32.Generic.nblk).

Description

Kaspersky has fixed a security issue in consumer and corporate products that was publicly disclosed earlier (CVE-2020-26200). A component of our boot loader allowed loading of untrusted UEFI modules due to insufficient check of their authenticity. This component is incorporated in Kaspersky Rescue Disk (KRD) and was trusted by the Authentication Agent of Full Disk Encryption in Kaspersky Endpoint Security (KES). This issue allowed to bypass the UEFI Secure Boot security feature. An attacker would need physical access to the computer to exploit it. Otherwise, local administrator privileges would be required to modify the boot loader component.

List of affected products

• Kaspersky Rescue Disk prior to 18.0.11.3 (patch C)
• Kaspersky Endpoint Security 10 SP2 MR2 with the Full Disk Encryption component installed
• Kaspersky Endpoint Security 10 SP2 MR3 with the Full Disk Encryption component installed
• Kaspersky Endpoint Security 11.0.0 with the Full Disk Encryption component installed
• Kaspersky Endpoint Security 11.0.1 with the Full Disk Encryption component installed
• Kaspersky Endpoint Security 11.1.0 with the Full Disk Encryption component installed

Fixed versions

• Kaspersky Rescue Disk 18.0.11.3 (patch C)
• Kaspersky Endpoint Security 10 SP2 MR4
• Kaspersky Endpoint Security 11.0 Security Fix 1
• Kaspersky Endpoint Security 11.1.1 and later

We recommend our users to check the application version and install the latest updates if not installed. After installing a new version of our product, we recommend to install a Microsoft security update 4535680. A computer reboot may be required for applying updates.

To update a solution for business, please contact our technical support using Company Account.

Description

Kaspersky has fixed the following security problems in products for Windows:

• Issue 1: Due to unsafe DLL search path, the installer of Kaspersky Anti-Ransomware Tool (KART) was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges in the system. Issue type: LPE.
• Issue 2: One of AV engine's components was vulnerable to a path traversal attack thus allowing an attacker to create files in privileged file locations. Issue type: LPE.
• Issue 3: In minor scenarios, Kaspersky Password Manager could run a browser with High integrity level. Issue type: LPE.
• Issue 4: Unused Data Cleaner component in Kaspersky Total Security has been improved against attacks based on the abuse of symbolic links. Issue type: LPE.
• Issue 5: File Shredder component in Kaspersky Total Security that provides secure file deletion was vulnerable to a race condition attack when checking a file path for reparse points. Using this flaw, an attacker could use this component to delete arbitrary files in the system. Issue type: LPE.

List of affected products

• Kaspersky Anti-Ransomware Tool prior to version 5.0 patch E (issue 1)
• Kaspersky Password Manager prior to version 9.2 patch L (issue 3)
• Kaspersky Total Security prior to version 2021 (issue 4)
• Kaspersky Security Cloud prior to version 2021 (issue 4)
• Kaspersky Total Security prior to version 2021 MR2 (issue 5)
• Kaspersky Security Cloud prior to version 2021 MR2 (issue 5)

Fixed versions

• Kaspersky Anti-Ransomware Tool 5.0 patch E (issue 1)
• Kaspersky Password Manager 9.2 patch L (issue 3)
• Kaspersky Total Security 2021 (issue 4)
• Kaspersky Security Cloud 2021 (issue 4)
• Kaspersky Total Security 2021 MR2 (issue 5)
• Kaspersky Security Cloud 2021 MR2 (issue 5)

To fix the issue 2, update antivirus databases to the latest version or wait for the automatic update.

We recommend our users to check the application version and install the latest updates. Our home products support automatic updating procedure to make the process of receiving updates easier. To apply these updates a computer reboot may be required. To update a solution for business, please contact our technical support to clarify the details.

Acknowledgements

We would like to thank the following researchers who discovered the issues and responsibly reported them:

• Eran Shimony of CyberArk Labs who discovered issue 1 and reported it to us.
• houjingyi who discovered issue 2 and reported it to us.
• Abdelhamid Naceri who discovered issues 3, 4, 5 and reported it to us.

Description

Kaspersky has fixed the following security problems in products for Windows:

1. The installer of Kaspersky VPN Secure Connection was vulnerable to arbitrary file deletion that could allow an attacker to delete any file in the system (CVE-2020-25043). Issue type: DoS.
2. Kaspersky Virus Removal Tool (KVRT) was vulnerable to arbitrary file corruption that could provide an attacker with the opportunity to eliminate content of any file in the system (CVE-2020-25044). Issue type: DoS.
3. Due to unsafe DLL search path, the installer of Kaspersky Security Center was susceptible to a DLL hijacking attack that allowed an attacker to elevate privileges in the system (CVE-2020-25045). Issue type: LPE.
4. Due to unsafe DLL search path, the installer of Kaspersky Security Center Web Console was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges in the system (CVE-2020-25045). Issue type: LPE.
5. Due to unsafe DLL search path, the installer of Kaspersky Anti-Ransomware Tool (KART) was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges in the system (CVE-2020-28950). Issue type: LPE.

The above issues are classified as local attacks. It means that an attacker should be authenticated in the system at the time of attack. Cases 1, 3, 4, 5 can be exploited only during the installation of a product. We have not registered any attempts to exploit these vulnerabilities in the wild.

List of affected products

• Kaspersky VPN Secure Connection prior to 5.0
• Kaspersky Virus Removal Tool prior to 15.0.23.0
• Kaspersky Security Center prior to 12
• Kaspersky Security Center Web Console prior to 12 Patch A
• Kaspersky Anti-Ransomware Tool prior to KART 4.0 Patch C

Fixed versions

• Kaspersky VPN Secure Connection 5.0
• Kaspersky Virus Removal Tool 15.0.23.0
• Kaspersky Security Center 12
• Kaspersky Security Center Web Console 12 Patch A
• Kaspersky Anti-Ransomware Tool 4.0 Patch C

We recommend our users to check the application version and install the latest updates. To make the process of receiving updates easier, our home products support automatic updates. A computer reboot may be required for applying updates. To update a solution for business, please contact our technical support for details.

Acknowledgements

We would like to thank the following researchers who discovered the issues and responsibly reported them:

• Eran Shimony of CyberArk Labs who discovered issues 1, 2, 3, and 4 and reported it to us.
• Shahee Mirza of BEETLES who discovered issue 5 and reported it to us.

Description

Kaspersky has fixed a security issue in its consumer and corporate products that was publicly disclosed earlier. Fixed versions of the products were released several months ago. The vulnerability allowed abuse of products' AV scanning feature for arbitrary file deletion. The exploitation of this issue was possible in a local attack scenario and required from an attacker to be authenticated in the system to run a specially crafted application.

List of affected products

Consumer products for Windows:

• Kaspersky Anti-Virus prior to 2019
• Kaspersky Internet Security prior to 2019
• Kaspersky Total Security prior to 2019
• Kaspersky Free prior to 2019
• Kaspersky Security Cloud prior to 2019

Corporate products for Windows:

• Kaspersky Small Office Security prior to 6
• Kaspersky Endpoint Security prior to 11.1

Consumer products for macOS:

• Kaspersky Internet Security prior to 2020 Patch A

Corporate products for Linux:

• Kaspersky Endpoint Security prior to version 10 SP1 MR1

Fixed versions

Consumer products for Windows:

• Kaspersky Anti-Virus 2019 and later
• Kaspersky Internet Security 2019 and later
• Kaspersky Total Security 2019 and later
• Kaspersky Free 2019 and later
• Kaspersky Security Cloud 2019 and later

Corporate products for Windows:

• Kaspersky Small Office Security 6 and later
• Kaspersky Endpoint Security 11.1 and later

Consumer products for macOS:

• Kaspersky Internet Security 2020 Patch A and later

Corporate products for Linux:

• Kaspersky Endpoint Security 10 SP1 MR1 and later

We recommend our users to check the application version and install the latest updates. Our home products support automatic updating procedure to make the process of receiving updates easier. To apply these updates a computer reboot may be required. To update a solution for business, please contact our technical support to clarify the details.

Acknowledgements

We would like to thank company RACK911 Labs who discovered the issue and reported it to us.

Description

Kaspersky has fixed a security issue in consumer and corporate products that was publicly disclosed earlier. A component responsible for interprocess communications was vulnerable to arbitrary code execution due to weak check of incoming data in some specific cases. Depending on the product, this could allow an attacker to elevate privileges in the OS, provided that the vulnerable component works within the context of process with high privileges. At the moment of exploitation an attacker must be already authenticated in the system (local attack). In case of such products as consumer Kaspersky Anti-Virus products family and Endpoint Security, an attacker also needs to bypass product's self-defense to perform exploitation.

We have not registered any attempts to exploit this vulnerability in the wild.

List of affected products

Consumer products for Windows:

• Kaspersky Anti-Virus prior to 2019 Patch H, 2020 Patch D.
• Kaspersky Internet Security prior to 2019 Patch H, 2020 Patch D.
• Kaspersky Total Security prior to 2019 Patch H, 2020 Patch D.
• Kaspersky Free prior to 2019 Patch H, 2020 Patch D.
• Kaspersky Security Cloud prior to 2019 Patch H, 2020 Patch D.
• Kaspersky Password Manager prior to 9.2 Patch C.
• Kaspersky Safe Kids prior to 1.5 Patch C.
• Kaspersky Software Updater prior to 2.1 Patch A.

Corporate products for Windows:

• Kaspersky Endpoint Security 10 SP2 without pf3223.
• Kaspersky Endpoint Security 10 SP2 MR3 without pf3528.
• Kaspersky Endpoint Security 11.0.0 without pf5145.
• Kaspersky Endpoint Security 11.0.1 without pf5352.
• Kaspersky Endpoint Security 11.1 without pf7063.
• Kaspersky Endpoint Security 11.1.1 without pf7523.
• Kaspersky Small Office Security prior to 6 Patch H, 7 Patch D.
• Kaspersky Anti Targeted Attack Agent prior to 3.6.1.

Fixed versions

Consumer products for Windows:

• Kaspersky Anti-Virus 2019 Patch H, 2020 Patch D and later.
• Kaspersky Internet Security 2019 Patch H, 2020 Patch D and later.
• Kaspersky Total Security 2019 Patch H, 2020 Patch D and later.
• Kaspersky Free 2019 Patch H, 2020 Patch D and later.
• Kaspersky Security Cloud 2019 Patch H, 2020 Patch D and later.
• Kaspersky Password Manager 9.2 Patch C and later.
• Kaspersky Safe Kids 1.5 Patch C and later.
• Kaspersky Software Updater 2.1 Patch A and later.

Corporate products for Windows:

• Kaspersky Endpoint Security 10 SP2 with pf3223.
• Kaspersky Endpoint Security 10 SP2 MR3 with pf3528.
• Kaspersky Endpoint Security 11.0.0 with pf5145.
• Kaspersky Endpoint Security 11.0.1 with pf5352.
• Kaspersky Endpoint Security 11.1 with pf7063.
• Kaspersky Endpoint Security 11.1.1 with pf7523.
• Kaspersky Small Office Security 6 Patch H, 7 Patch D and later.
• Kaspersky Anti Targeted Attack Agent 3.6.1.

We recommend users to check product version and install updates. Our home products support automatic updating procedure to make process of receiving updates easier. To apply these updates a reboot may be required. To update a solution for business, please contact out technical support via Kaspersky CompanyAccount to receive a patch.

Our anti-malware detection rules for the products were updated and delivered to users once we got information about the issue. This allowed us to block attempts of exploiting the vulnerability before the updates became available (PDM:Exploit.Win32.Virsli.a).

Description

Kaspersky has fixed a security issue CVE-2019-15689 found in Kaspersky Secure Connection 4.0 (2020). One of the product executable files was susceptible to a DLL hijacking attack that could potentially allow third-parties to locally execute arbitrary code in its process context. The severity of the issue was assessed as low, because an attacker must have administrator privileges to drop malicious DLL file into the product's folder. No privilege escalation. Issue category: DLL hijacking. Issue type: Arbitrary Code Execution.

We also have fixed three bugs in one of anti-virus (AV) engine components that is responsible for work with ZIP archives. The fix for this component corrects its behaviour in situation of antivirus scanning specially crafted ZIP archives. These malformed archives could be used to circumvent our antivirus scan process. The bugs affected Kaspersky products with antivirus databases.

List of affected products

The issue affected Secure Connection product and consumer products in those it is incorporated:

• Kaspersky Secure Connection prior to version 4.0 (2020) patch E.
• Kaspersky Internet Security prior to version 2020 patch E.
• Kaspersky Total Security prior to version 2020 patch E.
• Kaspersky Security Cloud prior to version 2020 patch E.

Fixed versions

• Kaspersky Secure Connection 4.0 (2020) patch E.
• Kaspersky Internet Security 2020 patch E. 
• Kaspersky Total Security 2020 patch E.
• Kaspersky Security Cloud 2020 patch E.

We recommend users to install these updates. Our products have automatic updating procedure to make process of receiving updates easier. To apply these updates, the product restart is required. Also to eliminate mentioned bugs in antivirus engine it is necessary to update antivirus bases to the latest version, which is performed automatically during auto-updating procedure.

Acknowledgements

We would like to thank the following researchers who discovered the issues and responsibly reported them:

• Peleg Hadar from SafeBreach for reporting DLL hijacking in Secure Connection.
• Thierry Zoller for reporting bugs in antivirus engine.

Description

Kaspersky Lab has fixed a security issue found by Wladimir Palant in Kaspersky Password Manager that could potentially lead remote unauthorized access by 3rd parties to information about address items which are stored in the vault while it is in unlocked state. No other data in the vault could be compromised. Issue category: Data Leakage. Issue type: Information Disclosure.

To exploit this issue an attacker would need to lure a user for visiting a specially crafted web page.

List of affected products

Kaspersky Password Manager for Windows 9.1.

Fixed versions

Kaspersky Password Manager for Windows 9.2.

We recommend our users to migrate to new version of the product.

Acknowledgements

We would like to thank researcher Wladimir Palant who discovered the issue and reported it to us.

Description

Kaspersky has fixed the following security problems in Anti-Virus products family for Windows:

• [1] Kaspersky Protection extension for web browser Google Chrome was vulnerable to unauthorized access to its features remotely that could lead to removing other installed extensions. Severity of this issue was assessed as medium, because user should confirm deletion of the extension on Chrome's warning menu. Issue category: Unauthorized Command Execution. Issue type: Bypass. [CVE-2019-15684]
• [2] The web protection component due to a bug in its implementation potentially allowed an attacker remotely disable such product's security features as private browsing and anti-banner. Issue category: Unauthorized Command Execution. Issue type: Bypass. [CVE-2019-15685]
• [3] The web protection component due to a bug in its implementation potentially allowed an attacker remotely disable various anti-virus protection features. Severity of this issue was assessed as high, because an attacker can terminate product service process. Issue category: Unauthorized Command Execution. Issue type: DoS, Bypass. [CVE-2019-15686]
• [4] The web protection component was vulnerable to remote disclosure of some information about user's system to 3rd parties (e.g. Windows version and version of the product, unique ID). Issue category: Data Leakage. Issue type: Information Disclosure. [CVE-2019-15687]
• [5] The web protection component did not adequately inform the user about the threat of redirecting to an untrusted site. Issue category: Security Bypass. Issue type: Bypass. [CVE-2019-15688]

The web protection component was additionally improved to prevent 3rd parties from calculating unique product ID remotely (privacy hardening) [6].

To exploit all mentioned above issues an attacker would need to lure a user for visiting a specially crafted web page.

List of affected products

• Kaspersky Anti-Virus up to 2020
• Kaspersky Internet Security up to 2020
• Kaspersky Total Security up to 2020
• Kaspersky Free Anti-Virus up to 2020
• Kaspersky Small Office Security up to 7
• Kaspersky Security Cloud up to 2020
• Kaspersky Protection extension for Google Chrome prior to 30.112.62.0

Fixed versions

• Kaspersky Anti-Virus 2019 Patch I, Patch J
• Kaspersky Internet Security 2019 Patch I, Patch J 
• Kaspersky Total Security 2019 Patch I, Patch J
• Kaspersky Free Anti-Virus 2019 Patch I, Patch J
• Kaspersky Small Office Security 6 Patch I, Patch J
• Kaspersky Security Cloud 2019 Patch I, Patch J
• Kaspersky Protection extension for Google Chrome 20.0.543.1418 as a part of 2019 Patch I

• Kaspersky Anti-Virus 2020, 2020 Patch E, 2020 Patch F
• Kaspersky Internet Security 2020, 2020 Patch E, 2020 Patch F
• Kaspersky Total Security 2020, 2020 Patch E, 2020 Patch F
• Kaspersky Free Anti-Virus 2020, 2020 Patch E, 2020 Patch F
• Kaspersky Small Office Security 7, 7 Patch E, 7 Patch F
• Kaspersky Security Cloud 2020, 2020 Patch E, 2020 Patch F
• Kaspersky Protection extension for Google Chrome 30.112.62.0 as a part of 2020 Patch E
• Kaspersky Protection extension for Google Chrome 30.147.100.0 as a part of 2020 Patch F

We recommend users to check product version and install updates. Our products have automatic updating procedure to make process of receiving updates easier and most of the users have been updated. To apply these updates a reboot may be required.

Acknowledgements

We would like to thank the following researchers who discovered the issues and responsibly reported them:

• Wladimir Palant ([1],[2],[3],[4],[5],[6])
• Mohamed Ouad ([1])

Description

Kaspersky has fixed a security issue in the URL Advisor component for Edge web browser that was vulnerable to the XSS attack. The attack could potentially lead to user’s data disclosure. To exploit this an attacker would need to lure a user into visiting a specially crafted web page.

The web protection component was improved with additional security measures to protect users from MitM attacks, including those targeted to HSTS web resources. 

List of affected products

• Kaspersky Anti-Virus 2019 
• Kaspersky Internet Security 2019
• Kaspersky Total Security 2019
• Kaspersky Free Anti-Virus 2019
• Kaspersky Small Office Security 6
• Kaspersky Security Cloud 2019

Fixed versions

• Kaspersky Anti-Virus 2019 Patch E
• Kaspersky Internet Security 2019 Patch E
• Kaspersky Total Security 2019 Patch E
• Kaspersky Free Anti-Virus 2019 Patch E
• Kaspersky Small Office Security 6 Patch E
• Kaspersky Security Cloud 2019 Patch E

Acknowledgements

We would like to thank researcher Wladimir Palant who discovered the issue and reported it to us.

Description

Kaspersky has fixed a security issue (CVE-2019-8286) in its products that could potentially compromise user privacy by using unique product id which was accessible to third parties. This issue was classified as User Data disclosure. The attacker has to prepare and deploy a malicious script on the web servers from where he will track the user.

List of affected products

• Kaspersky Anti-Virus up to 2019
• Kaspersky Internet Security up to 2019
• Kaspersky Total Security up to 2019
• Kaspersky Free Anti-Virus up to 2019 
• Kaspersky Small Office Security up to 6
• Kaspersky Security Cloud 2019

Fixed Versions

• Kaspersky Anti-Virus 2019 Patch F
• Kaspersky Internet Security 2019 Patch F
• Kaspersky Total Security 2019 Patch F
• Kaspersky Free Anti-Virus 2019 Patch F 
• Kaspersky Small Office Security 6 Patch F
• Kaspersky Security Cloud 2019 Patch F

Updated version was automatically delivered to KAV 2019, KIS 2019, KTS 2019 users using auto update procedure June 7th 2019. Our recommendations for users or early versions of the products are to update to versions mentioned above.

Acknowledgments

We would like to thank researcher Ronald Eikenberg who discovered the issue and reported it to us.

Description

Kaspersky has fixed a security issue found in Kaspersky Endpoint Security version 11.0.1 that could potentially allow third-parties to locally execute arbitrary code with user permissions and without privilege elevation. This issue was classified as DLL hijacking bug. The security fix was made in the updated version Kaspersky Endpoint Security 11.1 available since March 13th 2019.

List of affected products

Kaspersky Endpoint Security 11.0.1.

Fixed Versions

Kaspersky Endpoint Security 11.1.
Our recommendations for Kaspersky Endpoint Security 11.0.1 users are to update to Kaspersky Endpoint Security 11.1. Most of users can use auto update procedure.

Acknowledgments

We would like to thank NSS labs who discovered the issue and reported it to us.

Description

Kaspersky Lab has fixed a security issue CVE-2019-8285 in its products that could potentially allow third-parties to remotely execute arbitrary code on a user's PC with system privileges. The security fix was deployed to Kaspersky Lab customers on 4th April, 2019 through a product update.

This issue was classified as heap-based buffer overflow vulnerability. Memory corruption during JS file scan could lead to execution of arbitrary code on a user machine.
CVSSv3 Score: 8.0
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

List of affected products

Kaspersky Lab products with antivirus databases.

Fixed Versions

Kaspersky Lab products with antivirus databases released on 4th April, 2019 and later.

Acknowledgments

We would like to thank researchers from the Imaginary team, who discovered the issue and responsibly reported it.

Description

Kaspersky Lab has fixed a vulnerability found by Wladimir Palant in Kaspersky Password Manager extensions for Google Chrome and Mozilla Firefox which allowed HTML injection using the XSS attack.

This vulnerability could lead to disclosure of some of the user's data. To exploit it an attacker would need to lure a user for visiting a specially crafted web page.

List of affected products

Kaspersky Password Manager 9 with extensions for Google Chrome and Mozilla Firefox 4.1.3.

Fixed Versions

Kaspersky Password Manager 9 with extensions for Google Chrome 4.1.6 and Mozilla Firefox 4.1.7.

We recommend for our users to migrate to new version of the product.

Acknowledgments

We would like to extend our thanks to Wladimir Palant for reporting information about vulnerability to Kaspersky Lab.

Description

Kaspersky Lab has fixed a vulnerability found by Tim Steiner and Agio Cybersecurity Consulting in Kaspersky Software Updater.

This allows an attacker with user privileges to execute a local malicious code with system privileges by making changes to the service start-up parameters.

List of affected products 

Kaspersky Software Updater version: 2.0.0.623.

Fixed Versions 

Kaspersky Software Updater version: 2.0.1.65.

We recommend for our users to migrate to new version of this product.

Acknowledgments 

We would like to extend our thanks to Tim Steiner and Agio Cybersecurity Consulting for reporting information about vulnerability to Kaspersky Lab.

Description

Kaspersky Lab has fixed a vulnerability found by the Fortinet's FortiGuard Labs in the Kaspersky Password Manager for Windows: 

• CVE-2018-6306: DLL Hijacking. DLL can be loaded into installer process.

This vulnerability makes possible unauthorized code execution from specific DLL and is known as DLL Hijacking attack. An attacker needs to drop his DLL in a directory where victim stores product installer. After user run the installer, malicious DLL will be loaded into installer process.

List of affected products 

Kaspersky Password Manager version: before 8.0.6.538.

Fixed Versions 

Kaspersky Password Manager version: 9.0.0.728.

We recommend for our users to migrate to new version of this product.

Acknowledgments 

We would like to extend our thanks to Kushal Arvind Shah of Fortinet's FortiGuard Labs for reporting this bug to Kaspersky Lab.

Description

Kaspersky Lab has fixed a vulnerabilities found in Kaspersky Secure Mail Gateway by Core Security Technologies company:

• CVE-2018-6288 Cross-site Request Forgery leading to Administrative account takeover
• CVE-2018-6289 Configuration file injection leading to Code Execution as Root
• CVE-2018-6290 Local Privilege Escalation
• CVE-2018-6291 WebConsole Cross-Site Scripting

For this vulnerabilities to be exploited, authorized product administrator has to conduct deliberate malicious actions or visit untrusted resources in the internet, while being authenticated in product interface with the same browser.

We recommend authorized product administrators, who do not update product version, not to use the same browser for management of KSMG product and for browsing internet.

List of affected products

Kaspersky Secure Mail Gateway 1.1.

Fixed Versions

Kaspersky Secure Mail Gateway 1.1 MR1

Kaspersky Lab recommends that all customers using Kaspersky Secure Mail Gateway 1.1 should upgrade to the new version Kaspersky Secure Mail Gateway 1.1 MR1.

Acknowledgments

We would like to extend our thanks to Core Security Technologies for reporting these bugs to Kaspersky Lab.

Description

Kaspersky Lab has fixed DOM-based cross-site scripting vulnerability found in the Web Console for Kaspersky Security Center 10, which allowed, under specific conditions, unauthorized access to some product functionality. To use this vulnerability, an attacker required to force a user logged-in to Web Console to open the specific link from the phishing email.

List of affected products

Kaspersky Security Center 10 Service Pack 2 or earlier.

Fixed Versions

Kaspersky Lab recommends that all customers using the Web Console, should upgrade Kaspersky Security Center to the new 10 Service Pack 2 MR1 version.

Acknowledgments

We would like to extend our thanks to Positive Technologies for reporting these bugs to Kaspersky Lab.

Description

Kaspersky Lab has fixed a vulnerability found in Kaspersky Embedded Systems Security by Embedi company. One of the KESS driver’s subroutine was vulnerable to buffer overflow that might allow an attacker to escalate permissions on a system.

List of affected products

• Kaspersky Embedded Systems Security 1.2.0.300
• Kaspersky Embedded Systems Security 2.0.0.385

Fixed Versions

Kaspersky Lab recommends that all customers using Kaspersky Embedded Systems Security 1.1 MR1 and 2.0 should install patch A.

Acknowledgments

We would like to extend our thanks to Embedi for reporting these bugs to Kaspersky Lab.

Description

Kaspersky Lab has fixed the vulnerabilities found in Kaspersky Internet Security for Android by the MRG Effitas company:

• CVE-2017-12816: Some of application exports activities have weak permissions, which might be used by malware application to get unauthorized access to the product functionality using Android IPC.
• CVE-2017-12817: Some of application trace files were not encrypted.

List of affected products

Kaspersky Internet Security for Android 11.12.4.1622.

Fixed Versions

Kaspersky Lab recommends that all customers using Kaspersky Internet Security for Android should upgrade to the new version 11.14.4.921 or higher.

Acknowledgments

We would like to extend our thanks to MRG Effitas for reporting these bugs to Kaspersky Lab.

Description

Kaspersky Lab has fixed vulnerabilities (CVE-2017-9810, CVE-2017-9811, CVE-2017-9812, CVE-2017-9813) found in the Web Console for Kaspersky Anti-Virus for Linux File Server 8, which allowed, under specific conditions, unauthorized access to some product functionality. To use these vulnerabilities, an attacker required to get in advance insights on structure of the network targeted and the user logged-in to Web Console to open the specific link from the phishing email on the targeted computer.

List of affected products

Kaspersky Anti-Virus for Linux File Server 8. Web Console is an opt-in feature, product is not vulnerable unless this feature is on.

Fixed Versions

Kaspersky Lab recommends that all customers using the Web Console, should upgrade Kaspersky Anti-Virus for Linux File Server 8 to the new CF4 version.

Acknowledgments

We would like to extend our thanks to Core Security and CoreLabs for reporting these bugs to Kaspersky Lab.

Description

Kaspersky Lab has fixed the vulnerabilities found in Kaspersky Embedded Systems Security by the Positive Technologies company:

• The Applications Launch Control component was unable to manage properly a large number of applications launching simultaneously. As a result, some applications were allowed to launch, even if these applications were to be strictly denied by the rules.
• The versions fixed provide the improved algorithm for the processing of a big quantity of applications launches and guarantee strict denial for a PowerShell script execution through placing the script body into the command line.
• No access restrictions on connection to the Kaspersky Embedded Systems Security filter driver were applied for other applications.

List of affected products

• Kaspersky Embedded Systems Security 1.1.
• Kaspersky Embedded Systems Security 1.1 MR1.

Fixed Versions

The vulnerability was fixed in Critical Fix KB13520.

To eliminate the vulnerability from Kaspersky Embedded Systems Security 1.1 upgrade the Kaspersky Embedded Systems Security to version 1.1 MR1 and apply Critical Fix KB13520: for x86, x64.

To eliminate the vulnerability from Kaspersky Embedded Systems Security 1.1 MR 1 apply Critical Fix KB13520: for x86, x64.

Acknowledgments

Description

Kaspersky Lab has fixed a vulnerability found by Cybellum Technologies which made a DLL Hijacking attack possible, via an undocumented feature of Microsoft Application Verifier. This allows the attacker to inject code into most OS processes, not just security solutions. It should be mentioned that this attack can only be performed thorough a local vector, when the attacker has already penetrated the device. The attacker has to infect the attacked computer with malicious software in advance, and escalate its privilege on the device in order to register a new Application Verifier Provider DLL – both actions require an attacker to use a range of other tools.

Fixed Versions

The detection and blocking of this malicious scenario has been added to all Kaspersky Lab products from 22 March. In order to stay protected, Kaspersky Lab recommends all customers keep their security solutions up to date and do not disable behavior-based detection features.

Kaspersky Lab will also incorporate additional protection measures into the next updates to its flagship security products. These will block the attack attempts described at different levels. The security solutions to be updated accordingly are:

• Kaspersky Anti-Virus 2018
• Kaspersky Internet Security 2018
• Kaspersky Total Security 2018
• Kaspersky Small Office Security 2018

Acknowledgments

Description

Kaspersky Lab has fixed a number of vulnerabilities found by Mr. Tavis Ormandy:

• Specific scenarios existed when unprivileged user might read file with a private key created by product for managing SSL connection. This could be used by attacker/malware with access to a host in order to obtain this file to perform targeted attacks on SSL connections initiated by browser application on the host.
  
• If user navigated to a web site with invalid SSL certificate and decided to trust it by selecting Continue on the product's warning in order to access the site, product added the certificate to trusted root incorrectly. That might be used by attacker to skip invalid certificate warning if user access sites that were listed in Subject Alternative Names of the original invalid SSL certificate.
  
• SSL certificate caching error existed that might be used by attacker with a control of network in order to perform targeted attack on a host to intercept SSL connections initiated by browser application specifically by using IP address instead of a domain name.
  

List of affected products

Kaspersky Anti-Virus 2016, 2017

Kaspersky Internet Security 2016, 2017

Kaspersky Total Security 2016, 2017

Kaspersky Small Office Security 4, 5

Kaspersky Fraud Prevention for Endpoints 6.0

Kaspersky Safe Kids for Windows 1.1

Kaspersky Endpoint Security for Mac

Fixed Versions

Kaspersky Anti-Virus 2016, 2017

Kaspersky Internet Security 2016, 2017

Kaspersky Total Security 2016, 2017

Kaspersky Small Office Security 4, 5

Kaspersky Fraud Prevention for Endpoints 6.0

Kaspersky Endpoint Security for Mac

The fixes are included in the autoupdated patches that were released by December, 28. To apply the fixes, please update your products.

Fix for Kaspersky Endpoint Security for Mac 10 included into new version SP1. To apply the fixes, please update to new product version.

Acknowledgments

Description

Kaspersky Lab has updated kaspersky.com website to mitigate potential XSS vulnerability.

Acknowledgments

Description

Kaspersky Lab has fixed a bug TALOS-CAN-0175 (CVE-2016-4329) reported by Cisco Talos in Kaspersky Anti-Virus products. This bug could have been exploited only if host already contained malicious program that might send certain unhandled window messages that might cause termination of GUI process of AV. GUI process restarts automatically after termination. This bug has no impact on AV functionality since it's being handled in separate service process. 

List of affected products

Kaspersky Internet Security 2016 (16.0.0.614) 

Kaspersky Anti-Virus 2016 (16.0.0.614) 

Kaspersky Total Security 2016 (16.0.0.614)

Fixed Versions

Kaspersky Internet Security 2017 (17.0.0.611) 

Kaspersky Anti-Virus 2017 (17.0.0.611) 

Kaspersky Total Security 2017 (17.0.0.611) 

User should migrate to newer version of respective products via product update procedure.

Acknowledgments

Description

Kaspersky Lab has fixed a number of vulnerabilities found by Cisco TALOS. All these vulnerabilities could have been exploited only if machine already contained malicious program 

- TALOS-CAN-0166 (CVE-2016-4304) and TALOS-CAN-0167 (CVE-2016-4305): a specially crafted call can cause an access violation in one of products drivers resulting in local denial of service. 

CVSSv3 score of this vulnerability is 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
- TALOS-CAN-0168 (CVE-2016-4306): a specially crafted call can cause the one of the products driver to return out of bounds kernel memory, potentially leaking sensitive information. 
CVSSv3 score of this vulnerability is 3.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

List of affected products

Kaspersky Internet Security 2016 (16.0.0.614) 

Kaspersky Anti-Virus 2016 (16.0.0.614) 

Kaspersky Total Security 2016 (16.0.0.614)

Fixed Versions

Kaspersky Internet Security 2017 (17.0.0.611) 

Kaspersky Anti-Virus 2017 (17.0.0.611) 

Kaspersky Total Security 2017 (17.0.0.611) 

User should migrate to newer version of respective products via product update procedure.

Acknowledgments

Description

Kaspersky Lab has fixed vulnerability TALOS-CAN-0169 (CVE-2016-4307) in Kaspersky Anti-Virus products. This vulnerability could have been exploited only if machine already contained malicious program that might used a bug in one of the products drivers to cause an access violation in it that results in local system denial of service. 

CVSSv3 score of this vulnerability is 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

List of affected products

Kaspersky Internet Security 2016 (16.0.0.614) 

Kaspersky Anti-Virus 2016 (16.0.0.614) 

Kaspersky Total Security 2016 (16.0.0.614)

Fixed Versions

Acknowledgments

Description

Acknowledgments

Description

List of affected products

Fixed Versions

Acknowledgments

Description

Acknowledgments

Description

List of affected products

Fixed Versions

Acknowledgments

Description

List of affected products

Fixed Versions

Acknowledgments

Description

List of affected products

Fixed Versions

Acknowledgments

Description

List of affected products

Mitigations

Acknowledgments

Description

List of affected products

Fixed Versions

Acknowledgments

Description

List of affected products

Fixed Versions

Acknowledgments

Description

List of affected products

Fixed Versions

Acknowledgments

Description

List of affected products

Fixed Versions

Acknowledgments

Description

List of affected products

Fixed Versions

Acknowledgments

Description

Kaspersky Lab has fixed a number of bugs that were leading to the memory corruption, while parsing malformed files of the following formats: DEX, VB6, CHM, ExeCryptor, PE, "Yoda's Protector", and some other modified malicious files. The code in Kaspersky Lab’s Antivirus products had not been correctly handling malformed data that could cause integer and buffer overflows. 

List of products where this vulnerability has been found

Kaspersky Internet Security 2015 

Kaspersky Anti-Virus 2015
Kaspersky Endpoint Security 10 SP1MR1
Kaspersky Total Security 2015
Kaspersky Security for Virtualization 3.0 

Issue date for a fix or patch

The fix is included in the autoupdated modules that were released on 13 September 2015. 

Acknowledgments

We would like to thank Mr. Tavis Ormandy for his research. Kaspersky Lab has always supported the assessment of our solutions by independent experts. Their efforts help us to make our solutions stronger, more productive and more reliable.