Connect with us

Hi, what are you looking for?


Data Protection

Kaspersky Patches Flaws in Anti-Virus for Linux File Server

An update released earlier this month by Kaspersky Lab for its Anti-Virus for Linux File Server product addresses several potentially serious vulnerabilities discovered by researchers at Core Security.

An update released earlier this month by Kaspersky Lab for its Anti-Virus for Linux File Server product addresses several potentially serious vulnerabilities discovered by researchers at Core Security.

Kaspersky Anti-Virus for Linux File Server is designed to protect workstations and file servers on large corporate networks. Core Security employees determined that the product’s web-based management interface is affected by vulnerabilities that can be exploited for arbitrary code execution and other malicious activities.

One of the security holes is caused by the lack of anti-CSRF tokens in the web interface, which allows a remote attacker to execute shell commands by tricking an authenticated user into accessing a specially crafted webpage.

Researchers also found vulnerabilities that can be exploited to escalate privileges to root, execute arbitrary code via a reflected cross-site scripting (XSS) flaw, and read arbitrary files due to a path traversal bug. Core Security has made available proof-of-concept (PoC) code for each of the vulnerabilities.

The vulnerabilities affect version 8 of Kaspersky Anti-Virus for Linux File Server and they are tracked as CVE-2017-9813, CVE-2017-9810, CVE-2017-9811 and CVE-2017-9812. The flaws were reported to Kaspersky in April and patches were released on June 14. Core Security has confirmed that the update released by the vendor fixes all the security holes.

“Kaspersky Lab would like to thank researchers from Core Security Technologies for pointing out vulnerabilities in Web Console of Kaspersky Anti-Virus for Linux File Server 8, which allowed, under specific conditions, unauthorized access to some product functionality,” Kaspersky Lab told SecurityWeek in an emailed statement. “These vulnerabilities are now fixed. Kaspersky Lab recommends to all customers, using Web Console, to upgrade the Kaspersky Anti-Virus for Linux File Server 8 to new CF4 version.”

Kaspersky has been running a HackerOne-powered bug bounty program that covers its Password Manager 8, Internet Security 2017 and Endpoint Security 10 products. The security firm is offering between $300 and $5,000 for each vulnerability.

Advertisement. Scroll to continue reading.

Related: Kaspersky Patches Vulnerabilities in Consumer Products

Related: Google Researcher Finds Certificate Flaws in Kaspersky Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.