An update released earlier this month by Kaspersky Lab for its Anti-Virus for Linux File Server product addresses several potentially serious vulnerabilities discovered by researchers at Core Security.
Kaspersky Anti-Virus for Linux File Server is designed to protect workstations and file servers on large corporate networks. Core Security employees determined that the product’s web-based management interface is affected by vulnerabilities that can be exploited for arbitrary code execution and other malicious activities.
One of the security holes is caused by the lack of anti-CSRF tokens in the web interface, which allows a remote attacker to execute shell commands by tricking an authenticated user into accessing a specially crafted webpage.
Researchers also found vulnerabilities that can be exploited to escalate privileges to root, execute arbitrary code via a reflected cross-site scripting (XSS) flaw, and read arbitrary files due to a path traversal bug. Core Security has made available proof-of-concept (PoC) code for each of the vulnerabilities.
The vulnerabilities affect version 8 of Kaspersky Anti-Virus for Linux File Server and they are tracked as CVE-2017-9813, CVE-2017-9810, CVE-2017-9811 and CVE-2017-9812. The flaws were reported to Kaspersky in April and patches were released on June 14. Core Security has confirmed that the update released by the vendor fixes all the security holes.
“Kaspersky Lab would like to thank researchers from Core Security Technologies for pointing out vulnerabilities in Web Console of Kaspersky Anti-Virus for Linux File Server 8, which allowed, under specific conditions, unauthorized access to some product functionality,” Kaspersky Lab told SecurityWeek in an emailed statement. “These vulnerabilities are now fixed. Kaspersky Lab recommends to all customers, using Web Console, to upgrade the Kaspersky Anti-Virus for Linux File Server 8 to new CF4 version.”
Kaspersky has been running a HackerOne-powered bug bounty program that covers its Password Manager 8, Internet Security 2017 and Endpoint Security 10 products. The security firm is offering between $300 and $5,000 for each vulnerability.
Related: Kaspersky Patches Vulnerabilities in Consumer Products
Related: Google Researcher Finds Certificate Flaws in Kaspersky Products