Kaspersky Lab has released updates for its consumer products to address several denial-of-service (DoS) and memory disclosure vulnerabilities identified by researchers at Cisco’s Talos group.
Cisco reported discovering a total of four issues in Kaspersky Internet Security products, specifically in the KLIF, KLDISK and KL1 drivers.
Two of the flaws, tracked as CVE-2016-4304 and CVE-2016-4305, stem from the way the KLIF driver handles NtUserCreateWindowEx and NtAdjustTokenPrivileges calls. A malicious application can issue one of these API calls with invalid parameters and cause a system crash.
Another local DoS flaw, identified as CVE-2016-4307, is related to how the KL1 driver handles IOCTL calls. An attacker can exploit this vulnerability to cause a memory access violation and crash the system by sending a specially crafted IOCTL call to the driver.
The last security hole found by Talos researchers is CVE-2016-4306, which can allow attackers to use specially crafted IOCTL calls to leak kernel memory contents to user mode. The weakness, caused by a weak implementation of the KlDiskCtl service in the KLDISK driver, can be exploited by an attacker to obtain information that may be useful in combination with other vulnerabilities.
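The two IOCTL issues above belong to a well-known class: a driver's dispatch routine trusts the length a user-mode caller supplies and copies kernel memory that it never fully initialized. The following portable C program is an added illustration of that class, not Kaspersky's code and not the actual KLDISK or KL1 defect; the control code, the `disk_info_t` record, the status values and the simulated kernel region are all constructed for the demo. It places a weak handler beside a hardened one so a reviewer can see which checks keep stale kernel bytes from reaching the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical status values, loosely modelled on NTSTATUS style (constructed). */
typedef enum { IOCTL_OK = 0, IOCTL_BAD_CODE = 1, IOCTL_BAD_LENGTH = 2 } ioctl_status;

#define IOCTL_GET_DISK_INFO 0x8001u  /* hypothetical control code */

/* Hypothetical record the driver returns to user mode. */
typedef struct {
    uint32_t sector_size;
    uint32_t flags;
    char     label[16];
} disk_info_t;

/* Simulated kernel memory: the record sits at the front, followed by
 * unrelated data that must never reach user mode. Constructed for the demo. */
static union { disk_info_t rec; unsigned char raw[64]; } kernel_region;

static void init_kernel_region(void)
{
    memset(kernel_region.raw, 0xAA, sizeof kernel_region.raw);   /* stale bytes */
    kernel_region.rec.sector_size = 512;
    kernel_region.rec.flags = 1;
    memcpy(kernel_region.rec.label, "DISK", 4);  /* label only partly written: 12 stale bytes remain */
    memcpy(kernel_region.raw + sizeof(disk_info_t), "KERNEL-ONLY-DATA", 16);
}

/* Weak handler: trusts the caller's output length and copies that many bytes
 * straight out of kernel memory, so the stale label bytes and the adjacent
 * KERNEL-ONLY-DATA come back to user mode. The copy is capped at the demo
 * region only so the simulation itself stays memory-safe. */
static ioctl_status ioctl_unchecked(uint32_t code, unsigned char *out, size_t out_len, size_t *written)
{
    if (code != IOCTL_GET_DISK_INFO) return IOCTL_BAD_CODE;
    if (out_len > sizeof kernel_region.raw) out_len = sizeof kernel_region.raw;
    memcpy(out, kernel_region.raw, out_len);
    *written = out_len;
    return IOCTL_OK;
}

/* Hardened handler: validates the buffer, builds the reply in a zeroed local
 * record with explicit bounded field fills, and copies exactly sizeof(reply). */
static ioctl_status ioctl_checked(uint32_t code, unsigned char *out, size_t out_len, size_t *written)
{
    disk_info_t reply;
    *written = 0;
    if (code != IOCTL_GET_DISK_INFO) return IOCTL_BAD_CODE;
    if (out == NULL || out_len < sizeof reply) return IOCTL_BAD_LENGTH;  /* reject undersized buffers */
    memset(&reply, 0, sizeof reply);   /* no padding or stale bytes survive */
    reply.sector_size = kernel_region.rec.sector_size;
    reply.flags = kernel_region.rec.flags;
    memcpy(reply.label, "DISK", 4);    /* bounded field fill */
    memcpy(out, &reply, sizeof reply); /* exactly the record, never more */
    *written = sizeof reply;
    return IOCTL_OK;
}

/* Detection helper for the demo: does the user-mode buffer contain the marker? */
static int contains_kernel_only(const unsigned char *buf, size_t len)
{
    static const char marker[] = "KERNEL-ONLY-DATA";
    size_t m = sizeof marker - 1;
    for (size_t i = 0; i + m <= len; i++)
        if (memcmp(buf + i, marker, m) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char buf[64];
    size_t n = 0;
    init_kernel_region();
    ioctl_unchecked(IOCTL_GET_DISK_INFO, buf, 48, &n);
    printf("unchecked: %zu bytes, leaks kernel-only data: %s\n", n, contains_kernel_only(buf, n) ? "yes" : "no");
    ioctl_checked(IOCTL_GET_DISK_INFO, buf, 48, &n);
    printf("checked:   %zu bytes, leaks kernel-only data: %s\n", n, contains_kernel_only(buf, n) ? "yes" : "no");
    return 0;
}
```

The hardened path applies the three checks a driver reviewer looks for in any IOCTL handler: validate the caller-supplied length against the size of what will actually be returned, initialize the reply in full before copying it, and copy only the reply rather than however many bytes the caller asked for. In a real Windows driver those checks map onto the IRP's buffer lengths and `Information` field, which the demo stands in for with `out_len` and `written`.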
“Since anti-virus software runs with low level privileges on any system, vulnerabilities in this software are potentially very interesting for attackers. Although these vulnerabilities are not particularly severe, administrators should be aware that security systems can be used by threat actors as part of an attack, and keep such systems fully patched,” Cisco said in a blog post.
The vulnerabilities were reported to Kaspersky in late April. While Cisco’s advisories list August 26 as the patch release date, the vendor told SecurityWeek that the issues were addressed in new product versions made available globally starting on July 29.
Kaspersky Lab has thanked Piotr Bania and Marcin ‘Icewall’ Noga of Cisco Talos for reporting the vulnerabilities, but pointed out that the issues are low severity.
“All vulnerabilities are classified as low severity, as it is theoretically only possible to exploit them if the system has already been infected with malware. Since the security of our customers is our top priority, we have already provided a fix for these vulnerabilities and released updated versions for our 2016 and 2017 line of consumer solutions,” Kaspersky Lab said in a statement sent to SecurityWeek.
Kaspersky recently announced the launch of a public bug bounty program via the HackerOne platform. The security firm is prepared to offer up to $50,000 to hackers who find serious vulnerabilities in Kaspersky Internet Security 2017 and Kaspersky Endpoint Security 10 SP1MR3 running on Microsoft Windows 8.1 or later.