Vulnerabilities Disclosed in Kaspersky, Trend Micro Products

Vulnerabilities discovered in Kaspersky Secure Connection, Trend Micro Maximum Security, and Autodesk Desktop Application could be exploited for DLL preloading, code execution, and privilege escalation, a security firm has warned.

According to SafeBreach, Kaspersky Secure Connection (KSDE), a VPN client used with various Kaspersky applications, including Security Cloud, Internet Security, Anti-Virus, Total Security, and Kaspersky Free, is impacted by CVE-2019-15689, a vulnerability that could allow an attacker to implant and run an arbitrary unsigned executable. 

The issue is similar to vulnerabilities that SafeBreach has disclosed over the past several weeks in anti-malware applications from McAfee, Symantec, Avast and Avira, where privileged processes attempt to load libraries that are not present at the expected location.

Specifically, KSDE, a signed service that starts automatically at system boot and runs as SYSTEM, attempts to load multiple missing DLLs. An attacker able to load an arbitrary DLL could have it run with SYSTEM privileges within the context of ksde.exe.

The root cause of the vulnerability, SafeBreach notes, is that the process does not perform a signature verification against the loaded DLL, and that it attempts to load the library using only the filename and not an absolute path. 

Successful exploitation of the flaw could result in an attacker executing malicious code within the signed Kaspersky process, which enables them to avoid detection.

The Autodesk Desktop Application also attempts to load a missing DLL file from different directories within the PATH environment variable. An attacker could abuse this to have their own malicious library loaded by the signed process.

The root cause of this vulnerability is the lack of safe DLL loading, complemented by the lack of digital certificate validation. The security flaw is tracked as CVE-2019-7365. 
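To make the root cause concrete from an auditing point of view, the following added example (not code from SafeBreach or any of the vendors) models a bare-file-name lookup over an ordered directory list and reports which probed directories a standard user could write to. The directory layout, the DLL names and the writability predicate are constructed for illustration, and the ordered list stands in for the full Windows search order as a simplifying assumption.

```python
import os
import tempfile
from pathlib import Path


def audit_bare_name_load(dll_name, search_dirs, is_user_writable=None):
    """Model a bare-file-name DLL lookup over search_dirs, in order.

    Returns (resolved, risky): `resolved` is the first existing copy (or None
    when the DLL is missing everywhere); `risky` lists directories probed
    before that point in which a standard user could create the file.
    """
    if is_user_writable is None:
        # Assumption: the audit runs as the unprivileged account under review.
        is_user_writable = lambda d: os.access(d, os.W_OK)
    resolved, risky = None, []
    for d in map(Path, search_dirs):
        if not d.is_dir():
            continue  # entry does not exist on disk; not evaluated here
        if (d / dll_name).is_file():
            resolved = d / dll_name
            break  # lookup stops at the first match
        if is_user_writable(d):
            risky.append(d)
    return resolved, risky


def demo():
    """Constructed layout: protected dir, user-writable tools dir, vendor dir."""
    root = Path(tempfile.mkdtemp())
    protected, tools, vendor = root / "system32", root / "tools", root / "vendor"
    for d in (protected, tools, vendor):
        d.mkdir()
    (vendor / "present.dll").write_bytes(b"")
    dirs = [protected, tools, vendor]
    writable = lambda d: d == tools  # constructed ACL: only `tools` is writable
    found = audit_bare_name_load("present.dll", dirs, writable)
    missing = audit_bare_name_load("example_missing.dll", dirs, writable)
    return tools, vendor, found, missing


if __name__ == "__main__":
    tools, vendor, found, missing = demo()
    print("present.dll ->", found[0], "| writable dirs probed first:", found[1])
    print("example_missing.dll never resolves | writable dirs probed:", missing[1])
```

A non-empty second element is the condition the article describes: the privileged process probes a location that a lower-privileged account controls before (or instead of) finding the legitimate library. Loading by absolute path and verifying the library's signature removes the dependence on that search.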

SafeBreach says its analysis of Trend Micro Maximum Security revealed that, although the software runs as SYSTEM, some of its parts run as non-PPL processes. Because the CIG (Code Integrity Guard) mechanism is not enforced, this allows an attacker to load unsigned code.

The security researchers discovered that the issue (tracked as CVE-2019-15628) made privilege escalation simple, “allowing a regular user to write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM.” This could lead to defense evasion, self-defense bypass, persistence, and privilege escalation through the loading of an arbitrary DLL. 

SafeBreach reported these vulnerabilities to the respective vendors in July of this year. All three have acknowledged the bugs and issued CVE numbers for them. 
