Vulnerabilities Disclosed in Kaspersky, Trend Micro Products

Vulnerabilities discovered in Kaspersky Secure Connection, Trend Micro Maximum Security, and Autodesk Desktop Application could be exploited for DLL preloading, code execution, and privilege escalation, a security firm has warned.

According to SafeBreach, Kaspersky Secure Connection (KSDE), a VPN client used with various Kaspersky applications, including Security Cloud, Internet Security, Anti-Virus, Total Security, and Kaspersky Free, is impacted by CVE-2019-15689, a vulnerability that could allow an attacker to implant and run an arbitrary unsigned executable. 

The issue is similar to vulnerabilities that SafeBreach has disclosed over the past several weeks in anti-malware applications from McAfee, Symantec, Avast and Avira, where privileged processes attempt to load libraries that are not present at the expected location.

Specifically, KSDE, a signed service that starts automatically at system boot and runs as SYSTEM, attempts to load multiple DLLs that are missing from the expected location. An attacker able to supply an arbitrary DLL under one of those names could have it run with SYSTEM privileges within the context of ksde.exe.

The root cause of the vulnerability, SafeBreach notes, is that the process does not perform a signature verification against the loaded DLL, and that it attempts to load the library using only the filename and not an absolute path. 

Successful exploitation of the flaw could result in an attacker executing malicious code within the signed Kaspersky process, which enables them to avoid detection.

The Autodesk Desktop Application also attempts to load a missing DLL file, from different directories within the PATH environment variable. An attacker could abuse this to have their own malicious library loaded by the signed process.

The root cause of this vulnerability is the lack of safe DLL loading, complemented by the lack of digital certificate validation. The security flaw is tracked as CVE-2019-7365. 
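An audit check for the precondition this class of bug relies on, as an added example that is not SafeBreach's or any vendor's code: given the bare name of a DLL that a privileged process is known to request (a name already identified by tracing the process), it walks the directories listed in PATH and reports where the DLL is absent and which of those directories low-privileged groups are allowed to write to. It covers only the PATH portion of the loader's search order, not the application directory or the system directories.

```powershell
# Added audit example (hypothetical helper, not from the article or any vendor).
# Reports, for each directory in PATH, whether the named DLL exists there and
# whether commonly low-privileged principals hold write rights on the directory.
param(
    [Parameter(Mandatory)] [string] $DllName   # bare filename the process requests, e.g. 'missing.dll'
)

# Principals whose write access on a PATH directory is a red flag for a SYSTEM process.
$weakGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeMask  = [System.Security.AccessControl.FileSystemRights]::Write

$dirs = ($env:PATH -split ';') | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

foreach ($dir in $dirs) {
    $present = Test-Path -LiteralPath (Join-Path $dir $DllName)
    $acl     = Get-Acl -LiteralPath $dir

    # Any Allow ACE granting a write bit to one of the weak groups.
    $weakWrite = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($weakGroups -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }

    [pscustomobject]@{
        Directory    = $dir
        DllPresent   = $present
        UserWritable = [bool]$weakWrite
        # A missing DLL in a user-writable PATH directory is the condition to remediate first.
        Finding      = $(if (-not $present -and $weakWrite) { 'missing in user-writable dir' }
                         elseif ($weakWrite) { 'user-writable dir' }
                         else { 'ok' })
    }
}
```

Tighten the ACL on any directory reported as user-writable (or remove it from the system-wide PATH), and treat a signed service that requests DLLs by bare filename as a bug to report to the vendor.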

Analysis of Trend Micro Maximum Security, SafeBreach says, revealed that although the software runs as SYSTEM, some of its components run as non-PPL processes; because the Code Integrity Guard (CIG) mechanism is not enforced for them, an attacker can load unsigned code into those processes.

The security researchers discovered that the issue (tracked as CVE-2019-15628) made privilege escalation simple, “allowing a regular user to write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM.” This could lead to defense evasion, self-defense bypass, persistence, and privilege escalation through the loading of an arbitrary DLL.

SafeBreach reported these vulnerabilities to the respective vendors in July of this year. All three have acknowledged the bugs and issued CVE numbers for them. 

Related: DLL Hijacking Flaw Impacts Symantec Endpoint Protection

Related: Vulnerability in McAfee Antivirus Products Allows DLL Hijacking

Written By

Ionut Arghire is an international correspondent for SecurityWeek.