The Synopsys Cybersecurity Research Center (CyRC) team has identified a local privilege escalation vulnerability in Kaspersky VPN Secure Connection for Microsoft Windows.
In the Support Tools part of the application, a regular user can use Delete service data and reports to remove a privileged folder. Based on this capability, an attacker can leverage Arbitrary Folder Delete to SYSTEM EoP to gain SYSTEM privileges, Synopsys researchers say.
According to Synopsys, the affected software includes Kaspersky VPN Secure Connection 21.3.10.391 (h), and the vulnerability has a CVSS score of 7.8. To remediate, Synopsys is urging Kaspersky users to upgrade their software to version 21.7.7.393 or later.
Jonathan Knudsen, Head of Global Research at Synopsys Cybersecurity Research Center, explains that an attacker could somehow gain "access to a victim's computer, whether through social engineering or some other technique. If the victim's computer had a vulnerable version of the Kaspersky VPN on it, the attacker could then use the vulnerability to gain administrative privileges, at which point the attacker would have full control over the victim's computer."
A fully compromised computer would allow an attacker access to websites, credentials, files, and other sensitive information that could be useful by itself or in moving laterally inside a corporate network, Knudsen explains.
"We haven't seen any exploitation of this vulnerability. Most likely, attackers will take note of it as a possible technique for elevation of privilege after access has been gained to a victim's computer," Knudsen says. "So, how does this fit in with VPN security trends as a whole? Software is software, no matter where it runs, even when it is security software like a VPN. All software has vulnerabilities; the key to releasing better, more secure software is using a holistic approach throughout the software development cycle."
Editor's note: Statement from Kaspersky:
The Kaspersky team has closed a vulnerability in the Kaspersky VPN Secure Connection that allowed an authenticated attacker to trigger arbitrary file deletion in the system. It could lead to device malfunction or the removal of important system files required for correct system operation. To execute this attack, an intruder had to create a specific file and convince users to run "Delete all service data and reports" or "Save report on your computer" product features.
To fix the vulnerability, the Kaspersky team recommends users check the app version they are running and install the latest one.
We would like to thank security researcher Ben Ronallo, who discovered the issue and responsibly reported it to Kaspersky.
The affected versions of Kaspersky VPN:
- Kaspersky VPN Secure Connection prior to 21.6
For more information, visit synopsys.com.