Denial-of-service (DoS) and kernel vulnerabilities affecting the functionality of Kaspersky's KLIF, KLDISK, and KL1 drivers discovered by a pair of researchers at Cisco Talos were patched by Kaspersky Lab.
Two of the flaws affect Kaspersky's KLIF driver (CVE-2016-4304, CVE-2016-4305) and allow a malicious application to execute a malicious API call using invalid parameters. The vulnerabilities affect intercepted NtUserCreateWindowEx and NtAdjustTokenPrivileges functions. The flaws “can cause an attempt to access inaccessible memory by the driver resulting in a system crash,” wrote Cisco Talos Senior Research Engineer Marcin "Icewall" Noga and Vulnerability Researcher Piotr Bania in a corporate blog post Friday.
An information leak vulnerability (CVE-2016-4306) affecting IOCTL handlers of Kaspersky's KLDISK driver could be exploited by an attacker by sending specially crafted requests to the driver, which could cause the driver to leak privileged tokens or kernel memory addresses.
A local DoS flaw (CVE-2016-4307) allows an attacker to send a specially crafted IOCTL call to Kaspersky's KL1 driver, causing a memory access violation.
When contacted by SCMagazine.com, Kaspersky Lab said that the vulnerabilities are categorized as low severity. In an email to SCMagazine.com the firm said “it is theoretically only possible to exploit them if the system has already been infected with malware.” Kaspersky said it has patched the flaw affecting its 2016 line of consumer products and the issue was addressed in its 2017 version as the launch of the product line last month. Earlier this month, Kaspersky Lab launched a bug bounty program with HackerOne.
The vulnerabilities are the latest in a series of disclosures related to security products that has affected OAuth 2.0, Symantec, and Trend Micro. Endpoint security management systems are an attractive target for attackers because the products “often work at a low level or with extra privileges, and can act as a staging post for attacks,” AdaptiveMobile CTO Ciaran Bradley wrote in an email to SCMagazine.com. “Whilst some security vendors may not like the increased scrutiny of their products, it is a growing trend and ultimately it benefits everyone and drive improvements in the Industry as a whole.”
Tenable Network Security Strategist Cris Thomas said while DoS attacks such as the flaw discovered by the Talos researchers are “fairly common,” customers should “take this latest flaw seriously and update as soon as possible.”