Researchers on Thursday reported on a local privilege escalation in Kaspersky’s VPN Secure Connection for Microsoft Windows.
In a blog post, the Synopsys Cybersecurity Research Center said the vulnerability, CVE-2022-27535, would potentially let an attacker turn an arbitrary folder deletion into an escalation of privileges (EoP) to SYSTEM.
Kaspersky officials released a statement saying the company's team had closed a vulnerability in Kaspersky VPN Secure Connection that let an authenticated attacker trigger arbitrary file deletion on the system. They said it could lead to device malfunction or the removal of important system files required for correct system operation. The Kaspersky team said that to execute this attack, an intruder had to create a specific file and convince users to run the "Delete all service data and reports" or "Save report on your computer" product features.
To fix the vulnerability, the Kaspersky team recommended that users check the app version they are running and install the latest one. The affected versions include Kaspersky VPN Secure Connection prior to 21.6.
Tim McGuffin, adversarial engineering practice lead at LARES Consulting, said the Kaspersky VPN product operates more as a consumer product, so the global impact on business should be pretty low.
“EoP bugs do not get the same attention from organizations for patching prioritization,” McGuffin said. “Most organizations focus on preventing initial compromise from RCE, but often deprioritize patches for EoP vulnerabilities and wait until quarterly or annual patch cycles. If an attacker could gain code execution on a user's computer using Kaspersky VPN, they can escalate to SYSTEM and perform actions, but I think that for home user computer systems, everything an attacker would need access to is accessible using their normal privileges. This includes saved browser passwords, access to password vaults, and other saved credentials.”