A security issue found by SafeBreach, a security research firm, in Kaspersky Secure Connect software, which is itself bundled into a range of other Kaspersky security products, allows malicious attackers to obtain signed code execution and even circumvent defenses in more complex attack scenarios.
The vulnerability, detailed in a security bulletin numbered CVE-2019-15689, technically opens the door to further malicious activity on the compromised device by enabling an attacker to run unsigned code through a signed executable that is launched with NT AUTHORITY\SYSTEM privileges.
SafeBreach explains that Kaspersky Secure Connect is bundled into Kaspersky Internet Antivirus, Kaspersky Internet Security, Kaspersky Total Security, and other software; its service runs with SYSTEM permissions and its executable files are signed by “AO Kaspersky Lab.” If an attacker finds a way to execute code in the process, it can be used to bypass security products that rely on application whitelisting.
And because the service runs at boot time, potential attackers could even gain persistence, with a malicious payload running each time the system starts. In-depth analysis revealed that Kaspersky’s service attempted to load a series of DLLs, some of which were missing, and that because the security software did not verify the signature of the DLLs it loaded, it was easy to get unsigned code loaded into a signed executable. In addition, the Kaspersky service does not use secure DLL loading: it references each DLL by file name only, not by an absolute path, so Windows searches for it along the standard DLL search order. The error was reported to Kaspersky in July 2019 and SafeBreach published its CVE-2019-15689 security bulletin on November 21.
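The pattern described above (a privileged process searching for a DLL by bare name, never finding it, and probing directories outside the system directories along the way) is what a defender looks for when auditing a service for DLL search-order hijacking. The script below is an added example, not code from the article or from SafeBreach; it runs over constructed Process Monitor-style CSV events (the process name, paths and DLL names are made up for the example) and reports DLLs that were searched for but never found outside System32/SysWOW64.

```python
"""Audit ProcMon-style events for missing-DLL loads (DLL search-order hijack candidates)."""
import csv
import io
import ntpath
from collections import defaultdict

# Directories where a name-only DLL load is expected to resolve safely (not user-writable).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample log in ProcMon CSV export layout; not data from the real advisory.
SAMPLE_LOG = """Process Name,PID,Operation,Path,Result
example-service.exe,1234,CreateFile,C:\\Program Files (x86)\\Example\\service\\wow64log.dll,NAME NOT FOUND
example-service.exe,1234,CreateFile,C:\\Windows\\System32\\wow64log.dll,NAME NOT FOUND
example-service.exe,1234,CreateFile,C:\\Windows\\System32\\kernel32.dll,SUCCESS
example-service.exe,1234,CreateFile,C:\\Users\\Public\\Example\\plugin.dll,NAME NOT FOUND
notepad.exe,4321,CreateFile,C:\\Windows\\System32\\ntdll.dll,SUCCESS
"""


def _in_trusted_dir(path):
    """True if the file's directory is one of TRUSTED_DIRS or a subdirectory of one."""
    d = ntpath.dirname(path).lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def find_hijack_candidates(log_text):
    """Return {(process, dll_name): [paths]} for DLLs a process searched for and never
    found, listing only the probed locations outside TRUSTED_DIRS. Each such location is
    worth checking for write access by non-administrators."""
    missing = defaultdict(list)
    found = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        path = row["Path"]
        if row["Operation"] != "CreateFile" or not path.lower().endswith(".dll"):
            continue
        key = (row["Process Name"], ntpath.basename(path).lower())
        if row["Result"] == "SUCCESS":
            found.add(key)
        elif row["Result"] == "NAME NOT FOUND":
            missing[key].append(path)
    candidates = {}
    for key, paths in missing.items():
        if key in found:
            continue  # resolved later in the search order, so not a missing DLL
        untrusted = [p for p in paths if not _in_trusted_dir(p)]
        if untrusted:
            candidates[key] = untrusted
    return candidates


if __name__ == "__main__":
    for (proc, dll), paths in find_hijack_candidates(SAMPLE_LOG).items():
        print(f"{proc}: missing {dll}, probed at {paths}")
```

Pair the output with an ACL check (e.g. icacls) on each reported directory; a missing DLL probed in a directory writable by standard users is the condition the advisory describes.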