Remote code execution flaws exposed in Kaspersky Server software

Severe security flaws have been discovered in Kaspersky's Anti-Virus File Server software.

On Wednesday, CoreLabs, the security arm of Core Security, issued a public advisory relating to a number of security problems in Kaspersky Anti-Virus for Linux File Server 8.0.3.297.

The antivirus software, certified as VMware Ready and able to support current versions of FreeBSD, is designed to protect workstations and file servers in complex networks from traditional cyberthreats.

There are four vulnerabilities in total; a cross-site scripting bug, a cross-site request forgery flaw, improper privilege management and improper limits set on pathnames to restricted directories, leading to the bypass of security protocols, information leaks, and remote code execution.

The first issue, a cross-site scripting bug (CVE-2017-9813), occurs as the software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users -- in particular, a feature allows configuring shell scripts to be executed when certain events occur.

If exploited, information stored in user cookies can be leaked, and if malicious scripts are loaded, it may be possible to remotely execute code on victim systems.

The scriptName parameter of the licenseKeyInfo action method is particularly vulnerable.

The second security flaw, CVE-2017-9810, is a cross-site request forgery issue which is caused by a lack of sufficient verification, due to there being no anti-CSRF tokens in any forms on the web interface.

When a web server receives requests, without this verification, malicious instructions can be sent, resulting in anything from hijacking sessions, data theft, or the launch of attacks against other products, depending on the user's level of privilege.

The third vulnerability, CVE-2017-9811, relates to improper privilege management. According to the team, "the kluser is able to interact with the kav4fs-control binary [and] by abusing the quarantine read and write operations, it is possible to elevate the privileges to root."

The final bug reported to Kaspersky, CVE-2017-9812, occurs due to the improper handling of a pathname to a restricted directory. In particular, the software's reportId parameter of the getReportStatus action method can be abused to read arbitrary files with kluser privileges.

All the vulnerabilities are both locally and remotely exploitable, according to CoreLabs, which provided proof-of-concept (PoC) code in the advisory.

In addition, the bugs may impact other products and other versions of the server software, but the team have not tested them.

CoreLabs first made the Russian antivirus provider aware of the bugs back in April. The company then replicated the exploits and created a patch to resolve the issues, which was issued on 14 June.

See also: Windows 10 does temporarily disable third-party antivirus, admits Microsoft

Earlier this month, Kaspersky filed new antitrust complaints against Microsoft, together with the European Commission and the German Federal Cartel Office, over claims that Windows 10 is harming third-party antivirus providers by bundling Windows Defender with the operating system.

A Kaspersky spokesperson told ZDNet:

"Kaspersky Lab would like to thank researchers from Core Security Technologies for pointing out vulnerabilities in Web Console of Kaspersky Anti-Virus for Linux File Server 8, which allowed, under specific conditions, unauthorized access to some product functionality. These vulnerabilities are now fixed. Kaspersky Lab recommends to all customers, using Web Console, to upgrade the Kaspersky Anti-Virus for Linux File Server 8 to new CF4 version."

How to lock up your digital life and privacy in an hour (in pictures)