Researchers disclose DLL loading vulnerabilities in Autodesk, Trend Micro, Kaspersky software

Updated: Privilege escalation and code execution bugs lurked in the applications.
Written by Charlie Osborne, Contributing Writer

Researchers have disclosed a set of security vulnerabilities in Autodesk, Trend Micro, and Kaspersky software. 

On Monday, the SafeBreach Labs published three security advisories describing the bugs, all of which were privately reported to the vendors before public disclosure. 

The first vulnerability, tracked as CVE-2019-15628, impacts Trend Micro Maximum Security version 16.0.1221 and below. One of the software's components, the Trend Micro Solution Platform service, coreServiceShell.exe, runs as NT AUTHORITY\SYSTEM with high levels of permission, and it was this executable that the researchers targeted. 

Once coreServiceShell.exe executes, a library -- paCoreProductAdaptor.dll -- is loaded. However, a missing DLL, lack of safe DLL loading and signed validation meant that attackers could exploit this security hole, loading unsigned DLLs as a result. 

Being able to load and execute arbitrary DLLs with signed software of high privileges could lead to application whitelisting bypass, the evasion of cybersecurity protections, persistence -- as the software runs on startup -- and potentially privilege escalation, the researchers say. 

"The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the service is loaded," SafeBreach Labs says. "That means that once the attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code each time it is restarted."

See also: Hotel front desks are now a hotbed for hackers

The second vulnerability disclosed at the same time affects Kaspersky Secure Connection, a virtual private network (VPN) client deployed with Kaspersky Internet Security solutions to forge a secure connection with the vendor's servers. 

Tracked as CVE-2019-15689, this bug can only be abused if an attacker has already secured administrator privileges on versions of the software below 4.0. 

Kaspersky Secure Connection also runs as NT AUTHORITY\SYSTEM and in the same way as the aforementioned Trend Micro issue, the Kaspersky Secure Connection 3.0.0 service (KSDE) looks for missing DLLs, opening a path for abuse via uncontrolled search paths and no signature validation. 

Potentially suitable as part of a post-exploit chain, the vulnerability permits arbitrary DLL loading signed off by AO Kaspersky Lab and able to run with high permission levels. 

TechRepublic: How credential stuffing attacks work, and how to prevent them

The final vulnerability, CVE-2019-7365, was discovered in the Autodesk desktop application. The desktop app -- AdAppMgrSvc.exe -- is related to Autodesk software from 2017 to the present day and runs with NT AUTHORITY\SYSTEM. A missing DLL call made by an accompanying library also permitted the loading of arbitrary DLLs. In addition, there is no digital certificate validation, and so unsigned DLLs can be executed. 

"After an attacker gains access to a computer, he might have limited privileges which can limit access to certain files and data," the researchers say. "The service provides him with the ability to operate as NT AUTHORITY\SYSTEM which is the most powerful user in Windows, so he can access almost every file and process which belongs to the user on the computer."

The vulnerabilities were reported to Trend Micro, Kaspersky, and Autodesk in July, with each security flaw confirmed in the same month or in August. 

Update 15.49 GMT: A Trend Micro spokesperson told us, "Trend Micro issued a patch for these vulnerabilities that is currently available through the product's automatic ActiveUpdate feature for all relevant products. Customers who receive regular automatic updates should have already received this update."

Trend Micro asked for time beyond the usual 90-day policy and after resolving the issue published a security advisory on November 25. Kaspersky patched the bug and published a security advisory n December 2. Autodesk is yet to release an advisory. A Kaspersky spokesperson told ZDNet:

"Kaspersky has fixed a security issue found in Kaspersky Secure Connection that could potentially allow third-parties to locally execute arbitrary code. In order to exploit this bug, an attacker would need to have local administrator rights and full control of the computer.  

This security issue was fixed by patch 2020 E, delivered to users through Kaspersky's automatic update procedures. A reboot may be required to apply these updates."

CNET: Facebook built a facial recognition app for employees

Autodesk said, "Autodesk released a patch for CVE-2019-7365 on 27 November for Autodesk Desktop Application (ADA) users. We highly recommend that customers apply the latest update for ADA by clicking the update button on the application. A security advisory with more information is available on the Autodesk Trust Centre."

Europol’s top hacking ring takedowns

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards