Bug in Kaspersky VPN Client Allows Privilege Escalation

UPDATED

A local privilege-escalation (LPE) vulnerability in Kaspersky's VPN Secure Connection for Microsoft Windows has been discovered, which would allow an already-authenticated attacker to delete privileged files.

Tracked as CVE-2022-27535, the bug has divided researchers when it comes to CVSS score. According to an advisory out today from Synopsys, which discovered the issue, it carries a high-severity CVSS score of 7.8 out of 10, But Kaspersky rates the issue at medium-severity, with a 5.0 CVSS score.

In any event, it exists in the Support Tools part of the application, and would allow an authenticated attacker to trigger arbitrary file deletion in the system.

"it could lead to device malfunction or the removal of important system files required for correct system operation," according to a Kaspersky spokesperson. "To execute this attack, an intruder had to create a specific file and convince users to run 'Delete all service data and reports' or 'Save report on your computer" product features.'"

Kaspersky has fixed the issue: Users should update to version 21.6 or later to patch their systems.

Where LPE Bugs Fit in the Attack Chain

While not considered as flashy as the remote code execution (RCE) bugs used to gain initial compromise on a target, LPE flaws in general deserve recognition -- and patching prioritization -- as they're often linchpins within a wider attack flow. After cybercriminals gain initial access to a target via RCE or social engineering, LPEs are generally used by attackers to boost their privileges to perform advanced actions on the target system. In many cases, it allows an attacker to move from a normal user profile to SYSTEM to then gain further access to the network, and ultimately a company's crown jewels.

Synopsys researchers said that this particular LPE does exactly that -- but Kaspersky believes it to be much more limited

"This issue only allowed an attacker to delete the files that were available for deletion," Kaspersky clarified for Dark Reading. "It did not allow code execution or other actions: No full control over the system. Technically it can be considered LPE but with a very limited scope."

If exploited, the bug could lead to device malfunction or the removal of important system files required for correct system operation, according to Kaspersky. 

For its part, Synopsys is standing behind its findings.  

“We do not agree with Kaspersky’s stated assertion that the vulnerability does not allow a malicious actor to obtain admin-level privileges," the company said in a statement provided to Dark Reading. "Zeeshan Shaikh has demonstrated the ability to obtain a SYSTEM (i.e. roughly Window’s equivalent of root) command prompt through Kaspersky’s product which enables arbitrary local code execution. Furthermore, this supports [the possibility of] a malicious actors using the attack vector to move laterally within an organization’s environment."

This posting was updated at 11 a.m. on Aug. 8 to clarify the nature of the bug's privilege-escalation capabilities and add statements from both companies on their differing findings.