
High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover

The CVE-2022-27535 local privilege-escalation security vulnerability in the security software threatens remote and work-from-home users.

A local privilege-escalation (LPE) vulnerability in Kaspersky's VPN Secure Connection for Microsoft Windows has been discovered, which would allow an already-authenticated attacker to gain administrative privileges and potentially take full control over a victim's computer.

Tracked as CVE-2022-27535, the bug has divided researchers when it comes to CVSS score. According to an advisory out today from Synopsys, which discovered the issue, it carries a high-severity CVSS score of 7.8 out of 10, but Kaspersky rates the issue at medium severity, with a 5.0 CVSS score.

In any event, it exists in the Support Tools part of the application, and would allow an authenticated attacker to trigger arbitrary file deletion in the system, along with privilege escalation to SYSTEM – i.e., the highest privilege level in the Windows environment.

"It could lead to device malfunction or the removal of important system files required for correct system operation," according to a Kaspersky spokesperson. "To execute this attack, an intruder had to create a specific file and convince users to run the 'Delete all service data and reports' or 'Save report on your computer' product features."

Kaspersky has fixed the issue: Users should update to version 21.6 or later to patch their systems.

Where LPE Bugs Fit in the Attack Chain

While not considered as flashy as the remote code execution (RCE) bugs used to gain initial compromise on a target, LPE flaws in general deserve recognition -- and patching prioritization -- as they're often linchpins within a wider attack flow. After cybercriminals gain initial access to a target via RCE or social engineering, LPEs are generally used by attackers to boost their privileges from a normal user profile to SYSTEM.

With these kinds of local admin privileges, an attacker can then gain further access to the network, and ultimately a company's crown jewels.

"A fully compromised computer would allow an attacker access to websites, credentials, files, and other sensitive information that could be useful by itself, or useful in moving laterally inside a corporate network," Jonathan Knudsen, head of global research at Synopsys Cybersecurity Research Center, tells Dark Reading.

Any Software Can Be Vulnerable

Kaspersky's VPN Secure Connection offers remote workers a supposedly secure way to tie back to a corporate network and resources, but Knudsen notes that the bug discovery points out an important truism: "All software has vulnerabilities, even security software. The key to releasing better, more secure software is using a development process where security is part of every phase."

He adds that Synopsys hasn't seen any exploitation of the bug, but "most likely attackers will take note of it as a possible technique," so users should go ahead and patch as soon as they can.