Kaspersky Fixes Two Certificate Flaws

Thursday, January 5, 2017 @ 05:01 PM gHale


Kaspersky Lab fixed two certificate-related issues in its anti-malware products.

The first vulnerability, rated “critical” by Google Project Zero researcher Tavis Ormandy, who discovered both issues, relates to how Kaspersky Antivirus inspects SSL/TLS connections.

Kaspersky uses a Windows Filtering Platform driver to intercept outgoing HTTPS connections, Ormandy said in a blog post.

The company proxies SSL connections by adding its own certificate as a trusted authority to the system store and replacing all leaf (end-entity) certificates on the fly. The result is that, on systems running Kaspersky Antivirus, certificates appear to have been issued by “Kaspersky Anti-Virus Personal Root Certificate.”

“Kaspersky caches recently generated certificates in memory in case the user agent initiates another connection. In order to do this, Kaspersky fetches the certificate chain and then checks if it’s already generated a matching leaf certificate in the cache. If it has, it just grabs the existing certificate and private key and then reuses it for the new connection,” Ormandy said in the blog post.

“The cache is a binary tree, and as new leaf certificates and keys are generated, they’re inserted using the first 32 bits of MD5(serialNumber||issuer) as the key. If a match is found for a key, they just pull the previously generated certificate and key out of the binary tree and start using it to relay data to the user-agent,” he said.

The problem, according to the researcher, was that a 32-bit key is far too short to prevent a man-in-the-middle (MitM) attacker from creating collisions. An attacker could capture all traffic to a certain domain (e.g. mail.google.com) by sending the targeted Kaspersky Antivirus user two certificates that map to the same 32-bit cache key.
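To make the collision problem concrete, here is an added example (not Kaspersky's code and not from Ormandy's post) that models the cache design described above: a lookup keyed on the first 32 bits of MD5(serialNumber || issuer), beside a hardened variant keyed on a full SHA-256 of the certificate that also compares the stored certificate on a hit. The issuer name, the certificate stand-ins and the cache classes are all constructed for the illustration; the birthday search simply shows how few distinct serial numbers it takes for two of them to share a 32-bit key.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed issuer name; any string works, it only feeds the hash.
ISSUER = "CN=Example Test CA"


def truncated_key(serial: int, issuer: str) -> bytes:
    """The weak cache key from the article: first 32 bits of MD5(serialNumber || issuer)."""
    data = serial.to_bytes(8, "big") + issuer.encode()
    return hashlib.md5(data).digest()[:4]


def full_key(cert_der: bytes) -> bytes:
    """Hardened cache key: SHA-256 over the entire certificate, not just two fields of it."""
    return hashlib.sha256(cert_der).digest()


def fake_cert(serial: int, issuer: str, subject: str) -> bytes:
    """Constructed stand-in for a DER-encoded leaf certificate (not real ASN.1)."""
    return f"serial={serial};issuer={issuer};subject={subject}".encode()


class WeakCache:
    """Keyed on the 32-bit truncated hash; on a hit the stored entry is returned unchecked."""

    def __init__(self) -> None:
        self._entries: Dict[bytes, Tuple[bytes, str]] = {}

    def lookup_or_insert(self, cert: bytes, serial: int, issuer: str, fresh_key: str) -> Tuple[bytes, str]:
        k = truncated_key(serial, issuer)
        if k not in self._entries:
            self._entries[k] = (cert, fresh_key)
        return self._entries[k]


class HardenedCache:
    """Keyed on the full certificate hash, and the stored certificate is compared on every hit."""

    def __init__(self) -> None:
        self._entries: Dict[bytes, Tuple[bytes, str]] = {}

    def lookup_or_insert(self, cert: bytes, fresh_key: str) -> Tuple[bytes, str]:
        k = full_key(cert)
        hit = self._entries.get(k)
        if hit is not None and hit[0] == cert:
            return hit
        # Miss, or a key match whose certificate bytes differ: never reuse the old key.
        self._entries[k] = (cert, fresh_key)
        return self._entries[k]


def find_collision(issuer: str, limit: int = 1_000_000) -> Optional[Tuple[int, int]]:
    """Birthday search: two distinct serials with the same 32-bit truncated key.

    A 32-bit key space holds about 4.3 billion values, so a collision is expected
    after roughly 2**16 (around 80,000) distinct serial numbers.
    """
    seen: Dict[bytes, int] = {}
    for serial in range(limit):
        k = truncated_key(serial, issuer)
        if k in seen:
            return seen[k], serial
        seen[k] = serial
    return None


def demonstrate() -> Tuple[bool, bool]:
    """Returns (weak cache served the wrong entry, hardened cache served the wrong entry)."""
    pair = find_collision(ISSUER)
    if pair is None:
        raise RuntimeError("no collision found within the search limit")
    serial_a, serial_b = pair
    cert_a = fake_cert(serial_a, ISSUER, "CN=first.example")
    cert_b = fake_cert(serial_b, ISSUER, "CN=second.example")

    weak = WeakCache()
    weak.lookup_or_insert(cert_a, serial_a, ISSUER, "generated-key-A")
    served_b = weak.lookup_or_insert(cert_b, serial_b, ISSUER, "generated-key-B")
    weak_wrong = served_b[0] != cert_b  # cert_a's entry was reused for cert_b

    hard = HardenedCache()
    hard.lookup_or_insert(cert_a, "generated-key-A")
    served_b = hard.lookup_or_insert(cert_b, "generated-key-B")
    hard_wrong = served_b[0] != cert_b
    return weak_wrong, hard_wrong


if __name__ == "__main__":
    print("weak cache served wrong cert:", demonstrate()[0])
    print("hardened cache served wrong cert:", demonstrate()[1])
```

The design point is twofold: derive the cache key from the whole certificate rather than from two fields, and treat a key match as a hint to be verified against the stored certificate bytes, never as proof that the cached private key belongs to the connection being relayed.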

The second vulnerability found by Ormandy, rated “high severity,” involves improper protection of the private key for the local CA root. The problem was that the security firm stored the private key in the ProgramData folder and used an ACCESS_MASK blacklist instead of a file system access control list (ACL) to protect it.

“This is trivial to exploit, any unprivileged user can now become a CA,” Ormandy said in an advisory describing the issue.

The flaws were reported to Kaspersky on October 31 and November 11.

Kaspersky Lab cleared the vulnerabilities in Kaspersky Anti-Virus 2016, 2017, Kaspersky Internet Security 2016, 2017, Kaspersky Total Security 2016, 2017, Kaspersky Small Office Security 4, 5, Kaspersky Fraud Prevention for Endpoints 6.0 and Kaspersky Endpoint Security for Mac.

The fixes were included in an automatic update released to customers on December 28, according to a Kaspersky advisory.
