Very serious bug in Kaspersky VPN Client opens door to PC takeover

A very serious local privilege escalation (LPE) vulnerability has been discovered in Kaspersky’s VPN Secure Connection for Microsoft Windows, which could allow an attacker to gain administrative privileges and take full control of a victim’s computer.

Tracked as CVE-2022-27535, the bug has a very severe CVSS score of 7.8 out of 10, according to an advisory released today by Synopsys, which discovered the issue. It exists in the Support Tools section of the application and would allow an authenticated attacker to trigger arbitrary file deletion on the system.

“It could lead to device malfunctions or deletion of important system files necessary for proper system operation,” said a Kaspersky spokesperson. “To perform this attack, an intruder had to create a specific file and convince users to run the product functions ‘Delete all service data and reports’ or ‘Save report to your computer.’”

While remote code execution (RCE) bugs tend to get the patching spotlight, LPE bugs deserve recognition as they are often at the center of a broader attack chain. After cyber criminals first gain access to a target through RCE or social engineering, attackers generally use LPEs to raise their privileges from a normal user profile to SYSTEM – that is, the highest privilege level in the Windows environment.

With these kinds of local administrator privileges, an attacker can then gain further access to the network and ultimately to a company’s crown jewels.

“A completely compromised computer would give an attacker access to websites, credentials, files and other sensitive information that could be useful in its own right, or could be useful to move laterally within a corporate network,” Jonathan Knudsen, head of global research at Synopsys Cybersecurity Research Center, tells Dark Reading.

Kaspersky’s VPN Secure Connection provides remote workers with a supposedly secure way to connect to a corporate network and resources, and Knudsen notes that the bug’s discovery reveals an important truth: “All software has vulnerabilities, even security software. The key to releasing better, more secure software is using a development process where security is a part of every stage.”

He adds that Synopsys has not seen any exploitation of the bug, but “attackers will likely take note of it as a possible technique.” Users must upgrade to version 21.7.7.393 or later to patch their systems.
