
Researchers disclose DLL loading vulnerabilities in Autodesk, Trend Micro, Kaspersky software


steven36


Privilege escalation and code execution bugs lurked in the applications.

 


 

Researchers have disclosed a set of security vulnerabilities in Autodesk, Trend Micro, and Kaspersky software. 

 

On Monday, the SafeBreach Labs published three security advisories describing the bugs, all of which were privately reported to the vendors before public disclosure.

 

The first vulnerability, tracked as CVE-2019-15628, impacts Trend Micro Maximum Security version 16.0.1221 and below. One of the software's components, the Trend Micro Solution Platform service, coreServiceShell.exe, runs as NT AUTHORITY\SYSTEM with high levels of permission, and it was this executable that the researchers targeted. 

 

Once coreServiceShell.exe executes, a library, paCoreProductAdaptor.dll, is loaded. Because of a missing DLL, and because neither safe DLL loading nor signature validation is in place, attackers could exploit this security hole to get unsigned DLLs loaded by the service.

 

Being able to load and execute arbitrary DLLs with signed software of high privileges could lead to application whitelisting bypass, the evasion of cybersecurity protections, persistence -- as the software runs on startup -- and potentially privilege escalation, the researchers say. 

 

"The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the service is loaded," SafeBreach Labs says. "That means that once the attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code each time it is restarted."

 

 

The second vulnerability disclosed at the same time affects Kaspersky Secure Connection, a virtual private network (VPN) client deployed with Kaspersky Internet Security solutions to establish a secure connection to the vendor's servers.

 

Tracked as CVE-2019-15689, this bug can only be abused if an attacker has already secured administrator privileges on versions of the software below 4.0. 

 

Kaspersky Secure Connection also runs as NT AUTHORITY\SYSTEM and, in the same way as the Trend Micro issue above, the Kaspersky Secure Connection 3.0.0 service (KSDE) attempts to load DLLs that are not present, opening a path for abuse through an uncontrolled search path and the absence of signature validation.

 

Potentially suitable as part of a post-exploitation chain, the vulnerability permits arbitrary DLLs to be loaded by a process that is signed by AO Kaspersky Lab and runs with high permission levels.

 

The final vulnerability, CVE-2019-7365, was discovered in the Autodesk desktop application. The desktop app service, AdAppMgrSvc.exe, is related to Autodesk software from 2017 to the present day and runs as NT AUTHORITY\SYSTEM. An attempt by an accompanying library to load a missing DLL also permitted the loading of arbitrary DLLs. In addition, there is no digital certificate validation, so unsigned DLLs can be executed.

 

"After an attacker gains access to a computer, he might have limited privileges which can limit access to certain files and data," the researchers say. "The service provides him with the ability to operate as NT AUTHORITY\SYSTEM which is the most powerful user in Windows, so he can access almost every file and process which belongs to the user on the computer."

 

The vulnerabilities were reported to Trend Micro, Kaspersky, and Autodesk in July, with each security flaw confirmed in the same month or in August. 

 

Trend Micro asked for time beyond the usual 90-day disclosure policy and, after resolving the issue, published a security advisory on November 25. Kaspersky patched the bug and published a security advisory on December 2. Autodesk has yet to release an advisory.

 

ZDNet has reached out to Kaspersky, Trend Micro, and Autodesk with additional queries but has not heard back at the time of publication. 

 

Source

 

 

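The three advisories above share one pattern: a service running as NT AUTHORITY\SYSTEM asks for a DLL that is not where it expects, Windows walks the search path, and nothing checks the signature of what it finds. As an added example (not code from the article or from SafeBreach), the Python below turns that pattern into detection logic run over constructed Sysmon-style image-load records; the install directory, the C:\Users\Public drop path and the flattened record layout are assumptions made for the example.

```python
import ntpath
# A SYSTEM service may legitimately resolve a DLL from its own executable's
# directory or from these system directories; a load from anywhere else means
# the loader walked the search path, the pattern behind all three advisories.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed Sysmon Event ID 7 ("Image loaded") records flattened to
# key=value pairs. Field names follow Sysmon; the install directory and the
# C:\Users\Public drop location are assumptions, not the product's real paths.
APP_DIR = r"C:\Program Files\TrendMicroExample"
SAMPLE_EVENTS = [
    "Image=" + APP_DIR + r"\coreServiceShell.exe|ImageLoaded=" + APP_DIR
    + r"\paCoreProductAdaptor.dll|Signed=true|SignatureStatus=Valid"
    + r"|User=NT AUTHORITY\SYSTEM",
    "Image=" + APP_DIR + r"\coreServiceShell.exe"
    + r"|ImageLoaded=C:\Users\Public\paCoreProductAdaptor.dll"
    + r"|Signed=false|SignatureStatus=Unavailable|User=NT AUTHORITY\SYSTEM",
    "Image=" + APP_DIR + r"\coreServiceShell.exe"
    + r"|ImageLoaded=C:\Windows\System32\kernel32.dll"
    + r"|Signed=true|SignatureStatus=Valid|User=NT AUTHORITY\SYSTEM",
]

def parse_event(line):
    """Turn one flattened record into a dict of Sysmon field -> value."""
    return dict(field.split("=", 1) for field in line.split("|"))

def classify(event):
    """Return the reasons a load by a SYSTEM process looks like a hijack.
    Loads by other accounts are out of scope for this example and give []."""
    reasons = []
    if event.get("User", "").upper() != r"NT AUTHORITY\SYSTEM":
        return reasons
    loader_dir = ntpath.dirname(event["Image"]).lower()
    loaded_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    if loaded_dir != loader_dir and loaded_dir not in SYSTEM_DIRS:
        reasons.append("resolved outside the application and system directories")
    signed_ok = event.get("Signed", "").lower() == "true"
    if not signed_ok or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or signature not valid")
    return reasons

def find_suspicious(lines):
    """Return (loader, loaded DLL, reasons) for every flagged record."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            findings.append((event["Image"], event["ImageLoaded"], reasons))
    return findings
```

The directory heuristic flags every search-path load, so allowlist a product's own plugin directories before running it over real Sysmon telemetry.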
54 minutes ago, steven36 said:

The second vulnerability disclosed at the same time affects Kaspersky Secure Connection, a virtual private network (VPN) client deployed with Kaspersky Internet Security solutions to forge a secure connection with the vendor's servers. 

Kaspersky Secure Connection is actually optional, so when installing any Kaspersky anti-malware solution you can safely remove the program, as it is not even a prerequisite to run any Kaspersky products. This eliminates the risk of the vulnerability (unless there's another disclosure or discovery).



37 minutes ago, Edward Raja said:

Kaspersky Secure Connection is actually optional, so when installing any Kaspersky anti-malware solution you can safely remove the program, as it is not even a prerequisite to run any Kaspersky products. This eliminates the risk of the vulnerability (unless there's another disclosure or discovery).

The VPN has been patched now. It's not recommended to use it with the free version, no way.

 

 

When you install Kaspersky Internet Security or Kaspersky Total Security, the newly added Secure Connection will be installed on your computer along with it. Kaspersky Secure Connection is a VPN service available in a limited mode to Kaspersky users; the free version offers only 200 MB of data per day, or 300 MB per day if the Kaspersky Lab application is connected to a My Kaspersky account.

 

When the data limit is exceeded, a notification will be shown asking you to wait a few more hours before you can use the service again. If you want to use Secure Connection without limitations, you need to purchase a license by visiting the Kaspersky Online Store. If you think this is too much of a hassle, you can remove Kaspersky Secure Connection; here is how that can be done.

 

Three reasons to remove Kaspersky Secure Connection

  1. You want to use Kaspersky, but are not interested in it because it won't let you use more than 200 MB of data per day.
  2. You're using a trial version of a Kaspersky application. After the evaluation period, you either need to purchase a license for Kaspersky or uninstall it, but Secure Connection will be left behind when you uninstall. It isn't of much use then, so you need to delete it anyway.
  3. Another scenario is that, while keeping Kaspersky, you may want to use another VPN.

 

The PITA of it is that they recommend using the Kaspersky removal tool. Years ago they used to have a custom install. After v7 they changed the firewall around, to where, if you use their products, you're better off just using the AV with another firewall.

 

 



1 minute ago, steven36 said:

The VPN has been patched now. It's not recommended to use it for the free version, no way.

I know, but I just remove it, as I said earlier.



22 minutes ago, Edward Raja said:

I know, but I just remove it, as I said earlier.

So many people had problems in the past blocking software with keys with the apps; it's not worth using the version with the firewall. KIS kind of has a mind of its own: when you try to block an .exe it adds it itself to trusted, but I did figure out how to block IPs with it back in 2014, testing it in a VM. I've not used any of their products in years, other than in a VM, and I always used their antivirus only, ever since v5, before they ever had KIS. v5 and v6 were nice and light; me and @Gunslinger used it for a long time after KIS 7 and KAV 7 came out. In v8 they changed the firewall so that it acted nuts.
