Kaspersky Lab updated products to address several denial-of-service (DoS) and memory disclosure vulnerabilities.
There are four issues in Kaspersky Internet Security products, specifically in the KLIF, KLDISK and KL1 drivers, said researchers at Cisco’s Talos group.
Two of the flaws (CVE-2016-4304 and CVE-2016-4305) end up related to the way the KLIF driver handles NtUserCreateWindowEx and NtAdjustTokenPrivileges calls. A malicious app can execute an API call using invalid parameters and cause a system crash.
Another local DoS flaw, identified as CVE-2016-4307, ends up related to how the KL1 driver handles IOCTL calls. An attacker can exploit this vulnerability to cause a memory access violation and crash the system by sending a specially crafted IOCTL call to the driver.
Another issue found by Talos researchers (CVE-2016-4306) can allow attackers to use specially crafted IOCTL calls to leak kernel memory content. The weakness, caused by a weak implementation of the KlDiskCtl service in the KLDISK driver, can end up exploited by an attacker to obtain information that may be useful in combination with other vulnerabilities.
Piotr Bania and Marcin ‘Icewall’ Noga of Cisco Talos discovered the vulnerabilities.
“The vulnerabilities affect Kaspersky Internet Security 16.0.0, KLIF driver version 10.0.0.1532, but may affect other versions of the software too. Since anti-virus software runs with low level privileges on any system, vulnerabilities in these software are potentially very interesting for attackers,” Cisco researchers said. “Although these vulnerabilities are not particularly severe, administrators should be aware that security systems can be used by threat actors as part of an attack, and keep such systems fully patched.”
Cisco first reported the vulnerabilities to Kaspersky in late April.