Security research company SafeBreach has discovered a security issue in Kaspersky Secure Connection, which is itself bundled into a range of other Kaspersky security products, that allows an attacker to gain privilege escalation and code execution. The vulnerability, tracked as CVE-2019-15689, allows an attacker to have an unsigned executable file (a DLL) loaded by a signed process that runs with SYSTEM privileges at system startup.
SafeBreach explained that Kaspersky Secure Connection is bundled with Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security and other software, that its service runs with SYSTEM permissions, and that the executable is signed by “AO Kaspersky Lab”. If an attacker finds a way to execute code inside this process, they can use the signed, trusted process to bypass application whitelisting and other security products.
Because the service runs at boot time, a potential attacker also gains persistence: the malicious payload runs every time the system boots. An in-depth analysis found that Kaspersky’s service tried to load a series of DLLs, some of which were missing, and because the software did not verify signatures on the DLLs it loaded, an unsigned executable could easily be passed off as a legitimate one. In addition, the Kaspersky service does not use secure DLL loading: it requests DLLs by file name alone rather than by absolute path. The bug was reported to Kaspersky in July 2019, and SafeBreach published its security bulletin for CVE-2019-15689 on November 21.
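A defender-side check for the condition described above, unsigned or oddly located DLLs sitting inside a signed process, as an added example that is not code from SafeBreach or Kaspersky; it assumes an elevated PowerShell session and a process image name supplied by the operator.

```powershell
# Added example (not SafeBreach's or Kaspersky's code). Lists DLLs loaded into a
# process whose main image carries a valid Authenticode signature but that are
# either unsigned/invalidly signed or loaded from outside the expected directories.
# Run from an elevated session: reading the module list of a SYSTEM service needs admin.
function Find-SuspiciousModules {
    param(
        # Image name of the process to inspect, without ".exe" (assumption: operator-supplied).
        [Parameter(Mandatory)][string]$ProcessName
    )
    $system32 = [Environment]::GetFolderPath('System')   # usually C:\Windows\System32

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        $exe = $proc.Path
        if (-not $exe) { Write-Warning "PID $($proc.Id): cannot read image path"; continue }

        # Only signed hosts are interesting here: that is the trust a DLL hijack abuses.
        $exeSig = Get-AuthenticodeSignature -FilePath $exe
        if ($exeSig.Status -ne 'Valid') { continue }
        $appDir = Split-Path -Parent $exe

        try { $modules = $proc.Modules } catch { Write-Warning "PID $($proc.Id): $($_.Exception.Message)"; continue }

        foreach ($m in $modules) {
            $file = $m.FileName
            $sig  = Get-AuthenticodeSignature -FilePath $file
            $reasons = @()
            if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }

            # A DLL that is neither in System32 nor beside the executable suggests the loader
            # resolved a bare file name through the search path; such hits deserve review.
            $dir = Split-Path -Parent $file
            if (-not ($dir -like "$system32*" -or $dir -like "$appDir*")) { $reasons += "loaded from $dir" }

            if ($reasons.Count -eq 0) { continue }
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            [pscustomobject]@{
                Process = $proc.ProcessName
                Pid     = $proc.Id
                Module  = $file
                Signer  = $signer
                Reason  = $reasons -join '; '
            }
        }
    }
}

# Usage (substitute the image name of the service under review):
# Find-SuspiciousModules -ProcessName 'ExampleService' | Format-Table -AutoSize
```

32-bit processes load their system DLLs from SysWOW64 and .NET hosts from the framework directories, so expect such paths to appear as review items rather than treating every hit as a confirmed hijack.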