Vulnerabilities discovered in Kaspersky Secure Connection, Trend Micro Maximum Security, and Autodesk Desktop Application could be exploited for DLL preloading, code execution, and privilege escalation, a security firm has warned.
According to SafeBreach, Kaspersky Secure Connection (KSDE), a VPN client used with various Kaspersky applications, including Security Cloud, Internet Security, Anti-Virus, Total Security, and Kaspersky Free, is impacted by CVE-2019-15689, a vulnerability that could allow an attacker to implant and run an arbitrary unsigned executable.
The issue is similar to vulnerabilities that SafeBreach has disclosed over the past several weeks in anti-malware applications from McAfee, Symantec, Avast and Avira, where privileged processes attempt to load libraries that are not present at the expected location.
Specifically, KSDE, a signed service that starts automatically at system boot up and which runs as SYSTEM, attempts to load multiple missing DLLs. An attacker able to load an arbitrary DLL could have it run with SYSTEM privileges within the context of ksde.exe.
The root cause of the vulnerability, SafeBreach notes, is that the process does not perform a signature verification against the loaded DLL, and that it attempts to load the library using only the filename and not an absolute path.
Successful exploitation of the flaw could result in an attacker executing malicious code within the signed Kaspersky process, which enables them to avoid detection.