High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover

A high-severity local privilege-escalation (LPE) vulnerability in Kaspersky’s VPN Secure Connection for Microsoft Windows has been discovered, which would allow an attacker to gain administrative privileges and take full control over a victim’s computer.

Tracked as CVE-2022-27535, the bug carries a high-severity CVSS score of 7.8 out of 10, according to an advisory out today from Synopsys, which discovered the issue. It exists in the Support Tools part of the application, and would allow an authenticated attacker to trigger arbitrary file deletion in the system.

“it could lead to device malfunction or the removal of important system files required for correct system operation,” according to a Kaspersky spokesperson. “To execute this attack, an intruder had to create a specific file and convince users to run ‘Delete all service data and reports’ or 'Save report on your computer” product features.’"

While remote code execution (RCE) bugs tend to hog the patching spotlight, LPE flaws deserve recognition as they’re often linchpins within a wider attack flow. After cybercriminals gain initial access to a target via RCE or social engineering, LPEs are generally used by attackers to boost their privileges from a normal user profile to SYSTEM – i.e., the highest privilege level in the Windows environment.

With these kinds of local admin privileges, an attacker can then gain further access to the network, and ultimately a company’s crown jewels.

“A fully compromised computer would allow an attacker access to websites, credentials, files, and other sensitive information that could be useful by itself, or useful in moving laterally inside a corporate network,” Jonathan Knudsen, head of global research at Synopsys Cybersecurity Research Center, tells Dark Reading.

Kaspersky’s VPN Secure Connection offers remote workers a supposedly secure way to tie back to a corporate network and resources, and Knudsen notes that the bug discovery points out an important truism: “All software has vulnerabilities, even security software. The key to releasing better, more secure software is using a development process where security is part of every phase.”

He adds that Synopsys hasn’t seen any exploitation of the bug, but “most likely attackers will take note of it as a possible technique.” Users should upgrade to version 21.7.7.393 or later to patch their systems.