harlan4096

Moderator
Verified
Staff member
Malware Hunter
Advisory issued on 25th November, 2019

Description
Kaspersky Lab has fixed a security issue found by Wladimir Palant in Kaspersky Password Manager that could potentially lead remote unauthorized access by 3rd parties to information about address items which are stored in the vault while it is in unlocked state. No other data in the vault could be compromised. Issue category: Data Leakage. Issue type: Information Disclosure.
To exploit this issue an attacker would need to lure a user for visiting a specially crafted web page.

List of affected products
Kaspersky Password Manager for Windows 9.1.

Fixed versions
Kaspersky Password Manager for Windows 9.2.

We recommend our users to migrate to new version of the product.

Acknowledgements
We would like to thank researcher Wladimir Palant who discovered the issue and reported it to us.
Advisory issued on 25th November, 2019

Description
Kaspersky has fixed the following security problems in Anti-Virus products family for Windows:
  • [1] Kaspersky Protection extension for web browser Google Chrome was vulnerable to unauthorized access to its features remotely that could lead to removing other installed extensions. Severity of this issue was assessed as medium, because user should confirm deletion of the extension on Chrome's warning menu. Issue category: Unauthorized Command Execution. Issue type: Bypass. [CVE-2019-15684]
  • [2] The web protection component due to a bug in its implementation potentially allowed an attacker remotely disable such product's security features as private browsing and anti-banner. Issue category: Unauthorized Command Execution. Issue type: Bypass. [CVE-2019-15685]
  • [3] The web protection component due to a bug in its implementation potentially allowed an attacker remotely disable various anti-virus protection features. Severity of this issue was assessed as high, because an attacker can terminate product service process. Issue category: Unauthorized Command Execution. Issue type: DoS, Bypass. [CVE-2019-15686]
  • [4] The web protection component was vulnerable to remote disclosure of some information about user's system to 3rd parties (e.g. Windows version and version of the product, unique ID). Issue category: Data Leakage. Issue type: Information Disclosure. [CVE-2019-15687]
  • [5] The web protection component did not adequately inform the user about the threat of redirecting to an untrusted site. Issue category: Security Bypass. Issue type: Bypass. [CVE-2019-15688]
The web protection component was additionally improved to prevent 3rd parties from calculating unique product ID remotely (privacy hardening) [6].

To exploit all mentioned above issues an attacker would need to lure a user for visiting a specially crafted web page.

List of affected products
  • Kaspersky Anti-Virus up to 2020
  • Kaspersky Internet Security up to 2020
  • Kaspersky Total Security up to 2020
  • Kaspersky Free Anti-Virus up to 2020
  • Kaspersky Small Office Security up to 7
  • Kaspersky Security Cloud up to 2020
  • Kaspersky Protection extension for Google Chrome prior to 30.112.62.0
Fixed versions
  • Kaspersky Anti-Virus 2019 Patch I, Patch J
  • Kaspersky Internet Security 2019 Patch I, Patch J
  • Kaspersky Total Security 2019 Patch I, Patch J
  • Kaspersky Free Anti-Virus 2019 Patch I, Patch J
  • Kaspersky Small Office Security 6 Patch I, Patch J
  • Kaspersky Security Cloud 2019 Patch I, Patch J
  • Kaspersky Protection extension for Google Chrome 20.0.543.1418 as a part of 2019 Patch I
  • Kaspersky Anti-Virus 2020 Patch E, Patch F
  • Kaspersky Internet Security 2020 Patch E, Patch F
  • Kaspersky Total Security 2020 Patch E, Patch F
  • Kaspersky Free Anti-Virus 2020 Patch E, Patch F
  • Kaspersky Small Office Security 7 Patch E, Patch F
  • Kaspersky Security Cloud 2020 Patch E, Patch F
  • Kaspersky Protection extension for Google Chrome 30.112.62.0 as a part of 2020 Patch E
We recommend users to check product version and install updates. Our products have automatic updating procedure to make process of receiving updates easier and most of the users have been updated. To apply these updates a reboot may be required.

Acknowledgements
We would like to thank the following researchers who discovered the issues and responsibly reported them:
  • Wladimir Palant ([1],[2],[3],[4],[5],[6])
  • Mohamed Ouad ([1]
Source
 
Last edited: