Positive Technologies expert has detected a vulnerability in Kaspersky Lab's security software




Positive Technologies expert Georgy Zaitsev discovered a vulnerability in the Application Control component of Kaspersky Embedded Systems Security versions 1.1 and 1.2, a specialized protection product for embedded systems. The flaw was found during a security audit of an ATM on which the product was installed. Exploiting it could potentially allow an attacker to install unknown software on the ATM and then escalate the attack until all the cash had been withdrawn from the device. Kaspersky Lab quickly eliminated the vulnerability in the current versions of the solution.

Technically, exploiting the vulnerability allowed an attacker to load the Kaspersky Embedded Systems Security service to the point where it could not process file-launch requests within the allotted time. This, in turn, let the attacker run applications that were not on the whitelist. An attacker could thus run .exe files on the ATM (for example, from a USB flash drive or over the network) to escalate privileges on the system, infect it, or simply withdraw all the cash available in the device.

"The whitelist principle allows only trusted programs to run on the device. The vulnerability in Application Control opened two ways to bypass this restriction and launch the file the attacker needs," said Georgy Zaitsev. "In the first case, an attacker could append a large amount of meaningless data to the end of the executable file. After that, the file had to be run twice. At the first start, the hash sum of the file, that is, its identifier, is calculated; on its basis a decision must be made whether to allow or deny the start. With a sufficiently large file, this process takes longer than the time allotted for the check. As a result, once the allotted period expires, the file is executed."

Because Kaspersky Embedded Systems Security saves the results so that the hash sum does not have to be recomputed on subsequent launches, this method works only the first time the file is run.

"The second method made it possible to work around this limitation and consisted in launching a large number of instances of the application simultaneously. This, roughly speaking, also caused the application to 'freeze' and, as a result, allowed a file not on the whitelist to be launched," said Georgy Zaitsev.
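Both methods described above come down to the same design question: what an allow-list check answers when its time budget runs out before the file's hash is known. The following is an added example, not code from Kaspersky Lab or Positive Technologies: a toy Python model of a hash-based application-control check with a time budget. The `AppControl` class, its `fail_open` flag, the budget value, the sample file paths and the byte strings standing in for executables are all constructed assumptions, and a per-chunk delay stands in for hashing a very large file. Run fail-open, the first launch of an unknown file is permitted because the verdict is not ready in time, while the saved verdict denies the second launch, matching the first-run-only behaviour described above; run fail-closed, a launch whose verdict is not ready is refused.

```python
import hashlib
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

# Constructed stand-ins for executables on the device (not real binaries).
TRUSTED_EXE = b"MZ trusted-dispenser-service" * 1000
UNKNOWN_EXE = b"MZ unknown-tool" * 1000


def sha256_of(data: bytes, chunk: int = 1 << 16, delay_per_chunk: float = 0.0) -> str:
    """Chunked SHA-256; delay_per_chunk simulates reading a very large file."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
        if delay_per_chunk:
            time.sleep(delay_per_chunk)
    return h.hexdigest()


# The whitelist holds the hashes of programs permitted to start.
ALLOWLIST = {sha256_of(TRUSTED_EXE)}


class AppControl:
    """Hypothetical model: allow or deny a launch by file hash within a time budget."""

    def __init__(self, allowlist, budget_s: float, fail_open: bool):
        self.allowlist = set(allowlist)
        self.budget_s = budget_s      # how long a launch may wait for a verdict
        self.fail_open = fail_open    # answer given when the budget runs out
        self.cache = {}               # path -> saved verdict (no re-hash later)
        self.pending = []             # (path, future) for hashes still running
        self.pool = ThreadPoolExecutor(max_workers=4)

    def _verdict(self, digest: str) -> str:
        return "ALLOW" if digest in self.allowlist else "DENY"

    def decide(self, path: str, data: bytes, delay_per_chunk: float = 0.0) -> str:
        if path in self.cache:                      # saved result: instant answer
            return self.cache[path]
        fut = self.pool.submit(sha256_of, data, 1 << 16, delay_per_chunk)
        try:
            digest = fut.result(timeout=self.budget_s)
        except FutureTimeout:
            # Budget exhausted before the hash was known. Fail-open treats
            # "not yet checked" as "trusted"; fail-closed refuses the launch.
            self.pending.append((path, fut))
            return "ALLOW" if self.fail_open else "DENY"
        self.cache[path] = self._verdict(digest)
        return self.cache[path]

    def drain(self) -> None:
        """Let background hashes finish and save their verdicts (models 'later')."""
        for path, fut in self.pending:
            self.cache[path] = self._verdict(fut.result())
        self.pending.clear()

    def close(self) -> None:
        self.pool.shutdown(wait=True)


def demo(fail_open: bool) -> list:
    """Verdicts for: slow unknown file (1st run), same file (2nd run), trusted file."""
    ac = AppControl(ALLOWLIST, budget_s=0.05, fail_open=fail_open)
    first = ac.decide(r"E:\unknown.exe", UNKNOWN_EXE, delay_per_chunk=0.3)
    ac.drain()                                   # the hash completes in the background
    second = ac.decide(r"E:\unknown.exe", UNKNOWN_EXE, delay_per_chunk=0.3)
    trusted = ac.decide(r"C:\atm\dispenser.exe", TRUSTED_EXE)
    ac.close()
    return [first, second, trusted]


if __name__ == "__main__":
    print("fail-open  :", demo(True))    # ['ALLOW', 'DENY', 'ALLOW']
    print("fail-closed:", demo(False))   # ['DENY', 'DENY', 'ALLOW']
```

The design point for a defender is the `except FutureTimeout` branch: a launch whose verdict is unknown should be denied, not waved through, and the hashing itself belongs off the launch path (verdicts pre-computed and cached when files land on disk) so that neither a huge file nor a burst of simultaneous launch requests can push the check past its budget.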

Kaspersky Lab has already released a patch fixing the described vulnerability in versions 1.1 and 1.2. The same patch also corrected another vulnerability discovered by Positive Technologies experts, which made it possible to disable the Application Control functionality by sending a specially crafted request to the klif.sys driver. Neither vulnerability is present in the new version, Kaspersky Embedded Systems Security 2.0.

This is not the first security problem Positive Technologies experts have found in security software for ATMs. At the end of 2016, the company's researchers disclosed a dangerous vulnerability in the Solidcore system, which is part of the McAfee Application Control (MAC) product.
