Kaspersky Secure VPN vulnerability could have given hackers the keys to the kingdom

Polygonal vector illustration of the virtual private network's shield reading VPN and world map on the background
(Image credit: Shutterstock)

Kaspersky has patched a major flaw in one of its VPN products which, had a malicious actor discovered it sooner, could have been abused to give them elevated privileges in a third-party environment. 

The company confirmed these findings in a security advisory in which it also urged its users to patch their systems immediately. In early March this year, a researcher from the Synopsys Cybersecurity Research Center (CyRC), Zeeshan Shaikh, found an escalation of privilege flaw in Kaspersky’s VPN Secure Connection for Windows. This flaw would allow users to change their account status from “regular” to admin, essentially. In Windows, the account is called SYSTEM, it was explained. 

“In the Support Tools part of the application, a regular user can use ‘delete service data and reports’ to remove a privileged folder,” CyRC explains. “And with that capability, an attacker can gain elevated privileges.”

High-risk

The flaw is now tracked as CVE-2022-27535, and carries a severity score of 7.8. That puts it in the “high-risk” category, but not quite “critical”. According to Kaspersky, there is no evidence of the flaw being exploited in the wild, so it’ good news that noone seems to have gotten hurt. Still, users are advised to apply the fix and bring their VPNs up to version 21.6 or later. 

Cybercriminals often prey on unpatched devices, as unattended known vulnerabilities are often considered low-hanging fruit. 

According to CyRC, Kaspersky took almost a month to confirm Shaikh’s findings, and said it released a fix in late May. Shaikh was able to validate the fix in late July.

Although no harm was done, the irony of the situation is that software such as the Kaspersky VPN Secure Connection for Windows is built to protect people from breaches, not be the root cause of one. VPN software is built to mask a device’s internet protocol address, encrypt data and route it through secure networks to servers often located abroad. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.