Responsible disclosure keeps Kaspersky’s trusted VPN still trustworthy
Nothing made by humans is perfect. Even the stuff we create to protect and fix the imperfect stuff isn’t perfect. We all know that — why else would the process of crafting legislation that yields the laws we’re all supposed to live by be sardonically labeled “the sausage factory”?
Same for technology and the software that runs most of it. It has brought us luxuries and conveniences that were almost unimaginable a couple of generations ago, but human error has left us grappling with risks that were also unimaginable then.
Who would have thought a teenage criminal using a laptop could empty your bank account simply by knowing how to exploit software defects, with no need for guns and a getaway car? Who would have thought a nation-state hacker could take down an energy grid or upend a food supply chain from the other side of the world, again doing nothing more than exploiting software vulnerabilities with computer keystrokes.
Or, as illustrated this past week, gain control of an entire system or organizational environment via a vulnerability in the software that is supposed to keep it safe?
Fortunately, that vulnerability was discovered and fixed before any criminal hackers could exploit it — more on that below.
But vulnerabilities like these and the risks they pose have spawned an entire software security industry, valued at about $220 billion, aimed at trying to mitigate those risks, first by preventing defects during development of software products, or by fixing them if they don’t get prevented.
Those efforts include “building security in” to software while it’s being developed, with automated tools that test it for vulnerabilities while code is being written; while it’s being run; while it’s being prepared for interaction with customers or users on the internet; and then just before it launches as an application, a page on a website, a network or any number of other things.
Software is software
But even the software used to secure other software — so-called security software — can have vulnerabilities. After all, software is software — none of it is perfect. And a recent example is a virtual private network (VPN) made by Kaspersky, the multinational cybersecurity firm based in Moscow and run by a holding company in the UK.
Zeeshan Shaikh, a researcher within the Synopsys Cybersecurity Research Center (CyRC) discovered a “privilege escalation” vulnerability in Kaspersky’s VPN Secure Connection for Microsoft Windows that could allow an attacker to elevate his or her status from “regular” user to one who has high-level system privileges — in Windows that’s an account called SYSTEM.
According to a CyRC advisory released last Thursday, “in the Support Tools part of the application, a regular user can use ‘delete service data and reports’ to remove a privileged folder.” And with that capability, an attacker can gain elevated privileges.
Jonathan Knudsen, head of global research within the Synopsys CyRC, said attackers with system privileges could “do whatever they wish with the compromised system.”
Which is exactly what VPNs are meant to prevent. VPN software is supposed to protect you or your organization through multiple means — masking your device’s internet protocol address, encrypting your data, and routing it through secure networks to servers that are far away, often in other countries.
The goal is to hide an online identity, allowing users to browse the internet securely and anonymously.
But a serious vulnerability in a VPN can make it worse than useless by allowing an attacker who is a “regular” user of the VPN to get elevated access to an entire system. And while no credible VPN vendor would want its product to put its customers at risk, there are no legal requirements mandating that it be perfect.
Which confirms the mantra from software security experts that a software risk is both a business risk and a personal risk.
“VPNs require significant trust from customers,” Knudsen said. “We hope we can rely on our VPNs to keep our information private, as we might for a doctor or a lawyer. But while doctors and lawyers are bound by legal requirements, no rules exist for VPNs.”
Test, and then test some more
And Tanya Janca, founder and CEO at We Hack Purple Academy, said the discovery illustrates the need for a higher level of testing for security software.
“Testing of security software needs to be different, because of the potential risk it serves, or attempts to prevent,” she said. “This is the sort of thing that threat modeling could discover, and then — in an ideal world — you test for your threat models.”
The vulnerability Shaikh found in March is now identified by the Common Vulnerabilities and Exposures database as CVE-2022–27535. The CyRC researchers gave it a severity ranking of 7.8 on a scale of 10 on the Common Vulnerability Scoring System (CVSS), which puts it in the high-risk category but below “critical,” which starts at 9.0. CVSS is part of the National Vulnerability Database within the federal National Institute of Standards and Technology.
The good news is that, according to Knudsen, there is no evidence that the vulnerability was exploited before Kaspersky created a patch for it. So this one could fall into the category of “no harm, no foul.”
Of course, users will have to apply the update to keep their VPN secure now that the vulnerability is public. That update is in version 21.6 or later.
The good news
The other good news is that this is an example — for the most part — of how “responsible disclosure” of a vulnerability is supposed to work. A researcher or ethical hacker, in this case Shaikh, finds a vulnerability and rather than making it public immediately, notifies the owner or vendor of the product privately to allow time for it to be fixed, hopefully before malicious hackers discover it.
The timeline in this case wasn’t perfect. Synopsys CyRC notified Kaspersky of the vulnerability on March 9, Kaspersky confirmed it on March 28, and then told CyRC on May 31 that a fix had been released. But it was almost two more months, until July 29, before Shaikh was able to validate the fix.
“Communications from Kaspersky were spotty,” Knudsen said. “Ultimately, they refused to tell us the version in which this vulnerability was fixed, and our researcher had to download and test the latest.”
That stretched the somewhat standard 90-day timeline from notifying the vendor to public disclosure to 142 days. Knudsen said CyRC may not always be so patient with a lack of communication from a vendor.
“Our policy is 90 days, but we have not been enforcing that. We’re planning to tighten it up in the future,” he said.
Also, Kaspersky disputed the finding, contending that the defect Shaikh found would only allow an attacker to delete a file, not gain elevated administrative privileges. But the CyRC team said Shaikh had demonstrated that the vulnerability would allow an attacker to “move laterally within an organization’s environment.”
Whatever the severity of the bug, the bottom line is what it should be: a temporarily porous VPN that Kaspersky says on its website is “trusted and loved by millions of customers” can continue to be trusted and loved — as long as it’s up-to-date.