Multiple vulnerabilities in Kaspersky Internet Security



Updated: 2020-08-08
Risk: High
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2017-12816, CVE-2017-12817
CWE-ID: CWE-732, CWE-311
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Kaspersky Internet Security (Client/Desktop applications / Antivirus software/Personal firewalls)
Vendor: Kaspersky Lab

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Incorrect permission assignment for critical resource

EUVDB-ID: #VU38421

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-12816

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

In Kaspersky Internet Security for Android 11.12.4.1622, some of the application's exported activities have weak permissions, which a malware application might use to get unauthorized access to the product functionality through Android IPC.
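
A defensive manifest review for the weakness class described above (exported activities with weak permissions), as an added example that is not Kaspersky's code or part of the original bulletin. The package, activity and permission names in the sample manifest are constructed, and the check assumes a plain-text (decoded) AndroidManifest.xml.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
WEAK_LEVELS = {"normal", "dangerous"}  # any installed app can hold these

# Constructed sample manifest; package, activity and permission names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.av">
  <permission android:name="com.example.av.WEAK" android:protectionLevel="normal"/>
  <permission android:name="com.example.av.STRONG" android:protectionLevel="signature|privileged"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="true"/>
    <activity android:name=".ScanActivity" android:exported="true" android:permission="com.example.av.WEAK"/>
    <activity android:name=".LicenseActivity" android:exported="true" android:permission="com.example.av.STRONG"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter><action android:name="com.example.av.OPEN"/></intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>"""

def audit_exported_activities(manifest_xml):
    """Return [(activity, reason)] for exported activities that other apps can start."""
    root = ET.fromstring(manifest_xml)
    # Map each permission declared in this manifest to its base protection level.
    levels = {p.get(ANDROID + "name"): (p.get(ANDROID + "protectionLevel") or "normal").split("|")[0]
              for p in root.iter("permission")}
    findings = []
    for act in root.iter("activity"):
        name = act.get(ANDROID + "name")
        exported = act.get(ANDROID + "exported")
        filters = act.findall("intent-filter")
        # Before Android 12, an intent-filter without android:exported implies exported.
        if exported == "false" or (exported is None and not filters):
            continue
        cats = {c.get(ANDROID + "name") for f in filters for c in f.findall("category")}
        if "android.intent.category.LAUNCHER" in cats:
            continue  # the launcher entry point has to be exported
        perm = act.get(ANDROID + "permission")
        if perm is None:
            findings.append((name, "exported without android:permission"))
        elif levels.get(perm) in WEAK_LEVELS:  # permissions declared elsewhere are not judged
            findings.append((name, "guarded by %s-level permission %s" % (levels[perm], perm)))
    return findings

if __name__ == "__main__":
    print(*audit_exported_activities(SAMPLE_MANIFEST), sep="\n")
```

Activities flagged by such a review are candidates for `android:exported="false"` or a signature-level permission.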

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Kaspersky Internet Security: 11.12.4.1622

External links

http://www.securityfocus.com/bid/100505
http://support.kaspersky.com/vulnerability.aspx?el=12430#090817


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Missing Encryption of Sensitive Data

EUVDB-ID: #VU38422

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-12817

CWE-ID: CWE-311 - Missing Encryption of Sensitive Data

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In Kaspersky Internet Security for Android 11.12.4.1622, some of the application trace files were not encrypted.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Kaspersky Internet Security: 11.12.4.1622

External links

http://www.securityfocus.com/bid/100504
http://support.kaspersky.com/vulnerability.aspx?el=12430#090817


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


