The second vulnerability found by Ormandy, rated “high severity,” involves improper protection of the private key for the local CA root. “So if you use Kaspersky Antivirus in Manchester, Connecticut and were wondering why Hacker News didn’t work sometimes, it’s because of a critical vulnerability that has effectively disabled SSL certificate validation for all 400 million Kaspersky users,” the expert said. ) by sending the targeted Kaspersky Antivirus user two certificates with the same key.Ī search of certificate transparency logs revealed, for instance, that the certificate used by Hacker News () had the same serialNumber/issuer hash as the certificate for the website of Manchester, Connecticut (). The expert said an attacker could have intercepted all traffic to a certain domain (e.g. The problem, according to the researcher, was that the 32-bit key was not enough to prevent a man-in-the-middle (MitM) attacker from creating collisions. If a match is found for a key, they just pull the previously generated certificate and key out of the binary tree and start using it to relay data to the user-agent,” the expert added. “The cache is a binary tree, and as new leaf certificates and keys are generated, they’re inserted using the first 32 bits of MD5(serialNumber||issuer) as the key. If it has, it just grabs the existing certificate and private key and then reuses it for the new connection,” Ormandy explained in an advisory. In order to do this, Kaspersky fetches the certificate chain and then checks if it’s already generated a matching leaf certificate in the cache. “Kaspersky cache recently generated certificates in memory in case the user agent initiates another connection. This results in certificates appearing as if they have been issued by “Kaspersky Anti-Virus Personal Root Certificate” on systems running Kaspersky Antivirus. The company proxies SSL connections by adding its own certificate as a trusted authority to the system store and replacing all leaf (end-entity) certificates on the fly. According to the expert, Kaspersky uses a Windows Filtering Platform driver to intercept outgoing HTTPS connections. The first vulnerability, rated “critical” by Ormandy, is related to how Kaspersky Antivirus inspects SSL/TLS connections. The flaws were addressed by the security firm in late December. Google Project Zero researcher Tavis Ormandy has discovered two serious certificate-related issues in Kaspersky Lab’s anti-malware products.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |