The vulnerability was discovered in a specialized solution for embedded systems installed on an ATM - and has been promptly fixed by the vendor
Georgy Zaytsev, a Positive Technologies researcher, discovered the vulnerability in the Application Control component of Kaspersky Embedded Systems Security 1.1 and 1.2 during a security audit of an ATM running KESS. Its exploitation could potentially enable an attacker to install unknown software on the ATM and ultimately withdraw all cash. Kaspersky Lab promptly issued a security patch.
From a technical standpoint, exploitation of this vulnerability enabled an attacker to overload Kaspersky Embedded Systems Security to the point of making it unable to process requests for verification of files being opened within the allotted time. This, in turn, allowed the attacker to start any applications on the ATM bypassing the whitelist, for example run executable files from a flash drive or using the network in order to escalate privileges on the system, infect it, or just withdraw all cash.
"The whitelist principle allows only trusted applications to run on a device. The vulnerability in Application Control opened up two ways of bypassing the restriction and opening the file that the attacker needed. The first one implied adding a large amount of any insignificant data at the end of an executable file. The attacker then had to run the file twice. When the file is first started, the system computes its hash, or identifier, used to decide whether to allow or block the operation. With a large file, the process takes longer than the time allotted for verification. So when it runs out, the file is started," says Georgy Zaytsev.
Because the solution allows saving results in order not to recompute the hash when the file is started again, this method only works when the file is started for the first time.
"The second method allowed bypassing this restriction and consisted in opening multiple instances of the application simultaneously. This also caused the application to hang, roughly speaking, and as a result allowed the attacker to start an unauthorized file," says Georgy Zaytsev.
Kaspersky Lab has already issued a patch to fix the vulnerability in current versions of the solution. The same patch also addresses another vulnerability discovered by Positive Technologies researchers that allowed disabling the Application Control functionality by sending a special request to the klif.sys driver. The latest version of the solution, Kaspersky Embedded Systems Security 2.0, does not contain these vulnerabilities.
"With latest patch available since 23 June, customers using Kaspersky Embedded Systems Security are protected against the vulnerabilities that have been reported to us by Positive Technologies. Customer security has always been a top priority for us, so that we can help protect what matters most to them. We would like to thank Positive Technologies for reporting these vulnerabilities to us in a responsible manner. Kaspersky Lab recognizes the value security researchers add when they disclose vulnerabilities to vendors directly, and our bug bounty program – by offering rewards for discovering vulnerabilities – serves as a testament to our dedication to continuously improve the resiliency of our products.” comments Kaspersky Lab spokesperson.
This is not the first issue that Positive Technologies researchers have discovered in ATM security software. In the winter of 2016, they detected a dangerous vulnerability in the Solidcore system included in McAfee Application Control (MAC).