SSL certificate validation flaw discovered in Kaspersky AV software

Tavis Ormandy continues his war on buggy antivirus software, as the Google Project Zero researcher reported two serious vulnerabilities, including an SSL certificate validation flaw, in Kaspersky Lab's popular antivirus offering.

Ormandy reported the vulnerabilities to the vendor in November, and Kaspersky released fixes for both on Dec. 28, though publication of the flaws was "slightly delayed due to the holidays," according to the issue reports.

The more serious of the two vulnerabilities, which is rated critical by Project Zero, involves an SSL certificate validation bug that allows an attacker to easily execute man-in-the-middle attacks by brute-forcing a collision between a valid certificate and a malicious certificate.

The problem arises because Kaspersky tracks the active SSL and Transport Layer Security certificates on the local system by generating a key from the first 32 bits of an MD5 hash of each certificate. This allows an attacker to defeat SSL certificate validation by replacing a valid certificate with a malicious one, in which the first 32 bits of the certificate hash match the valid certificate.

An attacker can, for example, intercept all traffic between the victim and Google's mail service by first sending the real certificate for mail.google.com. The Kaspersky program does SSL certificate validation and then creates its own 32-bit key from the real certificate's MD5 hash. On the next connection to mail.google.com, the attacker can send a certificate for "attacker.com," whose certificate generates the same 32-bit MD5 hash as the valid certificate, Ormandy wrote on the Project Zero issue tracker. If the attacker "redirects domain name system requests for mail.google.com to attacker.com, Kaspersky starts using [its] cached certificate and the attacker has complete control of mail.google.com."

"Just for fun, I searched the Certificate Transparency logs for some collisions," Ormandy wrote. Starting with the certificate for the Hacker News website, he found a key collision with the Manchester, Conn., government website. "You can reproduce this bug by visiting https://autodiscover.manchesterct.gov, then https://news.ycombinator.com and observing that the content is signed by the wrong certificate."

"So, if you use Kaspersky Antivirus in Manchester, Connecticut, and were wondering why Hacker News didn't work sometimes," Ormandy wrote, "it's because of a critical vulnerability that has effectively disabled SSL certificate validation for all 400 million Kaspersky users."

The second vulnerability, listed with a severity rating of "high," involves inadequate protection for certificate authority root certificates within Kaspersky's software. This vulnerability allows an unprivileged user to function as a trusted certificate authority on the target system.

This is not the first time Ormandy and Google Project Zero have uncovered surprisingly serious flaws in widely used antivirus software. Last May, Project Zero reported Symantec antivirus products were subject to a kernel memory corruption attack requiring no user interaction. "This is about as bad as it can possibly get," Ormandy wrote of the flaw.

Last September, Project Zero reported more critical vulnerabilities in Symantec's antivirus software related to the use of unpatched open source code. Kaspersky Antivirus also previously received attention from Project Zero in 2015 for a number of bugs leading to memory corruption that occurred when parsing crafted malicious files using several different formats.