A serious security vulnerability has been detected in Kaspersky’s TLS Interception Tool. It’s Google’s Project Zero security researcher, Tavis Ormandy, who has found this rather puzzling vulnerability. This vulnerability issue that Tavis Ormandy has detected lies with Kaspersky’s interception of HTTPS traffic with its own certificate in order to scan for web threats.
Explaining the vulnerability
Tavis Ormandy explains that Kaspersky antivirus installs its own root certificate on a computer, that too not in a well-protected manner. Then it would replace all visited websites’ certificates with its own generated leaf certificates. This is the general expected behavior for web scanning tools. The Google Information Security Engineer discovered that Kaspersky was re-using 32-bit keys for its leaf certificates. Thus it would become easy for an outside attacker to brute force a collision, which would help him intercept the traffic of multiple websites as and when users of Kaspersky would access them. The result would be that the users would either be unable to connect to the websites or else the websites would become unencrypted HTTP connections, thereby helping hackers intercept connections and communications. All this because of this particular bug!
Tavis Ormandy gives an explanation of how the attack happens-
“The attack goes like this:
Mallory wants to intercept mail.google.com traffic, for which the 32bit key is 0xdeadbeef.
Mallory sends you the real leaf certificate for mail.google.com, which Kaspersky validates and then generates it’s own certificate and key for.
On the next connection, Mallory sends you a colliding valid certificate with key 0xdeadbeef, for any commonName (lets say attacker.com)
Now Mallory redirects DNS for mail.google.com to attacker.com, Kaspersky starts using their cached certificate and the attacker has complete control of mail.google.com.”
He adds- “It seems incredible that Kaspersky haven’t noticed that they sometimes get certificate errors for mismatching commonNames just by random chance. When they get those errors, it’s only because an active attacker didn’t fixup DNS responses that they’re not giving remote websites access to other domain owners.”
Ormandy, however, says that since Google uses QUIC, its new open source encrypted transport protocol, for its own services, Kaspersky is not able to decrypt Google services connections in Chrome, but with Firefox and other internet browsers, this is not the case. There it can be decrypted.
Anyhow, the vulnerability was reported to Kaspersky and it has been fixed as well.
The bottom line of the discussion on this particular vulnerability is that though it’s always good to have an antivirus software installed on the system, it’s also good to go for specialized anti-exploit tools and technologies like sandboxing and other virtualization technologies. PC protection is always of critical importance, hence it has to be understood that while an antivirus program protects us from malware in certain ways, there are instances when we need to do more for PC protection.