Kaspersky Releases Certificate Patch
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Threat details
During key generation, Kaspersky stores each certificate in memory after it has been generated. It then checks whether the certificate has been generated recently and, if it finds a match, reuses it.
The new vulnerability was found in how Kaspersky’s antivirus inspects encrypted traffic. Since traffic needs to be decrypted before inspection, Kaspersky presents its certificates as a trusted authority, allowing the stream to be inspected. This can be seen when a user opens a webpage in their browser: the certificate will appear to come from Kaspersky Anti-Virus Personal Root rather than the expected authority.
Research has shown that the internally stored certificates are weak because of the keys used to index them in the database structure created in memory.
Recently published research provided an example in which 2 different websites, when subjected to the above process, produced exactly the same key when the certificate was stored in memory, leading Kaspersky to believe they were the same certificate.
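A constructed model of the cache behaviour described above, added here as an illustration and not Kaspersky's code or the researchers': the 16-bit index width, the byte strings standing in for certificates and all class and function names are assumptions. It shows a truncated index handing one site's stored certificate to a different site, beside a cache that keys on the full digest and re-checks the stored identity before reuse.

```python
import hashlib
from itertools import count

INDEX_BITS = 16  # assumption: narrow on purpose so a collision is found quickly

def weak_index(upstream_cert: bytes) -> int:
    """Truncated digest used as the in-memory lookup key (constructed model)."""
    digest = hashlib.sha256(upstream_cert).digest()
    return int.from_bytes(digest[:INDEX_BITS // 8], "big")

class WeakCache:
    """Reuses whatever leaf is already stored under the truncated index."""
    def __init__(self):
        self.slots = {}
    def leaf_for(self, host: str, upstream_cert: bytes) -> str:
        return self.slots.setdefault(weak_index(upstream_cert), f"leaf-for:{host}")

class HardenedCache:
    """Keys on the full digest and verifies the stored identity on every hit."""
    def __init__(self):
        self.slots = {}
    def leaf_for(self, host: str, upstream_cert: bytes) -> str:
        key = hashlib.sha256(host.encode() + b"\0" + upstream_cert).digest()
        entry = self.slots.get(key)
        if entry is None or entry[:2] != (host, upstream_cert):
            entry = (host, upstream_cert, f"leaf-for:{host}")
            self.slots[key] = entry
        return entry[2]

def find_colliding_sites():
    """Return two distinct constructed sites whose weak indexes are equal."""
    seen = {}
    for n in count():  # pigeonhole: terminates within 2**INDEX_BITS + 1 tries
        host = f"site-{n}.example"
        cert = f"constructed-cert;CN={host}".encode()
        idx = weak_index(cert)
        if idx in seen:
            return seen[idx], (host, cert)
        seen[idx] = (host, cert)

def demo():
    (host_a, cert_a), (host_b, cert_b) = find_colliding_sites()
    weak, hardened = WeakCache(), HardenedCache()
    weak.leaf_for(host_a, cert_a)        # first site populates both caches
    hardened.leaf_for(host_a, cert_a)
    return (host_a, host_b,
            weak.leaf_for(host_b, cert_b),      # wrong site's leaf is reused
            hardened.leaf_for(host_b, cert_b))  # correct leaf is issued

if __name__ == "__main__":
    print(demo())
```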
Remediation steps
Last edited: 17 February 2020 11:33 am