Updated Kaspersky has patched a bug that effectively disabled TLS certificate validation for its 400 million users.
Discovered by Google Project Zero's dogged bug-sleuth Tavis Ormandy, the flaw stems from how the company's antivirus inspects encrypted traffic.
To inspect HTTPS traffic the antivirus has to decrypt it, so it interposes itself as a man-in-the-middle: it installs its own root certificate as a trusted authority on the machine and replaces each site's certificate with a leaf it generates and signs itself. If a user opens Google in their browser, for example, the certificate chain will appear to end at Kaspersky Anti-Virus Personal Root rather than at Google's real CA.
The problem Ormandy identified is not the root certificate itself but the cache of generated leaf certificates that sits behind it: the lookup key is a 32-bit truncation of an MD5 hash, so two unrelated certificates can land on the same cache entry. "As new leaf certificates and keys are generated, they're inserted using the first 32 bits of MD5(serialNumber||issuer) as the key ... You don't have to be a cryptographer to understand a 32bit key is not enough to prevent brute-forcing a collision in seconds. In fact, producing a collision with any other certificate is trivial," he writes in the Project Zero bug report.
Ormandy's bug report gave, by way of demonstration, an accidental collision between Hacker News and manchesterct.gov: "If you use Kaspersky Antivirus in Manchester, Connecticut and were wondering why Hacker News didn't work sometimes, it's because of a critical vulnerability that has effectively disabled SSL certificate validation for all 400 million Kaspersky users." In that case the collision merely broke a site, because the proxy handed the browser a cached leaf issued for a different host and the browser refused it; Ormandy's point is that a collision with any chosen certificate is cheap to manufacture.
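To make the arithmetic concrete, here is an added example (not Kaspersky's code or Ormandy's proof of concept) that models an interception proxy's leaf cache keyed on the first 32 bits of MD5(serialNumber||issuer), finds two serials under two different issuers that share a cache key with a birthday search, and shows a hardened cache keyed on the full SHA-256 of a length-prefixed (issuer, serial) encoding. The issuer names and hostnames are constructed, reading the four truncated bytes as a big-endian integer is an assumption, and the cache model is a simplification: it records only which hostname a generated leaf was issued for.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple


def truncated_key(serial: bytes, issuer: bytes) -> int:
    """Cache key as Ormandy describes it: the first 32 bits of
    MD5(serialNumber || issuer). Reading those four bytes as a big-endian
    integer is an assumption; any fixed byte order gives a 32-bit key."""
    return int.from_bytes(hashlib.md5(serial + issuer).digest()[:4], "big")


def full_key(serial: bytes, issuer: bytes) -> bytes:
    """Hardened alternative (added here, not Kaspersky's actual fix): a
    length-prefixed encoding of issuer and serial under SHA-256. Colliding
    two entries now means colliding SHA-256, not a 32-bit truncation."""
    encoded = (len(issuer).to_bytes(4, "big") + issuer
               + len(serial).to_bytes(4, "big") + serial)
    return hashlib.sha256(encoded).digest()


class LeafCache:
    """Minimal model of an interception proxy's leaf cache: the key identifies
    the server certificate seen, the value is the hostname the generated leaf
    was issued for. Whatever is stored under a key is what the browser gets."""

    def __init__(self, keyfn: Callable[[bytes, bytes], object]) -> None:
        self.keyfn = keyfn
        self.store: Dict[object, str] = {}

    def leaf_for(self, host: str, serial: bytes, issuer: bytes) -> str:
        key = self.keyfn(serial, issuer)
        if key not in self.store:
            self.store[key] = host  # generate and cache a leaf for this host
        return self.store[key]  # on a key collision this is another host's leaf


def find_collision(issuer_a: bytes, issuer_b: bytes,
                   max_tries: int = 1 << 20) -> Optional[Tuple[bytes, bytes]]:
    """Birthday search for serials sa, sb with
    truncated_key(sa, issuer_a) == truncated_key(sb, issuer_b).
    With a 32-bit key the expected cost is about 2^16 candidates per issuer,
    which is why the collision turns up in well under a second."""
    seen_a: Dict[int, bytes] = {}
    seen_b: Dict[int, bytes] = {}
    for i in range(max_tries):
        serial = i.to_bytes(16, "big")  # 128-bit serials, as real CAs issue
        ka = truncated_key(serial, issuer_a)
        kb = truncated_key(serial, issuer_b)
        if ka == kb:
            return serial, serial
        if ka in seen_b:
            return serial, seen_b[ka]
        if kb in seen_a:
            return seen_a[kb], serial
        seen_a[ka] = serial
        seen_b[kb] = serial
    return None


def demo() -> Dict[str, str]:
    """Cache a leaf for one host, then look up a colliding certificate for
    another host under both key schemes. Hostnames and issuer names are
    constructed for this example."""
    issuer_a = b"CN=Example Public CA A,O=Constructed"
    issuer_b = b"CN=Example Public CA B,O=Constructed"
    pair = find_collision(issuer_a, issuer_b)
    if pair is None:
        raise RuntimeError("no collision within the search budget")
    serial_a, serial_b = pair
    weak, strong = LeafCache(truncated_key), LeafCache(full_key)
    for cache in (weak, strong):
        cache.leaf_for("news.example", serial_a, issuer_a)
    return {
        "weak": weak.leaf_for("town.example", serial_b, issuer_b),
        "strong": strong.leaf_for("town.example", serial_b, issuer_b),
    }


if __name__ == "__main__":
    print(demo())  # the weak cache answers town.example with news.example's leaf
```

The birthday search models what happened to Hacker News and manchesterct.gov: two unrelated certificates that happen to share a 32-bit key. Colliding with one specific target certificate is a second-preimage search of about 2^32 MD5 evaluations, far beyond a Python loop but cheap for native multi-core code, which is the "seconds" in Ormandy's report. The point of the hardened key is not SHA-256 in particular but that the cache must distinguish certificates by their full identity, not by a short hash of it.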
Kaspersky fixed the issue on December 28. ®
Update: Kaspersky has provided the following statement detailing its fixes.
Kaspersky Lab would like to assure its customers that all the vulnerabilities linked to the processing of SSL certificates recently disclosed by Google Project Zero researcher Tavis Ormandy have been successfully fixed (https://support.kaspersky.com/vulnerability.aspx?el=12430). Our specialists have no evidence that these or any of the previously disclosed vulnerabilities have been exploited in the wild.
Products fixed include:
- Kaspersky Small Office Security for Windows
- Kaspersky Fraud Prevention for Windows
- Kaspersky Anti-Virus 2016 and 2017
- Kaspersky Internet Security for Windows 2016 and 2017
- Kaspersky Total Security for Windows 2016 and 2017
- Safe Kids for Windows 1.1
The fixes are included in auto update patches that were released on 28 December. A fix for Kaspersky Endpoint Security for Mac is included in the new version of the product. To apply the fixes, please update your products. We would like to thank Mr. Tavis Ormandy for reporting these vulnerabilities to us in a responsible manner.
The security of our customers is our top priority, which is why we take all reports about potential security issues seriously and always support the assessment of our solutions by independent researchers. Their ongoing efforts allow us to improve our products, and offer better protection to our customers. ®