Vulnerability discovered by Marcin ‘Icewall’ Noga of Cisco Talos.

Overview

Talos is disclosing the presence of TALOS-2016-0175 / CVE-2016-4329, a local denial of service vulnerability within Kaspersky anti-virus. A system user is able to cause a denial of service attack against Kaspersky’s avpui.exe process by executing malicious code on a system. As a result, avpui.exe process protected by Kaspersky Self-Protection dies.

The vulnerability can only be exploited by a user who is already present on the system. Nevertheless, such a vulnerability potentially may be exploited by a malicious user who wished to cause anti-virus scanning to stop informing users about potential malicious activities. This may comprise a step in a longer sequence of malicious activity. Administrators should ensure that the latest version of Kaspersky is installed to remove the vulnerability.

As part of our commitment to responsible disclosure, on discovering the vulnerabilities we notified Kasperksy. We have ensured that a patch to remedy the vulnerabilities was available before publication.

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.