A further local denial of service attack is possible through Kaspersky’s KL1 driver. A malicious user can send a specially crafted IOCTL call to the KL1 driver. Under certain conditions, this can causing the driver to read memory outside of an allocated buffer. This may provoke a memory access violation resulting in a system crash.

Under certain circumstances a specially crafted IOCTL call can be used to leak kernel memory content to the userland via a weak implementation of the KlDiskCtl service in the kldisk.sys driver. An attacker might leverage this to get security relevant information from the kernel address space and combine this knowledge with other vulnerabilities to exploit the local system e.g. subverting security features like address space layout randomization (ASLR).

The vulnerabilities affect Kaspersky Internet Security 16.0.0, KLIF driver version, but may affect other versions of the software too. Since anti-virus software runs with low level privileges on any system, vulnerabilities in these software are potentially very interesting for attackers. Although these vulnerabilities are not particularly severe, administrators should be aware that security systems can be used by threat actors as part of an attack, and keep such systems fully patched.

More details can be found in the following vulnerability reports: