CVE-2017-9812 in Kaspersky Anti-virus
Summary
by MITRE
The reportId parameter of the getReportStatus action method can be abused in the web interface in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312) to read arbitrary files with kluser privileges.
Analysis
by VulDB Data Team • 01/05/2025
CVE-2017-9812 is a critical file disclosure flaw in Kaspersky Anti-Virus for Linux File Server. It resides in the web interface component of the application, in the getReportStatus action method. The flaw stems from insufficient validation and sanitization of the reportId parameter, which lets an attacker manipulate the parameter value to access files beyond the intended scope of the application's functionality. Versions before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312) are affected, and a specific patch was required to address the underlying weakness.
Exploitation relies on improper handling of user-supplied input in the web interface. When the getReportStatus method processes the reportId parameter, the application does not validate or sanitize the value before using it to access files. The result is a path traversal condition: an attacker can specify arbitrary file paths that should be restricted. The issue is particularly concerning because file access happens with kluser privileges, indicating that the compromised application runs with elevated permissions that could allow access to sensitive system files and configuration data. The weakness maps to CWE-22, improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal.
The operational impact extends beyond simple information disclosure, because an attacker can read arbitrary files on the system where Kaspersky Anti-Virus for Linux File Server is installed. This could expose sensitive configuration files, user data, system logs, and other critical information that may aid further exploitation attempts. Because reads happen with kluser privileges, an attacker could access files that are normally protected by system permissions, which significantly expands the attack surface and the potential damage. From an adversary perspective, the vulnerability fits ATT&CK techniques T1083 (File and Directory Discovery) and T1005 (Data from Local System), as it enables unauthorized access to system files and data that would normally be restricted to authorized users.
The security implications are particularly severe in enterprise environments where Kaspersky Anti-Virus for Linux File Server is deployed to protect network resources. Reading arbitrary files with elevated privileges could expose database credentials, system configuration files, or other sensitive data that could be leveraged for privilege escalation. Organizations running the software without the proper maintenance pack would be particularly vulnerable to targeted attacks in which adversaries systematically enumerate and access sensitive system information. The vulnerability demonstrates a fundamental flaw in the input validation mechanisms and highlights the importance of proper access controls and privilege separation within security applications. Remediation should focus on proper input validation, sanitization, and access controls to prevent path traversal; the specific fix is to install Maintenance Pack 2 Critical Fix 4, which addresses this vulnerability.
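The remediation described above (validate reportId, then confine the resolved path to the report directory), shown beside the unchecked pattern as an added Python example. It is not Kaspersky's code: the report directory layout, the function names, and the ID format are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: report IDs are short alphanumeric tokens (real format not given on this page).
REPORT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def unsafe_report_path(report_dir, report_id):
    """Pattern the analysis describes: user input joined into a path unchecked."""
    return os.path.normpath(os.path.join(report_dir, report_id))


def safe_report_path(report_dir, report_id):
    """Return the report's real path, or raise ValueError if it escapes report_dir."""
    if not REPORT_ID_RE.fullmatch(report_id):
        raise ValueError("reportId has unexpected characters")
    base = os.path.realpath(report_dir)
    # realpath resolves symlinks, so a link inside report_dir that points
    # elsewhere is caught by the containment check below.
    candidate = os.path.realpath(os.path.join(base, report_id))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("reportId resolves outside the report directory")
    return candidate


def demo():
    """Run both helpers on constructed inputs and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        reports = os.path.join(root, "reports")
        os.mkdir(reports)
        secret = os.path.join(root, "secret.conf")  # constructed stand-in for a sensitive file
        open(secret, "w").close()
        open(os.path.join(reports, "r1001"), "w").close()
        os.symlink(secret, os.path.join(reports, "link1"))
        results["unsafe_escapes"] = (
            unsafe_report_path(reports, "../secret.conf") == os.path.normpath(secret))
        results["valid_ok"] = (
            safe_report_path(reports, "r1001")
            == os.path.realpath(os.path.join(reports, "r1001")))
        cases = [("traversal", "../secret.conf"), ("absolute", "/etc/hostname"),
                 ("symlink", "link1")]
        for name, rid in cases:
            try:
                safe_report_path(reports, rid)
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
    return results
```

The symlink case passes the character allow-list and is stopped only by the resolved-path containment check, which is why both layers are kept.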