CVE-2018-6306 in Password Manager

Summary

by MITRE

Unauthorized code execution from specific DLL and is known as DLL Hijacking attack in Kaspersky Password Manager versions before 8.0.6.538.


Analysis

by VulDB Data Team • 01/30/2020

The vulnerability identified as CVE-2018-6306 is a critical security flaw in Kaspersky Password Manager versions prior to 8.0.6.538: a DLL hijacking attack vector that enables unauthorized code execution. It exploits the insecure way the software loads dynamic link libraries at runtime, giving malicious actors a path to execute arbitrary code with the privileges of the targeted application. The flaw stems from the application's failure to validate the source of dynamically loaded libraries, which allows an attacker to place a malicious DLL in a location where the application expects a legitimate system library to reside.

Technically, the vulnerability follows the classic DLL hijacking pattern: the application searches for a required library in a predetermined order of directories without verifying the library's authenticity. If a malicious DLL is placed in a directory that is searched before the legitimate system directories, the application loads the attacker-controlled library instead of the intended system component. This is particularly dangerous in a password manager, which typically runs with elevated privileges and has access to sensitive user credentials and personal data. The vulnerability affects versions before 8.0.6.538, indicating that Kaspersky had not yet implemented proper DLL loading security measures against this type of attack.

The operational impact extends beyond simple code execution, since the flaw gives attackers a potential foothold for more sophisticated attacks on the victim's system. Because password managers handle highly sensitive information, including user credentials, account details, and encrypted data, successful exploitation could lead to complete compromise of user accounts and unauthorized access to critical personal and corporate information. The attack requires minimal privileges, as the malicious DLL only needs to be placed in a location the application can read; this makes it especially dangerous on systems where users have limited administrative rights but still run vulnerable applications. The vulnerability is classified under CWE-427, which addresses an uncontrolled search path, and can be mapped to ATT&CK technique T1059.001 for execution through dynamic-link libraries.

Mitigating CVE-2018-6306 requires immediately patching affected Kaspersky Password Manager installations to version 8.0.6.538 or later, which includes proper DLL loading security measures. Organizations should add protective measures such as strict directory permissions, application whitelisting, and monitoring for unauthorized DLL placements in system directories. Runtime application control that prevents loading DLLs from non-standard or untrusted locations is also worth considering. System administrators should audit installed software for other applications susceptible to similar DLL hijacking attacks, particularly those that load libraries without proper validation. Regular security assessments and vulnerability scanning should be performed to detect and remediate similar issues in other applications within the enterprise environment, as this type of vulnerability is common in legacy applications that have not been updated with modern security practices.
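As an added example of the directory-permission audit recommended above (not VulDB's or Kaspersky's code), this PowerShell script walks the default DLL search order described earlier for a given executable and flags the directories that low-privileged users can write to. The $ExePath parameter, the Test-LowPrivWritable function and the SafeDllSearchMode default order are assumptions of this example.

```powershell
# Added example, not VulDB's or Kaspersky's code: list the directories Windows
# consults when an executable loads a DLL by name, and flag the ones that
# low-privileged users can write to. $ExePath is a placeholder; point it at the
# installed binary you want to audit. Assumes the default SafeDllSearchMode order.
param(
    [Parameter(Mandatory = $true)]
    [string]$ExePath
)

$appDir = [System.IO.Path]::GetDirectoryName((Resolve-Path -LiteralPath $ExePath).Path)

# Default search order (SafeDllSearchMode enabled): application directory,
# System32, 16-bit System directory, Windows directory, current directory, PATH.
$searchOrder = @(
    $appDir,
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System",
    $env:SystemRoot,
    (Get-Location).Path
) + @($env:Path -split ';' | Where-Object { $_.Trim() -ne '' }) | Select-Object -Unique

# Principals whose Allow ACEs mean an ordinary user could drop a DLL there.
$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')  # Everyone, Authenticated Users, Users

function Test-LowPrivWritable {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    # Resolve identities to SIDs so the check does not depend on display names.
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($lowPrivSids -notcontains $rule.IdentityReference.Value) { continue }
        # CreateFiles (== WriteData) is the right needed to plant a new file; Modify and
        # FullControl include it. Deny ACEs are not evaluated, so this may over-report.
        if (($rule.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::CreateFiles) -ne 0) {
            return $true
        }
    }
    return $false
}

$position = 0
foreach ($dir in $searchOrder) {
    $position++
    [pscustomobject]@{
        Order           = $position
        Directory       = $dir
        LowPrivWritable = Test-LowPrivWritable -Directory $dir
    }
}
```

A directory flagged ahead of the one that actually holds a given library is where strict permissions or application control should be applied first.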

Reservation

01/25/2018

Disclosure

04/19/2018

Moderation

accepted

CPE

ready

EPSS

0.00370

KEV

no

Activities

very low
