The flaw has since been fixed after being discovered by Google’s Project Zero researcher Tavis Ormandy
A major security flaw in Kaspersky Lab’s antivirus product which effectively disabled SSL certificate validation for 400 million users, has been uncovered by Google security researchers.
Writing on Google’s Project Zero issue tracker, researcher Tavis Ormandy explains how Kaspersky was inserting its own certificate as a trusted authority by intercepting all outgoing HTTPS connections during the inspection of encrypted data.
The issue was that those certificates only used the first 32 bits of MD5 as the key in its SSL proxy, making them too weak to provide an adequate defence.
“Kaspersky’s certificate interception has previously resulted in serious vulnerabilities, but quick review finds many simple problems still exist. for example, the way leaf certificates are cached uses an extremely naive fingerprinting technique,” writes Ormandy.
“Kaspersky cache recently generated certificates in memory in case the user agent initiates another connection. In order to do this, Kaspersky fetches the certificate chain and then checks if it’s already generated a matching leaf certificate in the cache. If it has, it just grabs the existing certificate and private key and then reuses it for the new connection.
“You don’t have to be a cryptographer to understand a 32bit key is not enough to prevent brute-forcing a collision in seconds. In fact, producing a collision with any other certificate is trivial.”
Ormandy reported the “critical” bug on November 1, receiving confirmation from Kaspersky that it would be fixed “in the nearest future”. The issue was eventually resolved on December 28.
We contacted Kaspersky Lab for comment and received the following statement: “Kaspersky Lab would like to assure its customers that all the vulnerabilities linked to the processing of SSL certificates recently disclosed by Google Project Zero researcher Tavis Ormandy have been successfully fixed. Our specialists have no evidence that these or any of the previously disclosed vulnerabilities have been exploited in the wild.
“We would like to thank Mr. Tavis Ormandy for reporting these vulnerabilities to us in a responsible manner. The security of our customers is our top priority, which is why we take all reports about potential security issues seriously and always support the assessment of our solutions by independent researchers.”