CVE-2021-35052

7.8 HIGH

📋 TL;DR

This vulnerability in Kaspersky Password Manager allows attackers to elevate process integrity levels from Medium to High, potentially gaining unauthorized access to sensitive data. It affects users of Kaspersky Password Manager on Windows systems. The exploit requires local access to the target system.

💻 Affected Systems

Products:
  • Kaspersky Password Manager
Versions: prior to 9.2.1.772
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Windows installations of Kaspersky Password Manager. Requires local access to exploit.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could gain high-integrity access to the password manager, potentially extracting stored credentials, authentication tokens, and sensitive user data.

🟠

Likely Case

Local attackers could escalate privileges to access password manager data they shouldn't have access to, compromising stored credentials.

🟢

If Mitigated

With proper access controls and updated software, exposure is limited to users who already have local access attempting privilege escalation.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local system access.
🏢 Internal Only: MEDIUM - Internal attackers with local access could exploit this to access password manager data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access to the system. No public proof-of-concept has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.2.1.772 and later

Vendor Advisory: https://support.kaspersky.com/general/vulnerability.aspx?el=12430#221121

Restart Required: Yes

Instructions:

1. Open Kaspersky Password Manager.
2. Check for updates in settings.
3. Update to version 9.2.1.772 or later.
4. Restart the application and system if prompted.

🔧 Temporary Workarounds

Restrict Local Access (windows)

Limit physical and remote local access to systems running Kaspersky Password Manager.

Use Standard User Accounts (windows)

Run Kaspersky Password Manager with standard user privileges instead of administrative rights.

🧯 If You Can't Patch

  • Implement strict access controls to limit who has local access to affected systems
  • Monitor for unusual process integrity level changes and access to password manager processes

🔍 How to Verify

Check if Vulnerable:

Check Kaspersky Password Manager version in the application settings or About section

Check Version:

Not applicable - check through application GUI

Verify Fix Applied:

Verify version is 9.2.1.772 or higher in application settings

📡 Detection & Monitoring

Log Indicators:

  • Unusual process integrity level escalations
  • Unexpected access to Kaspersky Password Manager processes

Network Indicators:

  • Local privilege escalation attempts typically don't generate network traffic

SIEM Query:

Process creation events where integrity level changes from Medium to High for Kaspersky processes
