Core Security issued an advisory for multiple vulnerabilities it found in Kaspersky Labs' Secure Mail Gateway that, if left unpatched, could lead to administrative account takeover.
The Kaspersky Secure Mail Gateway is a virtual appliance deployed inside an organisation's network infrastructure and comes bundled with a Web Management Console that monitors the application's operation. Core Security researchers found, however, that the console “provides no cross-site request forgery protection site-wide, which could result in administrative account takeover.”
“Multiple vulnerabilities were found in the Kaspersky Mail Gateway Web Management Console. It is possible for a remote attacker to abuse these vulnerabilities and gain command execution as root,” Core Security wrote.
Core Security first came across the issues in September 2017 and notified Kaspersky. After months of going back and forth, Core settled on posting the advisory on 1 February and included a link to the update.
“We thank Core Security Technologies for reporting these vulnerabilities to us. The security of our customers is a key priority and we take independent research very seriously,” Kaspersky told SC Media in an emailed statement, adding, “Kaspersky Lab recommends that all customers using Kaspersky Secure Mail Gateway 1.1 should upgrade to the new version: Kaspersky Secure Mail Gateway 1.1 MR1.”