Vulnerabilities > CVE-2020-26200 - Incorrect Authorization vulnerability in Kaspersky Endpoint Security and Rescue Disk

CVSS 4.6 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

local

low complexity

kaspersky

CWE-863

NVD

Published: 2021-02-26

Updated: 2021-07-21

Summary

A component of Kaspersky custom boot loader allowed loading of untrusted UEFI modules due to insufficient check of their authenticity. This component is incorporated in Kaspersky Rescue Disk (KRD) and was trusted by the Authentication Agent of Full Disk Encryption in Kaspersky Endpoint Security (KES). This issue allowed to bypass the UEFI Secure Boot security feature. An attacker would need physical access to the computer to exploit it. Otherwise, local administrator privileges would be required to modify the boot loader component.

Vulnerable Configurations

Part	Description	Count
Application	Kaspersky Kaspersky Endpoint Security 10 Kaspersky Endpoint Security 11.0.0 Kaspersky Endpoint Security 11.0.1 Kaspersky Endpoint Security 11.1.0 Kaspersky Rescue Disk *	6

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References