Vulnerability Description
A component of the Kaspersky custom boot loader allowed untrusted UEFI modules to be loaded because it did not sufficiently verify their authenticity. This component is incorporated in Kaspersky Rescue Disk (KRD) and was trusted by the Authentication Agent of Full Disk Encryption in Kaspersky Endpoint Security (KES). The issue allowed the UEFI Secure Boot security feature to be bypassed. An attacker would need physical access to the computer to exploit it; otherwise, local administrator privileges would be required to modify the boot loader component.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kaspersky | Endpoint Security | 10 |
| Kaspersky | Rescue Disk | < 18.0.11.3 |
Related Weaknesses (CWE)
References
- https://support.kaspersky.com/general/vulnerability.aspx?el=12430#170221 (Broken Link)
- https://github.com/CVEProject/cvelist/blob/master/2020/26xxx/CVE-2020-26200.json (Third Party Advisory)
FAQ
What is CVE-2020-26200?
CVE-2020-26200 is a vulnerability with a CVSS score of 6.8 (MEDIUM). A component of Kaspersky custom boot loader allowed loading of untrusted UEFI modules due to insufficient check of their authenticity. This component is incorporated in Kaspersky Rescue Disk (KRD) and...
How severe is CVE-2020-26200?
CVE-2020-26200 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26200?
Check the references section above for vendor advisories and patch information. Affected products include: Kaspersky Endpoint Security, Kaspersky Rescue Disk.