PT-2021-3158 · Kaspersky · Kaspersky Password Manager

Jibee · Published 2021-04-20 · Updated 2021-08-08

CVE-2020-27020

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Kaspersky Password Manager (affected versions not specified)

Description: The password generator in Kaspersky Password Manager was not fully cryptographically strong, so in some cases an attacker could predict the generated passwords. Doing so requires additional information, such as the time at which a password was generated. The implementation used a pseudorandom number generator (PRNG) seeded from the current system time in seconds, so every instance of KPM running in the same second generated the same password. Because a year has only about 31.5 million seconds, KPM could produce only around 31.5 million distinct passwords per year, a space that could be brute-forced in minutes, especially when the attacker knows the approximate time of account creation.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
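The following is an added illustration of the weakness class described above; it is not code from the advisory or from Kaspersky Password Manager, and the function names, alphabet and sample timestamp are assumptions. It places a generator seeded from wall-clock seconds beside a CSPRNG-backed one, gives an audit check that flags clock-reproducible output, and compares the effective key space of the weak design (one password per second, roughly 31.5 million per year) with the nominal key space of the password length.

```python
import math
import random
import secrets
import string
import time

# Assumed character set for the examples: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def weak_password(length, now=None):
    """Weak pattern (assumed, for illustration): PRNG seeded from the clock in
    whole seconds. Any two instances running in the same second derive the same
    seed and therefore emit the same password."""
    seed = int(time.time() if now is None else now)
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length, now=None):
    """Hardened form: draws from the OS CSPRNG via `secrets`. The `now` argument
    is accepted only so both generators share one signature; it is ignored."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_clock_reproducible(generator, length=16, now=1_600_000_000):
    """Audit check: call the generator twice with the same timestamp (a constructed
    sample value). A generator whose whole state derives from the clock returns
    identical passwords; a CSPRNG-backed one does not."""
    return generator(length, now) == generator(length, now)


def seconds_per_year():
    # 365 * 86400 = 31,536,000: the ~31.5 million passwords per year in the advisory.
    return 365 * 24 * 60 * 60


def effective_bits_clock_seeded():
    # With one distinct password per second, the attacker's search space over a
    # year is the number of seconds in that year, regardless of password length.
    return math.log2(seconds_per_year())


def nominal_bits(length, alphabet=ALPHABET):
    # Key space an attacker faces when every character is chosen independently
    # from a CSPRNG: length * log2(|alphabet|).
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for name, gen in (("clock-seeded", weak_password), ("csprng", strong_password)):
        print(f"{name}: reproducible from timestamp = {is_clock_reproducible(gen)}")
    print(f"clock-seeded effective bits per year: {effective_bits_clock_seeded():.1f}")
    print(f"nominal bits for 16 chars over {len(ALPHABET)} symbols: {nominal_bits(16):.1f}")
```

The point the audit makes is that password length is irrelevant when the seed is the clock: a 16-character password from the clock-seeded generator sits in a space of about 2^25 candidates per year, while the same length from the CSPRNG-backed generator sits in about 2^105. A generator under review should never be reproducible from any value an attacker can estimate, and `is_clock_reproducible` is the kind of regression test that catches a reintroduced time seed.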

Weakness Enumeration

Inadequate Encryption Strength

Related Identifiers

BDU:2021-02828
CVE-2020-27020

Affected Products

Kaspersky Password Manager