Where data is home

Critical Flaws In Avast And AVG Antivirus Enable Privilege Escalation


This article provides an overview of the critical vulnerabilities discovered in Avast and AVG antivirus products, tracked as CVE-2022-26522 and CVE-2022-26523. These vulnerabilities enable attackers to escalate privileges and disable security features, potentially compromising the integrity and functionality of the operating system. The flaws lie in the anti-rootkit kernel driver (aswArPot.sys) and allow non-administrator users to elevate their privileges; they can also cause system crashes and errors, including the blue screen of death. A second vulnerability, in the aswArPot+0xbb94 function, can lead to a second-stage browser attack by exploiting the sandbox. With millions of Avast and AVG users affected, a patch (version 22.1) will be delivered automatically. Applying the patch immediately is crucial, particularly for on-premise or air-gapped installations, which do not receive automatic updates. Coordinated disclosure and a bug bounty program have been used to limit attacks and encourage vulnerability reporting. The article stresses that system security is improved by timely patching and active participation in bug bounty programs.

Key Takeaways

  • Vulnerabilities in Avast and AVG antivirus products (CVE-2022-26522 and CVE-2022-26523) allow privilege escalation and disabling of security products, potentially leading to the corruption of the operating system and malicious operations.
  • Flaws in the anti-rootkit kernel driver, particularly in the aswArPot.sys driver and socket connection handler, enable non-administrator users to escalate privileges, potentially causing system crashes and the blue screen of death error.
  • A second vulnerability in the aswArPot+0xbb94 function (CVE-2022-26523) can lead to a second-stage browser attack by exploiting the sandbox, allowing the attacker to escape it.
  • Millions of Avast and AVG users are affected, and a patch (version 22.1) will be automatically delivered. On-premise or air-gapped installations should apply the patch immediately. Coordinated disclosure and a bug bounty program are in place to prevent attacks and encourage the reporting of vulnerabilities.

Vulnerabilities in Avast and AVG

The vulnerabilities in Avast and AVG antivirus products, tracked as CVE-2022-26522 and CVE-2022-26523 and discovered by Kasif Dekel, allow for privilege escalation and disabling of security products, potentially leading to the corruption of the operating system and the execution of malicious operations. These vulnerabilities pose a significant risk to the millions of Avast and AVG users. Exploiting the flaws in the anti-rootkit kernel driver can give non-administrator users elevated privileges. Additionally, a second vulnerability in the aswArPot+0xbb94 function allows for a second-stage browser attack by escaping the sandbox. To mitigate these risks, users should apply the patch (version 22.1) as soon as possible. Patching is of utmost importance for system security and prevents the exploitation of these critical flaws. Furthermore, coordinated disclosure and bug bounty programs play a vital role in protecting users and encouraging the reporting of vulnerabilities.

Flaws in anti-rootkit kernel driver

Bugs have been identified in the anti-rootkit kernel driver, specifically in the aswArPot.sys driver and its socket connection handler. These vulnerabilities in Avast and AVG antivirus products allow non-administrator users to escalate privileges, potentially leading to system crashes and errors. The flaws in the aswArPot.sys driver can result in a blue screen of death, while the vulnerability in the socket connection handler can be exploited for malicious operations. The exploitation outcomes include privilege escalation and disabling of security products. These flaws also raise system stability concerns, since they have the potential to corrupt the operating system. They should be addressed promptly by applying the patch to restore system security and prevent exploitation.

Second vulnerability in aswArPot+0xbb94 function

Exploiting a vulnerability in the aswArPot+0xbb94 function could enable an attacker to execute a second-stage browser attack by escaping the sandbox. This second vulnerability, tracked as CVE-2022-26523, also enables privilege escalation. By leveraging this flaw, an attacker can escalate their privileges and potentially disable antivirus applications. The sandbox escape technique used in this attack lets the attacker evade the security measures in place and perform malicious operations. This poses a significant threat to the affected Avast and AVG antivirus users, as it increases the potential for system compromise and the execution of further attacks. Users should apply the patch (version 22.1) promptly to mitigate the risks associated with these vulnerabilities. Coordinated disclosure and bug bounty programs play a vital role in preventing such attacks and promoting system security.

  • Exploiting a vulnerability in the aswArPot+0xbb94 function
  • Sandbox escape techniques
  • Exploitation of privilege escalation
  • Second-stage browser attack
  • Potential for system compromise
  • Disabling antivirus applications
  • Coordinated disclosure and bug bounty programs
  • Patch (version 22.1) application

Impact on users

The impact on users of the vulnerabilities in Avast and AVG antivirus products is extensive, affecting millions of users who should promptly apply the patch (version 22.1) to prevent potential system compromise and the execution of further attacks.

  • Urgency of patching for system security:

    • The vulnerabilities discovered in Avast and AVG antivirus products pose a significant risk to the security of users' systems. Promptly applying the patch is crucial to prevent potential exploitation of these flaws and protect against malicious activities.

    • Patching vulnerabilities helps ensure that users' systems are not vulnerable to attacks that could lead to the compromise of sensitive information or the disruption of normal system operations.

  • Importance of coordinated disclosure:

    • Coordinated disclosure of vulnerabilities plays a vital role in safeguarding users' systems. By disclosing these flaws responsibly, security researchers and software vendors can work together to develop and deploy patches that address the vulnerabilities effectively.

    • Coordinated disclosure helps minimize the window of opportunity for attackers, reducing the likelihood of widespread exploitation and protecting users from potential harm.

Follow-up actions

Coordinated disclosure and bug bounty programs are important components in addressing vulnerabilities and ensuring the security of users' systems. These programs play a crucial role in identifying and mitigating flaws in software applications. By encouraging researchers and ethical hackers to report vulnerabilities, bug bounty programs create a collaborative environment where potential risks can be identified and addressed promptly. In the case of the critical flaws discovered in Avast and AVG antivirus products, the bug bounty program served as the avenue for reporting the vulnerabilities, which allowed the developers to take immediate action and deliver the necessary patches to users. By actively engaging in coordinated disclosure and bug bounty programs, organizations can enhance system stability and strengthen their overall security posture.

Frequently Asked Questions

How were the vulnerabilities in Avast and AVG antivirus products discovered and disclosed?

The vulnerabilities in Avast and AVG antivirus products were discovered and disclosed through the efforts of Kasif Dekel. The specific methods used to discover them are not described in the available information. As part of the disclosure process, the vulnerabilities were tracked as CVE-2022-26522 and CVE-2022-26523; both allow for privilege escalation and disabling of security products.

What is the impact of the flaws in the anti-rootkit kernel driver?

The flaws in the anti-rootkit kernel driver can have a significant impact on privilege escalation and consequences for users. Non-administrator users can escalate privileges, leading to system crashes and errors, including the possibility of a blue screen of death. Additionally, the vulnerabilities can be exploited to disable antivirus applications and perform malicious operations, such as second-stage browser attacks through sandbox escape. These consequences highlight the importance of promptly applying the patch to protect system security.

How does the second vulnerability in the aswArPot+0xbb94 function differ from the first vulnerability?

The second vulnerability in the aswArPot+0xbb94 function differs from the first in that it allows for a second-stage browser attack by escaping the sandbox. This exposes affected users to compromised browser security and increased exposure to malicious activities.

What are the potential consequences for users affected by these vulnerabilities?

The potential consequences for users affected by these vulnerabilities include privilege escalation, disabling of security products, system crashes, blue screen of death errors, operating system corruption, and the potential for malicious operations and browser attacks. User impact is significant and widespread.

What are the recommended mitigation measures for addressing these critical flaws?

Mitigation measures for addressing these critical flaws include applying the patch (version 22.1) as soon as possible, particularly on on-premise or air-gapped installations that do not receive it automatically. Coordinated disclosure and participation in the bug bounty program are also recommended security measures.
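For administrators of on-premise or air-gapped machines who need to confirm whether the patch has actually landed, the following PowerShell script is an added example; it is not from the article and is not Avast or AVG tooling. It reads the installed Avast/AVG product version from the standard Windows Uninstall registry keys, compares it against the 22.1 version named in the article, and reports whether the aswArPot.sys anti-rootkit driver is present together with its file version and Authenticode signature status. The registry-based lookup, the assumption that the product's DisplayVersion reflects the 22.x product version, and the driver path under System32\drivers are assumptions of this example, not facts stated on the page.

```powershell
# Added example (not from the article or from Avast/AVG): inventory check for the
# Avast/AVG product version and the aswArPot.sys anti-rootkit driver on a Windows host.
# Assumptions: the product registers under the standard Uninstall registry keys with a
# DisplayVersion that reflects the 22.x product version, and the driver lives under
# System32\drivers. Adjust both if your deployment differs.

$PatchedVersion = [version]'22.1'   # fixed product version named in the article

function Get-AvProductInstall {
    # Walk both the 64-bit and the 32-bit (WOW6432Node) Uninstall hives and return Avast/AVG entries.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Avast|AVG)\b' } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function Test-AvPatched {
    param([string]$DisplayVersion)
    # DisplayVersion strings may carry build suffixes; keep only the leading dotted-numeric part.
    $m = [regex]::Match($DisplayVersion, '^\d+(\.\d+)+')
    if (-not $m.Success) { return $false }   # unparseable version: treat as unpatched
    return ([version]$m.Value) -ge $PatchedVersion
}

function Get-AswArPotDriverInfo {
    # Driver path is an assumption of this example.
    $path = Join-Path $env:SystemRoot 'System32\drivers\aswArPot.sys'
    if (-not (Test-Path $path)) { return $null }
    $item = Get-Item $path
    [pscustomobject]@{
        Path        = $path
        FileVersion = $item.VersionInfo.FileVersion
        Signature   = (Get-AuthenticodeSignature -FilePath $path).Status
        LastWrite   = $item.LastWriteTime
    }
}

# Report the product version state for every Avast/AVG entry found.
$installs = Get-AvProductInstall
if (-not $installs) {
    Write-Output 'No Avast/AVG product registered in the Uninstall hives.'
} else {
    foreach ($app in $installs) {
        $state = if (Test-AvPatched $app.DisplayVersion) { 'OK (>= 22.1)' } else { 'NEEDS PATCH (< 22.1)' }
        Write-Output ('{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $state)
    }
}

# Report on the driver itself: presence, file version and signature status.
$drv = Get-AswArPotDriverInfo
if ($drv) {
    Write-Output ('aswArPot.sys present: file version {0}, signature {1}, last written {2}' -f
        $drv.FileVersion, $drv.Signature, $drv.LastWrite)
} else {
    Write-Output 'aswArPot.sys not found at the expected path.'
}
```

Run it in an elevated PowerShell session so the registry hives and driver directory are readable. The driver's file version is reported separately from the product version because the two numbering schemes need not match; the product version is what the article's 22.1 figure refers to, so that is the value the pass/fail decision is based on. A signature status other than Valid on the driver file is worth investigating regardless of the version check.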

