New Update High-Severity Flaws in Avast, AVG

omidomi · May 7, 2022

The Avast and AVG vulnerabilities, which have been patched, went undiscovered for 10 years and potentially impact millions of devices, according to SentinelOne.

SentinelOne discovered two high-severity vulnerabilities affecting Avast and AVG antivirus products that have existed since 2012.

Threat detection vendor SentinelOne published a blog that disclosed the vulnerabilities on Thursday. The flaws concern Avast's anti-rootkit driver, which is used by both Avast and AVG antivirus products (Avast acquired AVG in 2016). If exploited, a threat actor could use the driver to escalate privileges to kernel level. The large number of Avast and AVG users means, as SentinelOne noted in its blog, that millions of users are theoretically vulnerable. The flaws are tracked as CVE-2022-26522 and CVE-2022-26523; full technical details are available in SentinelOne's blog post. A patch released in February, version 22.1, fixed the issue and was automatically applied to most users' Avast and AVG installations. SentinelOne advised users without automatic updates, including those running on-premises versions, to patch immediately.

Kasif Dekel, SentinelOne senior security researcher and author of the blog post, wrote that the vulnerabilities remained undiscovered for 10 years and can be exploited in multiple contexts.

"Due to the nature of these vulnerabilities, they can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation," he wrote. "For example, the vulnerabilities could be exploited as part of a second stage browser attack or to perform a sandbox escape, among other possibilities."

omidomi · May 7, 2022

This is why I said don't Trust & Use Junkwares....

ForgottenSeer 94943 · May 7, 2022

omidomi said:
This is why I said don't Trust & Use Junkwares....

Bullguard, Trend Micro had vulnerabilities affecting their products. Every software has vulnerabilities in their code. Calling a product a junkware for it has vulnerabilities is not right. Besides some privacy concerns, Avast and AVG offer great protection especially when hardened mode is activated.

Kiss · May 7, 2022

Avast is a joke

omidomi · May 8, 2022

Lament said:
Bullguard, Trend Micro had vulnerabilities affecting their products. Every software has vulnerabilities in their code. Calling a product a junkware for it has vulnerabilities is not right. Besides some privacy concerns, Avast and AVG offer great protection especially when hardened mode is activated.

Fixing a bug After 10 years is a little more than normal....

upnorth · May 8, 2022

Lament said:
Every software has vulnerabilities in their code.

True, but these very serious ones that sadly was available for 10 years, along with other serious issues that even been abused and used by genuine ransomware in the wild

AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection

Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html

malwaretips.com

is impossible now to try downplay or avoid no matter how much Avast/AVG or some of their users may wish. Try telling everyone in their official statements that all this already been " responsible disclosed " several months ago is far from impressive as now it finally is being fully informed and shared, by responsible news sources and researchers.

Personal I thought this company would have learned their lessons by now from previous less positive spotlight headlines in the news over the years. Sticking the head in the sand and pretend as few as possible will see and notice serious problems, don't work as these reports from SentinelOne and TrendMicro clearly shows. Bite the sour lemon instead and acknowledge the fumble in a better way as other companies can and have done. I wouldn't be too surprised if we pretty soon will see even more reports and articles.

HarborFront · May 8, 2022

Based on here the problem has been solved

Yours Truly, Signed AV Driver: Weaponizing an Antivirus Driver | Aon

As we head into 2022, ransomware groups continue to plague our digital environment with new and interesting techniques to bypass Antivirus (AV) and Endpoint Detection and Response (EDR) solutions and ensuring the successful execution of their ransomware payloads. In December 2021, Stroz...

www.aon.com

Avast responded to our notification with this statement:

"We can confirm the vulnerability in an old version of our driver aswArPot.sys, which we fixed in our Avast 21.5 released in June 2021. We also worked closely with Microsoft, so they released a block in the Windows operating system (10 and 11), so the old version of the Avast driver can't be loaded to memory.

The below example shows that the blocking works (output from the "sc start" command):

(SC) StartService FAILED 1275:

This driver has been blocked from loading

The update from Microsoft for the Windows operating system was published in February as an optional update, and in Microsoft's security release in April, so fully updated machines running Windows 10 and 11 are not vulnerable to this kind of attack.

All consumer and business antivirus versions of Avast and AVG detect and block this AvosLocker ransomware variant, so our users are protected from this attack vector.

For users of third-party antivirus software, to stay protected against this vulnerability, we recommend users to update their Windows operating system with the latest security updates, and to use a fully updated antivirus program."

Andy Ful · May 9, 2022

Most Windows drivers (including AV drivers) can have hidden vulnerabilities. The vulnerability can be hidden for years until someone discovers it. The case of Avast is only an example. The attackers chose Avast because it is a very popular AV. This does not mean that similar vulnerabilities are absent in other less popular AVs. Here is a fragment of the book "A Guide to Kernel Exploitation: Attacking the Core" published in the year 2011:

Actually, a lot of write-what-where vulnerabilities have been found in many third-party drivers, not excluding security products like AVs and Host IDSs.

The main problem is not in Avast but in the fact that well signed drivers can be used to attack the kernel. This particular driver could be used to attack users who never installed Avast. The same is true for any well signed but vulnerable driver (there are many such drivers). On Windows 10+, such drivers can be blocked by the system (Microsoft has done this after Avast's request). On other Windows versions, such known drivers can be blacklisted by AV vendors.

Generally, AVs are very complex software and have to have a relatively large attack surface:

POC 2019 - HUNTING VULNERABILITY IN ANTIVIRUS PRODUCTS

A presentation in Power of Community 2019 held in South Korea with topic hunting vulnerability in Antivirus products.

speakerdeck.com

Despite these well known issues, the AV is still the best security solution for most people. It is like Democracy - has got many issues, but no one invented a better solution (so far).

Andy Ful · May 9, 2022

One can use online services to find the vulnerabilities found in popular AVs. For example:

Avast Vulnerabilities

Number one vulnerability management and threat intelligence platform documenting and explaining vulnerabilities since 1970.

vuldb.com

Bitdefender Vulnerabilities

Number one vulnerability management and threat intelligence platform documenting and explaining vulnerabilities since 1970.

vuldb.com

F-secure Vulnerabilities

Number one vulnerability management and threat intelligence platform documenting and explaining vulnerabilities since 1970.

vuldb.com

etc.

Only a few AV vulnerabilities were exploited in the wild (in highly targeted attacks).
The vuldb.com website requires free login after a few tries.

Another good source is:

Known Exploited Vulnerabilities Catalog | CISA

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV...

www.cisa.gov

The catalog can be searched by the AV vendor. The search for Avast returned 0 matches, so if Avast's vulnerabilities were exploited, these cases were very rare. The search for Microsoft Defender returned 2 vulnerabilities, McAfee - 1, Trend Micro (OfficeScan, Apex One, etc.) - total 8 vulnerabilities.

Post edited.

blackice · May 9, 2022

Not to mention Microsoft's own Defender has had bugs that lasted a decade plus as well. Software is far too complicated these days to be bug free. It's always a game of whack-a-mole.

Search

New Update High-Severity Flaws in Avast, AVG

omidomi

Level 71

omidomi

Level 71

ForgottenSeer 94943

Kiss

Level 4

omidomi

Level 71

upnorth

Level 68

AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection

HarborFront

Level 72

Yours Truly, Signed AV Driver: Weaponizing an Antivirus Driver | Aon

Andy Ful

From Hard_Configurator Tools

POC 2019 - HUNTING VULNERABILITY IN ANTIVIRUS PRODUCTS

Andy Ful

From Hard_Configurator Tools

Avast Vulnerabilities

Bitdefender Vulnerabilities

F-secure Vulnerabilities

Known Exploited Vulnerabilities Catalog | CISA

blackice

Level 39

Similar threads