- Apr 5, 2014
The Avast and AVG vulnerabilities, which have been patched, went undiscovered for 10 years and potentially impact millions of devices, according to SentinelOne.
SentinelOne discovered two high-severity vulnerabilities affecting Avast and AVG antivirus products that have existed since 2012.
Threat detection vendor SentinelOne published a blog that disclosed the vulnerabilities on Thursday. The flaws concern Avast's anti-rootkit driver, which is used by both Avast and AVG antivirus products (Avast acquired AVG in 2016). If exploited, a threat actor could use the driver to escalate privileges to kernel level. The large number of Avast and AVG users means, as SentinelOne noted in its blog, that millions of users are theoretically vulnerable. The flaws are tracked as CVE-2022-26522 and CVE-2022-26523; full technical details are available in SentinelOne's blog post. A patch released in February, version 22.1, fixed the issue and was automatically applied to most users' Avast and AVG installations. SentinelOne advised users without automatic updates, including those running on-premises versions, to patch immediately.
Kasif Dekel, SentinelOne senior security researcher and author of the blog post, wrote that the vulnerabilities remained undiscovered for 10 years and can be exploited in multiple contexts.
"Due to the nature of these vulnerabilities, they can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation," he wrote. "For example, the vulnerabilities could be exploited as part of a second stage browser attack or to perform a sandbox escape, among other possibilities."