Update High-Severity Flaws in Avast, AVG

omidomi

The Avast and AVG vulnerabilities, which have been patched, went undiscovered for 10 years and potentially impact millions of devices, according to SentinelOne.
SentinelOne discovered two high-severity vulnerabilities affecting Avast and AVG antivirus products that have existed since 2012.

Threat detection vendor SentinelOne published a blog that disclosed the vulnerabilities on Thursday. The flaws concern Avast's anti-rootkit driver, which is used by both Avast and AVG antivirus products (Avast acquired AVG in 2016). If exploited, a threat actor could use the driver to escalate privileges to kernel level. The large number of Avast and AVG users means, as SentinelOne noted in its blog, that millions of users are theoretically vulnerable. The flaws are tracked as CVE-2022-26522 and CVE-2022-26523; full technical details are available in SentinelOne's blog post. A patch released in February, version 22.1, fixed the issue and was automatically applied to most users' Avast and AVG installations. SentinelOne advised users without automatic updates, including those running on-premises versions, to patch immediately.

Kasif Dekel, SentinelOne senior security researcher and author of the blog post, wrote that the vulnerabilities remained undiscovered for 10 years and can be exploited in multiple contexts.

"Due to the nature of these vulnerabilities, they can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation," he wrote. "For example, the vulnerabilities could be exploited as part of a second stage browser attack or to perform a sandbox escape, among other possibilities."
 

omidomi

Bullguard and Trend Micro had vulnerabilities affecting their products. Every software has vulnerabilities in its code. Calling a product junkware because it has vulnerabilities is not right. Besides some privacy concerns, Avast and AVG offer great protection, especially when hardened mode is activated.
Fixing a bug after 10 years is a little more than normal.... :rolleyes:
 

upnorth

Every software has vulnerabilities in its code.
True, but these very serious ones, which sadly were available for 10 years, along with other serious issues that have even been abused and used by genuine ransomware in the wild


are impossible now to try to downplay or avoid, no matter how much Avast/AVG or some of their users may wish. Trying to tell everyone in their official statements that all this was already "responsibly disclosed" several months ago is far from impressive, now that it is finally being fully informed and shared by responsible news sources and researchers.

Personally, I thought this company would have learned its lessons by now from previous less positive spotlight headlines in the news over the years. Sticking your head in the sand and pretending that as few as possible will see and notice serious problems doesn't work, as these reports from SentinelOne and TrendMicro clearly show. Bite the sour lemon instead and acknowledge the fumble in a better way, as other companies can and have done. I wouldn't be too surprised if we pretty soon see even more reports and articles.
 

HarborFront

Based on this, the problem has been solved:


Avast responded to our notification with this statement:

"We can confirm the vulnerability in an old version of our driver aswArPot.sys, which we fixed in our Avast 21.5 released in June 2021. We also worked closely with Microsoft, so they released a block in the Windows operating system (10 and 11), so the old version of the Avast driver can't be loaded to memory.

The below example shows that the blocking works (output from the "sc start" command):

(SC) StartService FAILED 1275:
This driver has been blocked from loading

The update from Microsoft for the Windows operating system was published in February as an optional update, and in Microsoft's security release in April, so fully updated machines running Windows 10 and 11 are not vulnerable to this kind of attack.

All consumer and business antivirus versions of Avast and AVG detect and block this AvosLocker ransomware variant, so our users are protected from this attack vector.

For users of third-party antivirus software, to stay protected against this vulnerability, we recommend users to update their Windows operating system with the latest security updates, and to use a fully updated antivirus program."
 

Andy Ful

Most Windows drivers (including AV drivers) can have hidden vulnerabilities. The vulnerability can be hidden for years until someone discovers it. The case of Avast is only an example. The attackers chose Avast because it is a very popular AV. This does not mean that similar vulnerabilities are absent in other, less popular AVs. Here is a fragment of the book "A Guide to Kernel Exploitation: Attacking the Core", published in the year 2011:
Actually, a lot of write-what-where vulnerabilities have been found in many third-party drivers, not excluding security products like AVs and Host IDSs.

The main problem is not in Avast but in the fact that well-signed drivers can be used to attack the kernel. This particular driver could be used to attack users who never installed Avast. The same is true for any well-signed but vulnerable driver (there are many such drivers). On Windows 10+, such drivers can be blocked by the system (Microsoft has done this after Avast's request). On other Windows versions, such known drivers can be blacklisted by AV vendors.

Generally, AVs are very complex software and have to have a relatively large attack surface (see the image in the original post).

Despite these well-known issues, the AV is still the best security solution for most people. It is like democracy: it has many issues, but no one has invented a better solution (so far). :)
 
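Two points in the thread lend themselves to a local check: Avast's statement above shows the old driver being refused at load time ("sc start" failing with 1275, which is the Win32 error code ERROR_DRIVER_BLOCKED), and Andy Ful's post notes that a vulnerable but validly signed driver can sit on a machine whether or not the product is still installed. The PowerShell audit below is an added example, not code from the thread, from Avast or from SentinelOne. It enumerates kernel driver services whose image path references a given file name (aswArPot.sys, the driver named in the thread), reports the on-disk file version, Authenticode signer and signature status, and whether the driver is currently loaded. It starts and changes nothing; the function name Get-DriverServiceReport and the default parameter are mine. It does not know which file version corresponds to the fixed Avast 21.5/22.1 builds, so it only reports what it finds for comparison against the vendor's release notes.

```powershell
# Added example (not from the thread, Avast or SentinelOne): inventory kernel
# driver services that reference a given driver file and report version and
# signature details. Read-only; run in an elevated PowerShell session so that
# driver image paths and files are readable.
param(
    # Driver file name to look for; aswArPot.sys is the driver discussed in the thread.
    [string]$DriverName = 'aswArPot.sys'
)

function Get-DriverServiceReport {
    param([string]$Name)

    # Win32_SystemDriver lists kernel-mode driver services with their image path.
    $found = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -like "*$Name*") }

    foreach ($svc in $found) {
        # Driver image paths come in several shapes: quoted, prefixed with \??\,
        # prefixed with \SystemRoot, or relative to the Windows directory.
        $path = $svc.PathName -replace '"', ''
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }

        $file = $null
        $sig  = $null
        if (Test-Path -LiteralPath $path) {
            $file = Get-Item -LiteralPath $path
            # Authenticode check: a valid signature is exactly why a vulnerable
            # driver can still be loaded on systems that do not blocklist it.
            $sig = Get-AuthenticodeSignature -FilePath $path
        }

        [pscustomobject]@{
            Service     = $svc.Name
            State       = $svc.State        # 'Running' means the driver is loaded right now
            StartMode   = $svc.StartMode
            Path        = $path
            FileVersion = if ($file) { $file.VersionInfo.FileVersion }    else { '<file missing>' }
            ProductVer  = if ($file) { $file.VersionInfo.ProductVersion } else { '<file missing>' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or file missing>' }
            SigStatus   = if ($sig) { $sig.Status } else { 'NotChecked' }
        }
    }
}

$report = @(Get-DriverServiceReport -Name $DriverName)
if ($report.Count -eq 0) {
    Write-Output "No driver service referencing $DriverName is registered on this host."
} else {
    # One record per matching service; compare FileVersion with the vendor's fixed build.
    $report | Format-List
}
```

A service record with the file present but State not Running is the situation the Avast statement describes on a patched Windows 10/11: the old image is still registered and validly signed, but Code Integrity refuses to load it. A record with State Running and a pre-fix version is the case worth acting on, and the report gives the path to remove or update.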

Andy Ful

One can use online services to find the vulnerabilities found in popular AVs. For example:
etc.

Only a few AV vulnerabilities were exploited in the wild (in highly targeted attacks).
The vuldb.com website requires free login after a few tries.

Another good source is:
The catalog can be searched by the AV vendor. The search for Avast returned 0 matches, so if Avast's vulnerabilities were exploited, these cases were very rare. The search for Microsoft Defender returned 2 vulnerabilities, McAfee - 1, Trend Micro (OfficeScan, Apex One, etc.) - total 8 vulnerabilities.

Post edited.