TuneUp and services in Avast, AVG, Avira, Norton expose security vulnerabilities

The virus protection software of the Avast, AVG, Avira and Norton brands from Gen Digital includes system optimization services and other components that contain vulnerabilities. Users of the affected software should check whether they have installed newer versions than those known to be vulnerable.

Gen Digital has not yet published an overview or its own vulnerability reports with further information. Over the weekend, however, the parent company published several CVE vulnerability entries naming vulnerable versions and components.

A whole slew of vulnerable components

The individual reports name the following programs and components:

• TuneUp Service in AVG TuneUp Version 23.4 (Build 15592) (Windows 10), CVE-2024-13960 / EUVD-2024-54469, CVSS 7.8, risk "high"
• TuneupSvc.exe in AVG TuneUp 24.2.16593.9844, CVE-2024-13959 / EUVD-2024-54470, CVSS 7.8, risk "high"
• TuneupSvc in Avast Cleanup Premium Version 24.2.16593.17810 (Windows 10 Pro x64), CVE-2024-13961 / EUVD-2024-54468, CVSS 7.8, risk "high"
• TuneupSvc in Gen Digital Inc. Avast Cleanup Premium Version 24.2.16593.17810 (Windows 10 Pro x64), CVE-2024-13962 / EUVD-2024-54467, CVSS 7.8, risk "high"
• System Speedup Service in Avira Operations GmbH Avira Prime Version 1.1.96.2 (Windows 10 x64), CVE-2024-9524 / EUVD-2024-54474, CVSS 7.8, risk "high"
• NortonUtilitiesSvc in Norton Utilities Ultimate Version 24.2.16862.6344 (Windows 10 Pro x64), CVE-2024-13944 / EUVD-2024-54472, CVSS 7.8, risk "high"
• Avira.Spotlight.Service.exe in Avira Prime 1.1.96.2 (Windows 10 x64), CVE-2024-13759 / EUVD-2024-54471, CVSS 7.8, risk "high"

All but the last vulnerability are gaps through which attackers can extend their rights in the system due to unchecked consequences of shortcuts (Link Following). For most of the vulnerabilities, the description states that local attackers can execute arbitrary code in the SYSTEM context by creating a symbolic link and launching a "time-of-check time-of-use" attack. The last vulnerability listed, on the other hand, allows system rights to be obtained by deleting arbitrary files.

Although most of the CVE entries mention Windows 10 as the context, it is not clear why the software should not be vulnerable on other Windows versions. As Gen Digital is not releasing any further information, users of the vulnerable software can only check whether the versions they have installed are already newer. If necessary, they should then initiate the update process – or, if possible, uninstall the system optimization components if the components are not being used anyway.

As a rule, only products from one provider are susceptible to a particular vulnerability. However, as there are several brands under the Gen Digital umbrella, most of which also use the same software base, some problems can then also occur across brand boundaries –. For example, with elements of the TuneUp software, as can apparently be observed at present.

(dmk)