Avast Antivirus: Attackers can escalate privileges through vulnerability

Avast Antivirus allowed malicious actors to extend their rights in the system due to a security vulnerability. Updated software is available and ideally should have already been distributed via the automatic update mechanism.

There is nothing about this vulnerability in Norton's security bulletin listing (Avast, Avira, AVG and Norton Security products are now grouped under this Gen Digital Inc. brand), but NortonLifeLock as CNA has created a corresponding CVE entry. According to this, it is a bug in the repair function of Avast Antivirus.

Symlinks lead to privilege escalation

Attackers with low privileges in the system can create a pseudo symlink and a directory redirection (junction) to a file in the file system. By calling the repair function under "Settings" – "Troubleshooting" – "Repair" in Avast Antivirus, the software attempts to delete an unnamed file with the rights NT AUTHORITY\SYSTEM. This leads to increased rights for attackers, who then have to win a race condition. A Windows call to a specially crafted file could then be used to execute a privileged shell (CVE-2024-5102, CVSS 7.3, risk"high").

The bug affects Avast Antivirus before version 24.2. The automatic update function should ensure that the bug-fixed newer versions are already on the computer. However, automatic updates can be restricted, especially in business products, so it makes sense to check whether the software is up-to-date.

Avast recently attracted attention due to the FTC's demand for fines amounting to 16.5 million US dollars. The subsidiary Jumpshot claims to provide protection against online tracking, but did exactly the opposite when the software collected masses of browser data and sold it to advertisers such as Condé Nast, Google, McKinsey, Microsoft, Pepsi, Sephora, Yelp and others.

(dmk)