Users of the antivirus solution get the Avira Optimizer installed with newer versions. Up to the version before 22.214.171.1247, it contains a vulnerability that allows privilege escalation. The Avira developers have now fixed this vulnerability in the version mentioned above.
Security researcher Matt Nelson noticed this; he tested it under Windows 10 1803 (x64). The following tweet points to the issue, which is caused by an insecurely protected named pipe.
[Blog] Avira Optimizer Local Privilege Escalation: https://t.co/gdOsiNoyRJ
— Matt Nelson (@enigma0x3) August 29, 2019
Here’s a rough outline of what this is about. The details can be read in the linked article.
Vulnerability in the Avira.OptimizerHost.exe service
When the latest Avira antivirus program is installed, it comes with various components as standard. One of these components is the Avira Optimizer. In short, “Avira.OptimizerHost.exe” runs as “NT AUTHORITY\SYSTEM” and takes commands from the named pipe “AviraOptimizerHost”.
The service performs improper validation of the calling client. In addition, inadequate checks on the executables it starts allow malicious code to have Avira.OptimizerHost.exe create processes on its behalf. This can lead to local privilege escalation.
Brief analysis of the problem
Avira.OptimizerHost.exe communicates with clients via a named pipe and checks whether the connecting client is an Avira application. Matt Nelson found a way to use a fake client carrying an Avira certificate to communicate with the service provided by Avira.OptimizerHost.exe.
Thanks to the named pipe and Avira.OptimizerHost.exe, the fake client can then open a command prompt that runs with SYSTEM privileges. Matt Nelson discusses the details of the vulnerability in his blog post.
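The two weaknesses described above (trusting a client-presented identity, and starting executables on the client's say-so) have a well-known defensive counterpart. The following is an added example, not Avira's code: a named-pipe server in which the pipe's DACL, not a certificate check on the caller, decides who may connect, and in which the client picks an action from a fixed table instead of naming an executable. The pipe name, the action table and the install layout are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not Avira's code. Pipe name and action table are hypothetical.
static class HardenedPipeServer
{
    const string PipeName = "ExampleOptimizerHost"; // hypothetical name

    // Action name -> executable under the install directory. Nothing outside
    // this table is ever started, whatever the client sends.
    static readonly Dictionary<string, string> Actions = new Dictionary<string, string>
    {
        ["cleanup"] = Path.Combine(AppContext.BaseDirectory, "Cleanup.exe"),
    };

    static PipeSecurity BuildPipeSecurity()
    {
        var ps = new PipeSecurity();
        // Deny connections that arrive over the network.
        ps.AddAccessRule(new PipeAccessRule(
            new SecurityIdentifier(WellKnownSidType.NetworkSid, null),
            PipeAccessRights.FullControl, AccessControlType.Deny));
        // Only elevated local administrators may issue commands to a SYSTEM
        // service that starts processes. An unprivileged client (including an
        // admin's UAC-filtered token) is refused at connect time, before any
        // command is parsed, and no client-side identity check is involved.
        ps.AddAccessRule(new PipeAccessRule(
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
            PipeAccessRights.ReadWrite, AccessControlType.Allow));
        ps.AddAccessRule(new PipeAccessRule(
            new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null),
            PipeAccessRights.FullControl, AccessControlType.Allow));
        return ps;
    }

    // Returns the resolved executable for an action, or null if the request
    // is not on the allow-list or does not resolve to an existing file
    // inside the install directory.
    internal static string ResolveAction(string request)
    {
        if (request == null || !Actions.TryGetValue(request.Trim(), out var exe))
            return null;
        string full = Path.GetFullPath(exe);
        string baseDir = Path.GetFullPath(AppContext.BaseDirectory);
        if (!full.StartsWith(baseDir, StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
            return null;
        return full;
    }

    static void Main()
    {
        // .NET Framework constructor that accepts a PipeSecurity; on .NET 5+
        // use NamedPipeServerStreamAcl.Create with the same arguments.
        using (var server = new NamedPipeServerStream(
            PipeName, PipeDirection.InOut, 1, PipeTransmissionMode.Byte,
            PipeOptions.None, 4096, 4096, BuildPipeSecurity()))
        {
            server.WaitForConnection();
            // The connecting user comes from the client's access token, which
            // the client cannot forge; record it for the audit trail.
            string client = server.GetImpersonationUserName();
            using (var reader = new StreamReader(server))
            using (var writer = new StreamWriter(server) { AutoFlush = true })
            {
                string exe = ResolveAction(reader.ReadLine());
                if (exe == null)
                {
                    Console.Error.WriteLine($"Rejected request from {client}");
                    writer.WriteLine("ERR");
                    return;
                }
                Console.WriteLine($"{client} requested {exe}");
                Process.Start(new ProcessStartInfo(exe) { UseShellExecute = false });
                writer.WriteLine("OK");
            }
        }
    }
}
```

The point of the design is that no data the client controls (a signature it presents, a path it sends) ever reaches the decision of what runs as SYSTEM: the DACL answers "who may talk to me" and the fixed table answers "what may be started". If the service must serve unprivileged users as well, the allowed SID can be widened, but then every action must also be one that is safe to perform on behalf of a standard user.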
Vulnerability already fixed
Matt Nelson contacted the Avira development team after he encountered the problem. The team remained in constant contact and solved the problem in a very short time: within about 30 days of the first report, a fix was developed and distributed to users. Here is the timeline:
- July 23, 2019: Vulnerability sent to Avira
- July 24, 2019: Confirmation by Avira, which reports compile problems with the PoC
- July 26, 2019: Avira can reproduce the problem with the PoC
- August 6, 2019: Avira provides the first fix and offers a test
- August 6, 2019: Reply to Avira with a bypass for the patch, an updated proof of concept (PoC) and details
- August 16, 2019: Avira presents a new fix and offers a new test
- August 16, 2019: Fix tested, appears to close the vulnerability; Avira informed
- August 27, 2019: Avira distributes the fix to its users
On August 29, 2019, Matt Nelson revealed the details within this blog post.