[German]Security researchers at Sentinel One have discovered two serious vulnerabilities in Avast and AVG's security products that have been around for 10 years and put millions of users at risk. The vulnerabilities are in Avast's anti-rootkit driver (which is also used by AVG). Attackers can use the vulnerabilities to take over the Windows system.
Avast and AVG are widely used antivirus programs, and the existence of the two critical vulnerabilities puts many users around the world at particular risk from cyber attacks.
CVE-2022-26522 and CVE-2022-26523
Avast's Anti Rootkit driver is actually meant to protect Windows systems against the installation of rootkits. After Avast acquired AVG, the driver was adopted in AVG's antivirus products as well.
Unfortunately, older versions of this driver contain the vulnerabilities CVE-2022-26522 and CVE-2022-26523 discovered by SentinelLabs. Both vulnerabilities are rated as high severity, because they expose systems to extremely effective attack methods. Through the driver vulnerabilities, attackers with only normal user privileges can gain elevated privileges and execute code in the system's kernel mode.
The vulnerabilities not only allow attackers to escalate their access rights, but also to subsequently disable security products, overwrite system components, corrupt the operating system, or carry out malicious operations unhindered. The background is that security products – and the anti-rootkit driver in particular – inevitably run at the highest privilege level of the operating system.
Vulnerabilities in these components are therefore extremely attractive to attackers, and for companies and users they pose an extremely critical risk. It is no coincidence that the term snake oil comes up here: in such cases, security products do not protect against threats, they enable attacks. Threat actors could cause enormous financial damage by exploiting them.
Avast notified in December 2021
The security researchers informed Avast of their findings in December 2021. Avast has since released security updates (without notice) for the affected products that address these vulnerabilities. Most Avast and AVG users receive the patch (version 22.1) automatically. Those running an air-gapped or on-premise installation, however, are advised to apply the patch as soon as possible.
At this time, SentinelLabs has no evidence that an exploit of the vulnerabilities has taken place. According to Avast, the vulnerable feature was introduced in Avast 12.1, which was released in January 2012.
Potential impact of the vulnerabilities
Due to the nature of these vulnerabilities, they can be triggered from sandboxes and may be exploitable in contexts other than just local privilege escalation. For example, the vulnerabilities could be exploited as part of a second-stage browser attack, the security researchers write. Or the vulnerabilities could be used to break out of the sandbox.
As the researchers have noted with similar vulnerabilities in other products, critical flaws like these have the potential to allow a complete takeover of a device. In this case that is possible even without privileges, since the vulnerabilities make it possible to execute code in kernel mode.