SentinelOne’s Kasif Dekel has discovered and publicly disclosed two new high-severity security vulnerabilities in Avast and AVG antivirus products.
The two vulnerabilities are tracked as CVE-2022-26522 and CVE-2022-26523 affecting a legitimate driver that is used by both Avast and AVG AV solutions.
Here’s what Kasif Dekel stated:-
“These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded.”
Bugs have been reported in the anti-rootkit kernel driver named aswArPot.sys, an authenticated version of “Avast Anti-Rootkit” from AVAST Software. As of June 12, 2012, Avast 12.1, which is effectively the current version of the driver, has been released.
There is the possibility that a malicious attacker could take advantage of these vulnerabilities to escalate privileges and likely disable antivirus applications.
The security flaw relates to a socket connection handler in the kernel driver, which could give non-administrator users privilege escalation. Therefore, the problem could possibly lead to the blue screen of death error and crash the operating system.
Flaws
It appears that the vulnerability (CVE-2022-26522) resides in a routine in a socket connection handler that is used by the kernel driver aswArPot.sys. And hereby instigating a socket connection it is possible to trigger the issue.
As for the second vulnerability, it is also tracked as CVE-2022-26523 and lies in the aswArPot+0xbb94 function just like the first one.
There is a possibility that the flaws can lead to a second-stage browser attack that allows the exploitation of the sandbox to escape flaws.
Mitigation
Millions of users all over the world are affected by these highly severe vulnerabilities. Users of Avast and AVG will be able to automatically receive the new patch (version 22.1) during the coming weeks automatically.
While the patch should be applied as soon as possible for users of on-premise or air-gapped installations.
It is a known fact that coordinated disclosure is an excellent means of preventing risks from falling into the hands of attackers. Experts have a bug bounty program that they encourage you to sign up for.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
