Decade-old bugs discovered in Avast, AVG antivirus software

Researchers have disclosed two superior-severity vulnerabilities in Avast and AVG antivirus goods which have long gone undetected for 10 several years. 

On Thursday, SentinelOne revealed a protection advisory on the flaws, tracked as CVE-2022-26522 and CVE-2022-26523. 

Avast obtained AVG in 2016 for $1.3 billion. According to the cybersecurity business, the vulnerabilities have existed because 2012 and, as a result, could have influenced “dozens of tens of millions of users around the world.”

CVE-2022-26522 and CVE-2022-26523 had been identified in the Avast Anti Rootkit driver, introduced in January 2012 and also employed by AVG. The initially vulnerability was current in a socket connection handler used by the kernel driver aswArPot.sys, and during schedule operations, an attacker could hijack a variable to escalate privileges.

Stability products have to run with large privilege amounts, and so attackers capable to exploit this flaw could possibly disable protection alternatives, tamper with a focus on working method, or accomplish other malicious actions. 

The second vulnerability, CVE-2022-26523, is described as “very comparable” to CVE-2022-26522 and was current in the aswArPot+0xc4a3 operate. 

“Owing to the mother nature of these vulnerabilities, they can be brought on from sandboxes and may be exploitable in contexts other than just local privilege escalation,” SentinelLabs stated. “For example, the vulnerabilities could be exploited as component of a 2nd-stage browser attack or to accomplish a sandbox escape, among the other choices.”

SentinelLabs documented the vulnerabilities to Avast on December 20, 2021. By January 4, the cybersecurity methods company had acknowledged the report and launched fixes in Avast v.22.1 to offer with the vulnerabilities following triage. 

The vulnerabilities have been patched by February 11. SentinelLabs reported there is no evidence of energetic exploitation in the wild. 

ZDNet Endorses

The best antivirus software and apps

The greatest antivirus software and apps

A roundup of the greatest application and applications for Home windows and Mac personal computers, as effectively as iOS and Android gadgets, to preserve by yourself safe from malware and viruses.

People must have obtained the needed updates instantly and do not will need to just take further more action. 

“The impact this could have on end users and enterprises that fall short to patch is considerably-achieving and significant,” the firm extra. “We would like to thank Avast for their technique to our disclosure and for rapidly remediating the vulnerabilities.” 

Avast told ZDNet:

“Avast is an lively participant in the coordinated vulnerability disclosure procedure, and we take pleasure in that SentinelOne has labored with us and delivered a in-depth analysis of the vulnerabilities discovered. SentinelOne reported two vulnerabilities, now tracked as CVE-2022-26522 and CVE-2022-26523, to us on December 20, 2021. 

We labored on a correct produced in edition 22.1 in February 2022 and notified SentinelOne of this applied deal with. Avast and AVG buyers had been automatically updated and are guarded against any threat of exploitation, although we have not viewed the vulnerabilities abused in the wild. We advocate our Avast and AVG end users continually update their program to the newest variation to be secured. Coordinated disclosure is an excellent way of protecting against dangers from manifesting into assaults, and we stimulate participation in our bug bounty plan.”

Earlier and linked protection

Have a idea? Get in touch securely through WhatsApp | Signal at +447713 025 499, or about at Keybase: charlie0