Askhat - stock.adobe.com
SentinelOne discovered two high-severity vulnerabilities affecting Avast and AVG antivirus products that have existed since 2012.
Threat detection vendor SentinelOne published a blog that disclosed the vulnerabilities on Thursday. The flaws concern Avast's anti-rootkit driver, which is used by both Avast and AVG antivirus products (Avast acquired AVG in 2016). If exploited, a threat actor could use the driver to escalate privileges to kernel level. The large number of Avast and AVG users means, as SentinelOne noted in its blog, that millions of users are theoretically vulnerable.
The flaws are tracked as CVE-2022-26522 and CVE-2022-26523; full technical details are available in SentinelOne's blog post. A patch released in February, version 22.1, fixed the issue and was automatically applied to most users' Avast and AVG installations. SentinelOne advised users without automatic updates, including those running on-premises versions, to patch immediately.
Kasif Dekel, SentinelOne senior security researcher and author of the blog post, wrote that the vulnerabilities remained undiscovered for 10 years and can be exploited in multiple contexts.
"Due to the nature of these vulnerabilities, they can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation," he wrote. "For example, the vulnerabilities could be exploited as part of a second stage browser attack or to perform a sandbox escape, among other possibilities."
Antivirus vulnerabilities have the potential to be especially severe; the software usually needs access to all parts of a user's device and, as such, requires higher privileges than most downloaded software.
According to the timeline provided in the blog post, SentinelOne reported the flaws to Avast on Dec. 20 of last year. Avast acknowledged the report in early January before informing SentinelOne that the flaw was fixed on Feb. 11.
However, SentinelOne's report said, "Avast has silently released security updates to address these vulnerabilities."
SearchSecurity asked Avast why it didn't publicly release a disclosure for customers that credited SentinelOne with the discovery of the vulnerabilities.
An Avast spokesperson sent the following statement to SearchSecurity:
"Both Sentinel One and Avast followed industry standard practices for responsible disclosure which is a well adopted process in the technology industry whereby vulnerabilities are first shared privately with the makers of the affected technology allowing time for them to be fixed before they become known and potentially exploited. Avast published an update on February 8, which included the fix for this vulnerability along with other bug fixes," the statement said.
"It is common practice among technology companies to fix vulnerabilities in their products without providing information which could lead to their exploitation. It is also common practice for research teams to publish the details of their findings as a way to achieve recognition for their findings and share their learnings with the wider threat community. By using responsible disclosure, users are protected while the wider industry can learn from the research conducted on those vulnerabilities to ensure they do not occur in other products."
The spokesperson included a link to an Avast forum post announcing version 22.1 on Feb. 8. However, the post does not mention either CVE or the privilege escalation threats, nor does it credit SentinelOne for the discoveries. The post only mentions that a "Rootkit driver BSOD [blue screen of death] was fixed."
SentinelOne's post followed a Monday report from Trend Micro that similarly covered Avast's anti-rootkit driver. Trend Micro researchers discovered AvosLocker ransomware was abusing the driver in order to evade detection.
According to Trend Micro, Avast confirmed a vulnerability existed in an old version of the driver, which was fixed in June 2021.
Alexander Culafi is a writer, journalist and podcaster based in Boston.