SentinelOne discovered two serious zero-day vulnerabilities in Avast and AVG. The threats went unnoticed for ten years.
The vulnerabilities allow attackers to escalate privileges, after which a system’s security tools can be disabled. In December 2021, SentinelOne’s researchers disclosed the vulnerabilities to Avast, AVG’s parent company. Avast quietly released security updates in February 2022. Most users receive the updates automatically. However, if you’re running Avast or AVG in an air-gapped or on-premises environment, it’s advisable to update to version 22.1 or later as soon as possible.
The vulnerabilities have been identified as CVE-2022-26522 and CVE-2022-26523. Both received a severe CVSS rating. Both stem from the same driver, which we’ll cover below. The driver has been included in Avast’s antivirus software since 2012. SentinelOne speculates that millions of users were exposed to the vulnerabilities. There’s no evidence of the vulnerabilities being exploited by cybercriminals.
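The article’s practical advice is to make sure every Avast or AVG installation is on version 22.1 or later, which matters most where updates don’t arrive automatically. The following PowerShell script is an added example, not code from the article, SentinelOne or Avast: it reads the standard Windows uninstall registry keys, picks out products whose name contains Avast or AVG, and flags any whose DisplayVersion is below 22.1. The name filter and the assumption that the product registers a dotted-numeric DisplayVersion under those keys are assumptions of this example; the script is an inventory aid for administrators, not a replacement for the vendor’s own update mechanism.

```powershell
# Added example (not from the article, SentinelOne or Avast).
# Lists installed Avast/AVG products from the standard Windows uninstall registry
# keys and flags versions below 22.1, the fixed release the article names.
# Assumptions: the product appears under these Uninstall keys with a DisplayName
# containing "Avast" or "AVG" and a DisplayVersion such as "22.1.1234".

$MinimumFixed = [version]'22.1'

# Both native and 32-bit-on-64-bit uninstall hives.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-ComparableVersion {
    param([string]$DisplayVersion)
    # Keep only the leading dotted-numeric part ("22.1.6921 beta" -> "22.1.6921").
    $numeric = $DisplayVersion -replace '[^0-9.].*$', ''
    $parsed = $null
    if ([version]::TryParse($numeric, [ref]$parsed)) { return $parsed }
    # [version] needs at least "major.minor"; pad a bare major number.
    if ([version]::TryParse("$numeric.0", [ref]$parsed)) { return $parsed }
    return $null
}

function Get-AvProductStatus {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Avast|AVG' -and $_.DisplayVersion } |
        ForEach-Object {
            $installed = ConvertTo-ComparableVersion -DisplayVersion $_.DisplayVersion
            if ($installed -and $installed -ge $MinimumFixed) {
                $status = 'Patched (22.1 or later)'
            } else {
                $status = 'UPDATE REQUIRED (below 22.1 or version unreadable)'
            }
            [pscustomobject]@{
                Product = $_.DisplayName
                Version = $_.DisplayVersion
                Status  = $status
            }
        }
}

# Run the check; no output means no Avast/AVG product is registered on this host.
Get-AvProductStatus | Format-Table -AutoSize
```

The comparison uses the .NET `[version]` type rather than string comparison, so `21.11.x` correctly sorts below `22.1` (a plain string compare would rank "21.11" above "22.1" on the second character). In an air-gapped fleet this can be run through existing remote management tooling and the `UPDATE REQUIRED` rows collected centrally.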
RootKit driver in Avast and AVG
A function in the RootKit driver allowed attackers to crash systems and execute code in kernel mode. Antivirus software runs with the highest privileges on a system. By executing code in the kernel, attackers can elevate their own privileges, a technique known as privilege escalation. In 2021, SentinelOne found multiple privilege escalation vulnerabilities in HP and Dell devices. Such vulnerabilities are particularly disturbing because local access is sufficient to take over an entire system.
In addition to privilege escalation, SentinelOne suspects that Avast and AVG can be exploited for sandbox escapes.
Sandboxes are isolated environments on the same system. Windows user accounts are a common example. If a PC has two user accounts, applications on one account should not affect the other. That is, as long as the applications work as they should.
By running Avast or AVG inside a sandbox and exploiting the vulnerability, data from another sandbox can be accessed. If a cybercriminal has access to a device but lacks the right account, Avast and AVG can be exploited to extend that access to an account of their choosing.