Pierluigi Paganini May 05, 2022

Researcher discovered a couple of high-severity security flaws that affect a driver used by Avast and AVG antivirus solutions.

SentinelOne researcher Kasif Dekel discovered two high-severity security vulnerabilities, tracked as CVE-2022-26522 and CVE-2022-26523, that affect a driver used by Avast and AVG antivirus solutions.

The bugs reside in the anti-rootkit kernel driver named aswArPot.sys which is the “Avast anti-rootkit,” digitally signed by AVAST Software. The driver was introduced in Avast version 12.1, which dates back to June 2012.

An attacker could exploit these vulnerabilities to escalate privileges and potentially disable antivirus solutions.

“SentinelLabs has discovered two high severity flaws in Avast and AVG (acquired by Avast in 2016) that went undiscovered for 10 years affecting dozens of millions of users.” reads the advisory published by SentinelOne. “These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded.”

The vulnerable routine resides in a socket connection handler used in the kernel driver aswArPot.sys, the issue can be triggered by initiating a socket connection.

The second issue, tracked as CVE-2022-26523, resides in the function at aswArPot+0xbb94 and is very similar to the first vulnerability.

Experts pointed out that the flaws can be exploited to perform a sandbox escape in a second-stage browser attack.

“Due to the nature of these vulnerabilities, they can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation. For example, the vulnerabilities could be exploited as part of a second stage browser attack or to perform a sandbox escape, among other possibilities.” concludes the experts. “As we have noted with similar flaws in other products recently (1, 2, 3), such vulnerabilities have the potential to allow complete take over of a device, even without privileges, due to the ability to execute code in kernel mode. Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products.”

The flaws were reported by SentinelOne on December 20, 2021, and Avast fixed the issues with the release of antivirus version 22.1 on February 8, 2022.

The researchers pointed out that most Avast and AVG installs will be automatically updated, while air gapped or on-premise installs would be manually fixed as soon as possible.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS

Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.

To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Avast)

[adrotate banner=”5″]

[adrotate banner=”13″]