
Ten-year-old bugs found in Avast and AVG antiviruses

SentinelOne reports finding two serious vulnerabilities in Avast and AVG antivirus products. Both are located in the anti-rootkit driver aswArPot.sys that the two products share. The vulnerabilities entered the code with the release of Avast 12.1 in 2012 and went unnoticed the whole time since.

December 2021

The researchers identified the bugs in December 2021; they were later assigned the identifiers CVE-2022-26522 and CVE-2022-26523. The vulnerabilities were fixed in February with the release of version 22.1.

The function first attaches the current thread to the target process and then uses nt!PsGetProcessPeb to get a pointer to the PEB of the current process (red arrow). It then reads PPEB->ProcessParameters->CommandLine.Length for the first time to size a new buffer it allocates (yellow arrow), and copies the user-provided buffer to PPEB->ProcessParameters->CommandLine.Buffer using PPEB->ProcessParameters->CommandLine.Length, read again, as the copy size (orange arrow).
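The routine described above sizes an allocation from a length field that lives in user-mode memory and then consults the same field again for the copy. The following C program is an added example, not code from SentinelOne's write-up or from the driver itself: it simulates that double-fetch pattern in user space and places the single-fetch, validate-once form beside it. All names (`peb_sim`, `unicode_string_sim`, `fetch_length`, the two `copy_cmdline_*` functions) and the 8-byte/64-byte sizes are constructed for the illustration; the concurrent writer is simulated deterministically instead of with a second thread, and the copy is clamped so the demonstration itself never corrupts memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the UNICODE_STRING the PEB exposes as
 * ProcessParameters->CommandLine. The real structure is user-mode memory,
 * so every field can be rewritten by the process at any moment. */
typedef struct {
    uint16_t Length;        /* bytes in use */
    uint16_t MaximumLength; /* bytes allocated behind Buffer */
    uint8_t  *Buffer;
} unicode_string_sim;

/* Simulated PEB with a deterministic "race" hook: after the first read of
 * Length the field flips to grown_length, standing in for a second thread
 * that rewrites the field between two kernel reads. */
typedef struct {
    unicode_string_sim *cmdline;
    uint16_t grown_length;
    int      length_reads;
} peb_sim;

static uint16_t fetch_length(peb_sim *peb) {
    uint16_t seen = peb->cmdline->Length;
    if (++peb->length_reads == 1)
        peb->cmdline->Length = peb->grown_length; /* racing writer lands here */
    return seen;
}

/* Outcome of one copy attempt: bytes allocated versus bytes the copy loop
 * believed it had to move. copied > allocated is the overflow condition. */
typedef struct {
    size_t allocated;
    size_t copied;
    int    rejected;
} copy_result;

/* Double-fetch pattern: Length is read once to size the allocation and
 * again to size the copy. The memcpy is clamped here so the example stays
 * memory-safe; the result records the size an unclamped copy would use. */
copy_result copy_cmdline_double_fetch(peb_sim *peb) {
    copy_result r = {0, 0, 0};
    size_t alloc_len = fetch_length(peb);          /* first read */
    uint8_t *kbuf = malloc(alloc_len ? alloc_len : 1);
    if (!kbuf) { r.rejected = 1; return r; }
    size_t copy_len = fetch_length(peb);           /* second read, may differ */
    memcpy(kbuf, peb->cmdline->Buffer, copy_len < alloc_len ? copy_len : alloc_len);
    r.allocated = alloc_len;
    r.copied = copy_len;
    free(kbuf);
    return r;
}

/* Single-fetch pattern: capture every user-controlled field once into
 * locals the caller owns, validate them, then allocate and copy from the
 * locals only. Later changes to the PEB cannot alter the copy size. */
copy_result copy_cmdline_single_fetch(peb_sim *peb) {
    copy_result r = {0, 0, 0};
    uint16_t len = fetch_length(peb);              /* the only read of Length */
    uint16_t max = peb->cmdline->MaximumLength;
    uint8_t *src = peb->cmdline->Buffer;
    if (src == NULL || len > max) { r.rejected = 1; return r; }
    uint8_t *kbuf = malloc(len ? len : 1);
    if (!kbuf) { r.rejected = 1; return r; }
    memcpy(kbuf, src, len);                        /* same len as the allocation */
    r.allocated = len;
    r.copied = len;
    free(kbuf);
    return r;
}

/* Constructed scenario: Length starts at 8 bytes and flips to 64 after the
 * first read; the backing store really is 64 bytes, so reads stay in bounds. */
static peb_sim make_racing_peb(unicode_string_sim *s, uint8_t *backing) {
    s->Length = 8;
    s->MaximumLength = 64;
    s->Buffer = backing;
    peb_sim p = { s, 64, 0 };
    return p;
}

copy_result run_double_fetch_demo(void) {
    static uint8_t backing[64];
    unicode_string_sim s;
    peb_sim p = make_racing_peb(&s, backing);
    return copy_cmdline_double_fetch(&p);
}

copy_result run_single_fetch_demo(void) {
    static uint8_t backing[64];
    unicode_string_sim s;
    peb_sim p = make_racing_peb(&s, backing);
    return copy_cmdline_single_fetch(&p);
}

int main(void) {
    copy_result a = run_double_fetch_demo();
    copy_result b = run_single_fetch_demo();
    printf("double fetch: allocated %zu, copy size %zu -> %s\n", a.allocated, a.copied,
           a.copied > a.allocated ? "OVERFLOW" : "ok");
    printf("single fetch: allocated %zu, copy size %zu -> ok\n", b.allocated, b.copied);
    return 0;
}
```

The defensive rule the second function follows is the general one for any kernel path that consumes user-mode structures: copy each field into kernel-owned storage exactly once, validate the copy (here `Length <= MaximumLength` and a non-null buffer), and never dereference the user-mode pointer again for a value that already influenced an allocation.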

SentinelOne rated the vulnerabilities "high severity": they allowed an attacker with limited privileges on the system to execute code in kernel mode and eventually take full control of the device.

“The nature of these vulnerabilities is such that they can be launched from sandboxes and used in a context other than simple local privilege escalation. For example, vulnerabilities can be used in the second stage of a browser attack or to escape from a sandbox. Among the obvious abuses of such problems is bypassing security solutions,” the researchers note. According to them, the bugs can be used to disable security products, overwrite system components, damage the operating system, or perform malicious operations without hindrance.

So far, experts have no evidence that the vulnerabilities were exploited in practice.

Avast and AVG

Avast bought AVG in 2016. Their antiviruses are popular all over the world, so the vulnerabilities could potentially affect millions of users.

Meanwhile, Trend Micro detailed the AvosLocker ransomware, which used a different issue in the same driver to disable antivirus products during its attacks. AvosLocker was first discovered in July 2021, and several new variants of it have appeared over the past few months.

Michael Zippo
2022/05/10

https://linkedin.com/in/michael-zippo-9136441b1

Sources: SentinelOne
