SentinelOne finds high-severity flaws in Avast, AVG


SentinelOne uncovered two high-severity vulnerabilities affecting Avast and AVG antivirus products that have existed since 2012.

Threat detection vendor SentinelOne published a blog post that disclosed the vulnerabilities on Thursday. The flaws concern Avast's anti-rootkit driver, which is used by both Avast and AVG antivirus products (Avast acquired AVG in 2016). If exploited, a threat actor could use the driver to escalate privileges to kernel level. The large number of Avast and AVG users means, as SentinelOne noted in its blog, that millions of people are theoretically vulnerable.

The flaws are tracked as CVE-2022-26522 and CVE-2022-26523; full technical details are provided in SentinelOne's blog post. A patch released in February, version 22.1, fixed the issue and was automatically applied to most users' Avast and AVG installations. SentinelOne advised customers without automatic updates, including those running on-premises versions, to patch immediately.

Kasif Dekel, SentinelOne senior security researcher and author of the blog post, wrote that the vulnerabilities remained undiscovered for 10 years and can be exploited in multiple contexts.

"Due to the nature of these vulnerabilities, they can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation," he wrote. "For example, the vulnerabilities could be exploited as part of a second stage browser attack or to perform a sandbox escape, among other possibilities."

Antivirus vulnerabilities have the potential to be particularly serious because the software typically needs access to all parts of a user's device and, as such, requires higher privileges than most downloaded software.

According to the timeline provided in the blog post, SentinelOne reported the flaws to Avast on Dec. 20 of last year. Avast acknowledged the report in early January before informing SentinelOne that the flaw was fixed on Feb. 11.

However, SentinelOne's report stated, "Avast has silently released security updates to address these vulnerabilities."

SearchSecurity asked Avast why it did not publicly release a disclosure for customers that credited SentinelOne with the discovery of the vulnerabilities.

An Avast spokesperson sent the following statement to SearchSecurity:

"Both SentinelOne and Avast followed industry standard practices for responsible disclosure, which is a well adopted process in the technology industry whereby vulnerabilities are first shared privately with the makers of the affected technology, allowing time for them to be fixed before they become known and potentially exploited. Avast published an update on February 8, which included the fix for this vulnerability along with other bug fixes," the statement said.

"It is common practice among technology companies to fix vulnerabilities in their products without providing information which could lead to their exploitation. It is also common practice for research teams to publish the details of their findings as a way to achieve recognition for their findings and share their learnings with the wider threat community. By using responsible disclosure, customers are protected while the wider industry can learn from the research conducted on these vulnerabilities to ensure they do not occur in other products."

The spokesperson included a link to an Avast forum post announcing version 22.1 on Feb. 8. However, the post does not mention either CVE or the privilege escalation threats, nor does it credit SentinelOne for the discoveries. The post only mentions that a "Rootkit driver BSOD [blue screen of death] was fixed."

SentinelOne's post followed a Monday report from Trend Micro that similarly covered Avast's anti-rootkit driver. Trend Micro researchers found that AvosLocker ransomware was abusing the driver in order to evade detection.

According to Trend Micro, Avast confirmed a vulnerability existed in an old version of the driver, which was fixed in June 2021.

Alexander Culafi is a writer, journalist and podcaster based in Boston.