Decade-old bugs discovered in Avast, AVG antivirus software

Researchers say exploitation could have had "far-reaching and significant" consequences.
Written by Charlie Osborne, Contributing Writer

Researchers have disclosed two high-severity vulnerabilities in Avast and AVG antivirus products which have gone undetected for ten years. 

On Thursday, SentinelOne published a security advisory on the flaws, tracked as CVE-2022-26522 and CVE-2022-26523.

Avast acquired AVG in 2016 for $1.3 billion. According to the cybersecurity firm, the vulnerabilities have existed since 2012 and, therefore, could have affected "dozens of millions of users worldwide."

CVE-2022-26522 and CVE-2022-26523 were found in the Avast Anti Rootkit driver, introduced in January 2012 and also used by AVG. The first vulnerability was present in a socket connection handler used by the kernel driver aswArPot.sys, and during routine operations, an attacker could hijack a variable to escalate privileges.

Security products must run with high privilege levels, and so attackers able to exploit this flaw could potentially disable security solutions, tamper with a target operating system, or perform other malicious actions. 

The second vulnerability, CVE-2022-26523, is described as "very similar" to CVE-2022-26522 and was present in the aswArPot+0xc4a3 function. 

"Due to the nature of these vulnerabilities, they can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation," SentinelLabs said. "For example, the vulnerabilities could be exploited as part of a second-stage browser attack or to perform a sandbox escape, among other possibilities."

SentinelLabs reported the vulnerabilities to Avast on December 20, 2021. By January 4, the cybersecurity solutions provider had acknowledged the report and released fixes in Avast v.22.1 to deal with the vulnerabilities after triage. 

The vulnerabilities were patched by February 11. SentinelLabs said there is no evidence of active exploitation in the wild. 

Users should have received the necessary updates automatically and do not need to take further action. 

"The impact this could have on users and enterprises that fail to patch is far-reaching and significant," the company added. "We would like to thank Avast for their approach to our disclosure and for quickly remediating the vulnerabilities." 

Avast told ZDNet:

"Avast is an active participant in the coordinated vulnerability disclosure process, and we appreciate that SentinelOne has worked with us and provided a detailed analysis of the vulnerabilities identified. SentinelOne reported two vulnerabilities, now tracked as CVE-2022-26522 and CVE-2022-26523, to us on December 20, 2021. 

We worked on a fix released in version 22.1 in February 2022 and notified SentinelOne of this applied fix. Avast and AVG users were automatically updated and are protected against any risk of exploitation, although we have not seen the vulnerabilities abused in the wild. We recommend our Avast and AVG users constantly update their software to the latest version to be protected. Coordinated disclosure is an excellent way of preventing risks from manifesting into attacks, and we encourage participation in our bug bounty program."
