Two high-severity security vulnerabilities, which went undetected for a number of years, have been found in a legitimate driver that is part of the Avast and AVG antivirus products.
“These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded,” SentinelOne researcher Kasif Dekel said in a report shared with The Hacker News.
Tracked as CVE-2022-26522 and CVE-2022-26523, the issues reside in a legitimate anti-rootkit kernel driver named aswArPot.sys and are said to have been introduced in Avast version 12.1, which was released in June 2016.
Specifically, the shortcomings are rooted in a socket connection handler within the kernel driver that could lead to privilege escalation by running code in the kernel from a non-administrator user, potentially causing the operating system to crash and display a blue screen of death (BSoD) error.
Worryingly, the issues could also be exploited as part of a second-stage browser attack or to perform a sandbox escape, resulting in far-reaching consequences.
Following responsible disclosure on December 20, 2021, Avast addressed the problems in version 22.1 of the software, released on February 8, 2022. “Rootkit driver BSoD was fixed,” the company said in its release notes.
While there is no evidence that these flaws have been abused in the wild, the disclosure comes just days after Trend Micro detailed an AvosLocker ransomware attack that leveraged another issue in the same driver to terminate antivirus products on the compromised system.
Update: SentinelOne notes that the bug dates back to version 12.1, which it claims was released in January 2012. However, Avast’s own release notes show that version 12.1 was shipped in June 2016. We have reached out to SentinelOne for further comment, and we will update the story once we hear back.