Decade-Old Vulnerabilities Found in Avast and AVG Antivirus
Security experts from SentinelOne have discovered two vulnerabilities in Avast and AVG antivirus software, both related to a shared rootkit protection driver (aswArPot.sys). These vulnerabilities were introduced with the release of Avast 12.1 back in 2012 and went unnoticed for nearly ten years.
The bugs were identified in December 2021 and have been assigned the identifiers CVE-2022-26522 and CVE-2022-26523. Both Avast and AVG antivirus products are affected because, since Avast acquired AVG in 2016, the two products have used the same rootkit protection driver. The vulnerabilities were fixed in February 2022 with the release of version 22.1.
Severity and Potential Impact
According to SentinelOne, these vulnerabilities were rated as “high severity” because they allowed an attacker with limited system privileges to execute code in kernel mode, potentially gaining full control over the device.
“The nature of these vulnerabilities is such that they can be triggered from sandboxes and used in contexts beyond simple local privilege escalation. For example, they could be exploited in the second stage of a browser attack or to escape from a sandbox. Obvious abuses include bypassing security solutions,” the researchers wrote. “These vulnerabilities allow attackers to escalate privileges, disable security products, overwrite system components, corrupt the operating system, or freely execute malicious operations.”
No Evidence of Exploitation
Experts have found no evidence that hackers have exploited these vulnerabilities. However, it is notable that information about these bugs was published just days after Trend Micro detailed the AvosLocker malware, which used a different issue in the same driver to disable antivirus products during its attacks.