Proof-of-Concept exploit code released for antivirus software

Target Industry

Indiscriminate, opportunistic targeting.

Overview

A Proof-of-Concept (PoC) exploit has been released by security researcher Denis Skvortcov for two antivirus software vulnerabilities, tracked as CVE-2023-1585 (CVSSv3 Base Score: 6.5 – Medium Severity) and CVE-2023-1587 (CVSSv3 Base Score: 5.8 – Medium Severity).

CVE-2023-1585 is a time-of-check/time-of-use (TOCTOU) vulnerability in the quarantine process of Avast and AVG AntiVirus software. The antivirus software removes malicious files whenever they are detected. To prevent file redirection attacks, the antivirus programme first checks the file path of the malicious file for links and resolves it to a path without links before deleting the file. However, the check and the deletion are performed as separate steps over shared state, and other operations are allowed to occur between them. This gives a threat actor a window in which to manipulate the path links and redirect the software’s deletion, which could lead to the deletion of arbitrary files or directories. When chained with CVE-2023-1587, a NULL pointer dereference flaw in the Avast AV RPC interface named “aswChest”, this can lead to code execution as SYSTEM.

When executed, the PoC deletes the existing “C:\ProgramData\Avast Software\Avast\fw” directory and subsequently calls the Proc3 function, exploiting CVE-2023-1587 and causing the Avast service to crash.
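The check-then-delete sequence described above is the general CWE-367 pattern, and the defensive fix is to act on a handle obtained at check time rather than on a path string that the operating system re-resolves later. The following is an added example, not Avast/AVG code and not the researcher's PoC: it uses a POSIX analogue of the Windows link-resolution issue (symbolic links, O_NOFOLLOW and unlinking relative to a held directory descriptor), constructed temporary directories and files, and a `race_hook` callback that stands in for the timing window in which another process changes the path. The vulnerable routine passes its link check and is then redirected into a directory it was never meant to touch; the hardened routine holds a descriptor to the real directory, so the same swap has no effect.

```python
import os
import tempfile


def has_symlink_component(path):
    """Time-of-check step: walk every path component and report any symlink."""
    cur = os.sep
    for part in [p for p in path.split(os.sep) if p]:
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            return True
    return False


def quarantine_delete_vulnerable(path, race_hook=None):
    """Check-then-use on a path string.

    The check and the os.remove() are separate steps; the kernel resolves
    'path' again at the use step, so a link inserted in between is followed.
    """
    if has_symlink_component(path):
        raise PermissionError("refusing to delete through a link")
    if race_hook:            # stand-in for the window another process could use
        race_hook()
    os.remove(path)          # re-resolved here: follows any newly inserted link


def quarantine_delete_hardened(path, race_hook=None):
    """Walk to the parent directory one component at a time, refusing links at
    each step (O_NOFOLLOW), then unlink relative to the held directory fd.

    A later rename or link swap on the path cannot redirect the delete because
    the fd already refers to the directory inode that was validated.
    """
    parent, name = os.path.split(path)
    dir_fd = os.open(os.sep, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for part in [p for p in parent.split(os.sep) if p]:
            # ELOOP (OSError) if this component is a symlink: fail closed
            nxt = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        if race_hook:
            race_hook()
        os.unlink(name, dir_fd=dir_fd)   # acts on the validated directory only
    finally:
        os.close(dir_fd)


def _build_scenario():
    """Constructed layout: a protected file and a flagged sample whose parent
    directory the simulated race replaces with a link to the protected dir."""
    root = os.path.realpath(tempfile.mkdtemp())
    protected = os.path.join(root, "protected")
    quarantine_sub = os.path.join(root, "quarantine", "sub")
    os.makedirs(protected)
    os.makedirs(quarantine_sub)
    victim = os.path.join(protected, "config.txt")
    with open(victim, "w") as f:
        f.write("constructed: data that must not be deleted\n")
    # the flagged sample carries the same file name as the victim
    detected = os.path.join(quarantine_sub, "config.txt")
    with open(detected, "w") as f:
        f.write("constructed: flagged sample\n")

    def swap_sub_for_link():
        # simulated race: 'sub' becomes a symlink to the protected directory
        os.rename(quarantine_sub, quarantine_sub + ".old")
        os.symlink(protected, quarantine_sub)

    return detected, victim, swap_sub_for_link


def protected_file_survives(delete_fn):
    """Run one deletion routine against the scenario; True if the victim survives."""
    detected, victim, swap = _build_scenario()
    try:
        delete_fn(detected, race_hook=swap)
    except OSError:
        pass                 # a refused delete is the safe outcome
    return os.path.exists(victim)


if __name__ == "__main__":
    print("vulnerable: protected file survives =", protected_file_survives(quarantine_delete_vulnerable))
    print("hardened:   protected file survives =", protected_file_survives(quarantine_delete_hardened))
```

The hardened routine still removes the flagged sample (it now lives under the renamed directory, which the descriptor continues to reference), so the quarantine function keeps its purpose while losing the redirect. On Windows the equivalent discipline is opening the target with reparse-point-aware flags and deleting by handle rather than by path.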

Impact

When chained, these vulnerabilities could allow a threat actor to obtain an arbitrary file write primitive and ultimately gain the capabilities to execute code on a target machine as SYSTEM.

Incident Detection

Security updates addressing these vulnerabilities have been released. Product versions prior to those updates remain vulnerable to exploitation.

Affected Products

Avast and AVG AntiVirus software prior to version 22.11.

Containment, Mitigations & Remediations

The vulnerabilities have been remediated in Avast and AVG AntiVirus version 22.11. As such, users are strongly recommended to ensure that their antivirus software is updated to version 22.11 or later.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

The combined entity of Avast and AVG occupies a significant proportion of the antivirus software market share. Given that threat actors generally weigh the probability of success against asset value when deciding which attack surfaces to focus on, the associated products can emerge as a prime target. Because antivirus software has become an integral aspect of both personal and business operations, threat actors will attempt to exploit vulnerabilities contained within the associated products in an attempt to extract sensitive data and compromise target systems.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Common Weakness Enumeration:
CWE-367 – Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-476 – NULL Pointer Dereference

Further Information

Denis Skvortcov Blog
Norton Security Advisory
