Researchers discovered two high-severity security vulnerabilities, tracked as CVE-2022-26522 and CVE-2022-26523, that affect a driver used by Avast and AVG antivirus solutions.
AV products run as privileged services on Windows devices, such bugs in the very software that is intended to protect users from harm present both an opportunity to attackers and a grave threat to users
The bugs reside in the anti-rootkit kernel driver named aswArPot.sys which is the Avast anti-rootkit, digitally signed by AVAST Software. The driver was introduced in Avast version 12.1, which dates to June 2012.
These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded. The vulnerable routine resides in a socket connection handler used in the kernel driver aswArPot.sys, the issue can be triggered by initiating a socket connection.
The second issue, tracked as CVE-2022-26523, resides in the function at aswArPot+0xbb94 and is very similar to the first vulnerability. These flaws can be exploited to perform a sandbox escape in a second-stage browser attack.
The flaws were reported by SentinelOne on December 20, 2021, and Avast fixed both the issues with the release of antivirus version 22.1 on February 8, 2022.
These issues are not exploited in wild at present. Most Avast and AVG installs will be automatically updated, while air-gapped, or on-premises installs would be manually fixed as soon as possible
This flaw was discovered by security researcher Kasif Dekel at Sentinel one.