CVE-2024-6510 ‒ Local Privilege escalation in AVG Internet Security

Authored by:
Metrics: cve.org

Description

AVG Internet Security is a security product that protects endpoints from malware. The fixed vulnerability enabled attackers with existing access to a system to elevate their privileges to SYSTEM.

Vulnerability

The vulnerability abused a trust relationship between frontend processes running in the context of an unprivileged user and privileged backend processes running as SYSTEM.

It was possible to abuse COM hijacking to inject a DLL into the frontend process of AVG Internet Security. More specifically, this was possible by hijacking the interface with the GUID {807C1E6C-1D00-453f-B920-B61BB7CDD997}. However, one had to bypass an allow list by placing the DLL under C:\Windows\System32\spool\drivers\color.

The frontend process has a trust relationship with the backend processes of AVG Internet Security, which run as SYSTEM. One command that could be issued by the frontend allowed attackers to install an update, packaged as a DLL. Attackers could potentially issue this command to install the update using the DLL they injected via COM hijacking. One had to abuse a time-of-check vs. time-of-use issue to be able to install an update using an unsigned DLL.

Attackers could potentially exploit the update mechanism to gain SYSTEM privileges.
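The two artifacts the advisory names, a per-user COM registration for the hijacked GUID and a foreign DLL in the allow-listed colour-profile directory, can both be checked from the defender's side. The script below is an added example, not part of the advisory or of AVG's tooling; it assumes the hijack is registered in a user's Classes hive (the usual COM hijacking vector) and that reading other users' hives under HKEY_USERS requires an elevated shell.

```powershell
# Added defender-side check for CVE-2024-6510 artifacts. Assumption: the COM
# hijack lives in a per-user Classes hive, which a process running as that
# user consults before HKLM. Run elevated to see all loaded user hives.
$Guid     = '{807C1E6C-1D00-453f-B920-B61BB7CDD997}'                  # GUID from the advisory
$ColorDir = Join-Path $env:SystemRoot 'System32\spool\drivers\color'  # allow-listed path from the advisory
$Findings = @()

# 1. Per-user COM registrations of the GUID (CLSID and Interface subtrees).
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$Candidates = foreach ($Hive in Get-ChildItem HKU:\) {
    # <SID>_Classes is the user's Classes hive itself; <SID>\Software\Classes links to it.
    $Base = if ($Hive.PSChildName -like '*_Classes') { "HKU:\$($Hive.PSChildName)" }
            else { "HKU:\$($Hive.PSChildName)\Software\Classes" }
    foreach ($Sub in 'CLSID', 'Interface') { "$Base\$Sub\$Guid" }
}
foreach ($Key in $Candidates | Select-Object -Unique) {
    if (Test-Path $Key) {
        # Collect default values of all subkeys (e.g. InprocServer32, ProxyStubClsid32) as evidence.
        $Values = Get-ChildItem $Key -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)' } |
            Where-Object { $_ }
        $Findings += [pscustomobject]@{ Type = 'UserHiveComKey'; Location = $Key; Detail = ($Values -join '; ') }
    }
}

# 2. DLLs in the allow-listed directory that lack a valid Authenticode signature.
#    Colour profiles (.icm/.icc) belong here; loadable DLLs normally do not.
if (Test-Path $ColorDir) {
    Get-ChildItem -Path $ColorDir -Filter '*.dll' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $Sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($Sig.Status -ne 'Valid') {
            $Findings += [pscustomobject]@{ Type = 'UnsignedDllInColorDir'; Location = $_.FullName
                                            Detail = "Signature status: $($Sig.Status); written $($_.LastWriteTime)" }
        }
    }
}

if ($Findings.Count -eq 0) { 'No CVE-2024-6510 indicators found.' } else { $Findings | Format-Table -AutoSize -Wrap }
```

A hit in the first check identifies which user account carries the hijack; a hit in the second gives the DLL and its write time to correlate with that user's activity.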

Mitigations

Install a current version of AVG Internet Security. The vulnerability was fixed in version 24.1.

Timeline

Date        Action
15.11.2023  Vendor was contacted and informed about the vulnerability via sec.report@avg.com
22.11.2023  Vendor was contacted and informed about the vulnerability via dach@avg.com
27.11.2023  Vendor was contacted and informed about the vulnerability via support@help.avg.com
29.11.2023  Initial response from vendor
03.01.2024  Email from support stating that they want to address the issue now. However, the writeup on the vulnerability was automatically deleted. We provided the details of the vulnerability again. The writeup was passed on internally
02.02.2024  We asked for a status update, as the deadline, according to our disclosure policy, is approaching
05.02.2024  Vendor provided us with a beta version in which the issue is patched
08.02.2024  Vendor informed us that the issue should now be fixed in the release version 24.1
