Advisories

Vulnerability in AVG Internet Security (CVE-2024-6510)

AVG Internet Security is an antivirus software marketed to consumers.

CVE-2024-6510: Local Privilege Escalation

Local privilege escalation in AVG Internet Security v24 on Windows allows a local unprivileged user to escalate privileges to SYSTEM via COM hijacking.

This was possible by using COM hijacking to execute code in the context of a trusted front-end process. The trust between the front end and the back end was then abused to load a DLL into a process running as SYSTEM, allowing an attacker to execute code as SYSTEM.

For CVE assignment we tried contacting AVG and security@nortonlifelock.com after the fixed release but got no response.

The vulnerability was acknowledged and fixed by AVG within three months.

CVSS Score
7.8 (CVSS v3)

CVSS Vector String
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Version
Versions < 24.1

Fixed Version
24.1

Credits
Kolja Grassmann

Timeline

2023-11-15

Vendor and informed about the vulnerability via sec.report@avg.com

2023-11-22

Second attempt to contact the vendor via dach@avast.com

2023-11-27

Third attempt to contact the vendor via support@help.avg.com

2023-11-29

Initial response from support that they have escalated the issue internally

2024-01-03

Email from support stating that they want to address the issue now. However, the writeup on the vulnerability was automatically deleted in the meantime. We provided the details of the vulnerability again. The writeup was passed on internally.

2024-02-02

We asked for a status update, as the deadline according to our disclosure policy is approaching.

2024-02-05

Vendor provided us with a beta version in which the issue is patched.

2024-02-08

Vendor informed us that the issue should now be fixed in the release version 24.1.

Do you want to protect your systems? Feel free to get in touch with us.

Month: September 2024