CVE-2021-45337 in Avast
Summary
by MITRE • 12/27/2021
Privilege escalation vulnerability in the Self-Defense driver of Avast Antivirus prior to 20.8 allows a local user with SYSTEM privileges to gain elevated privileges by "hollowing" the process wsc_proxy.exe, which could allow the attacker to acquire antimalware (AM-PPL) protection.
Analysis
by VulDB Data Team • 12/31/2021
CVE-2021-45337 is a critical privilege escalation flaw in the Self-Defense driver of Avast Antivirus, affecting versions prior to 20.8. The driver runs in kernel mode to protect Avast's core components from tampering, which makes it an attractive attack surface for a local adversary who already holds SYSTEM privileges. The flaw stems from improper privilege validation in the driver's process manipulation routines, in particular when handling the wsc_proxy.exe process, which belongs to the Windows Security Center service. The attack relies on process hollowing: the attacker replaces the memory contents of a running process while preserving its original memory layout, obtaining a stealthy environment in which to execute code.
The exploit abuses the Self-Defense driver's insufficient validation of process manipulation requests to manipulate wsc_proxy.exe through kernel-level interfaces. The hollowing targets the Windows Security Center proxy service, which runs with elevated privileges to coordinate antimalware protection. An attacker with SYSTEM privileges can thereby bypass the antimalware protection process policy (AM-PPL) that normally prevents malicious code from accessing or modifying antimalware components. Because the driver fails to verify the integrity of process manipulation requests at the kernel level, the flaw opens a path to full control over the antimalware protection subsystem.
The operational impact goes beyond simple privilege escalation: the flaw undermines the security model of Windows antimalware protection. A successful attacker can manipulate the Windows Security Center's antimalware protection policies and potentially disable or modify the security controls meant to stop malicious activity. In enterprise environments where Avast is deployed across many systems, a single compromised host could be used to compromise the antimalware protection infrastructure as a whole. Since exploitation requires only local SYSTEM access, the flaw can be leveraged by malware already present on the system or by any other initial compromise that reaches SYSTEM-level privileges.
The vulnerability maps to CWE-276, which describes improper privileges, and aligns with ATT&CK technique T1068, which covers local privilege escalation through process hollowing. The attack chain shows how a kernel-level driver flaw can be used to bypass Windows security controls, in particular the antimalware protection process policy that keeps malicious code away from antimalware components. Organizations should update to Avast version 20.8 or later, which fixes the privilege validation issues in the Self-Defense driver. Administrators should additionally monitor for process hollowing activity and implement process integrity checks. The case underlines the importance of proper kernel-mode privilege validation and shows that even well-integrated security products can contain critical flaws that undermine their own protection. Regular security assessments of kernel-mode drivers and privileged code paths should be mandatory for every security software vendor.
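As an added illustration of the monitoring advice above (example code written for this page, not Avast's or VulDB's), the following Python triages Sysmon-style ProcessCreate (Event ID 1) and ProcessAccess (Event ID 10) records for two signs that wsc_proxy.exe is being hollowed: a wsc_proxy.exe started by a parent outside the Avast directory, and a handle to wsc_proxy.exe that carries the memory-write and suspend/resume rights hollowing needs. The Avast install path, the field names and the sample events are assumptions.

```python
from typing import Dict, List

TARGET = "wsc_proxy.exe"
# Assumed default Avast install directory; adjust for non-default installs.
TRUSTED_PREFIX = "c:\\program files\\avast software\\avast\\"

# Process access rights from winnt.h. Hollowing must write the target's memory,
# change its mappings and resume its suspended thread.
RIGHTS = {"PROCESS_VM_OPERATION": 0x0008, "PROCESS_VM_READ": 0x0010,
          "PROCESS_VM_WRITE": 0x0020, "PROCESS_SUSPEND_RESUME": 0x0800}
HOLLOW_MASK = 0x0008 | 0x0020 | 0x0800  # VM_OPERATION | VM_WRITE | SUSPEND_RESUME

def decode_access(mask: int) -> List[str]:
    """Name the rights set in a GrantedAccess mask; unlisted bits are ignored."""
    return [name for name, bit in RIGHTS.items() if mask & bit]

def is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIX)

def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding per suspicious event, in input order."""
    findings = []
    for ev in events:
        if ev["EventID"] == "1" and ev["Image"].lower().endswith(TARGET):
            # Legitimate wsc_proxy.exe is started by Avast's own binaries.
            if not is_trusted(ev["ParentImage"]):
                findings.append(f"pid {ev['ProcessId']}: {TARGET} spawned by "
                                f"untrusted parent {ev['ParentImage']}")
        elif ev["EventID"] == "10" and ev["TargetImage"].lower().endswith(TARGET):
            mask = int(ev["GrantedAccess"], 16)
            if (mask & HOLLOW_MASK) == HOLLOW_MASK and not is_trusted(ev["SourceImage"]):
                findings.append(f"pid {ev['SourceProcessId']}: {ev['SourceImage']} "
                                f"opened {TARGET} with {'|'.join(decode_access(mask))}")
    return findings

# Constructed sample records: a benign start, a suspicious start, a full-access
# handle from an untrusted image, and a harmless query-only handle.
AVAST = "C:\\Program Files\\Avast Software\\Avast\\"
SAMPLE_EVENTS = [
    {"EventID": "1", "ProcessId": "4120", "Image": AVAST + TARGET,
     "ParentImage": AVAST + "AvastSvc.exe"},
    {"EventID": "1", "ProcessId": "5232", "Image": AVAST + TARGET,
     "ParentImage": "C:\\Users\\Public\\loader.exe"},
    {"EventID": "10", "SourceProcessId": "5100", "TargetImage": AVAST + TARGET,
     "SourceImage": "C:\\Users\\Public\\loader.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": "10", "SourceProcessId": "900", "TargetImage": AVAST + TARGET,
     "SourceImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x1000"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns two findings, one for the wsc_proxy.exe started by the untrusted loader (pid 5232) and one for the full-access handle opened by that loader (pid 5100); the Avast-spawned instance and the query-only handle are not reported.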