CVE-2021-45339 in Avast
Summary
by MITRE • 12/27/2021
Privilege escalation vulnerability in Avast Antivirus prior to 20.4 allows a local user to gain elevated privileges by "hollowing" trusted process which could lead to the bypassing of Avast self-defense.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 12/31/2021
This privilege escalation vulnerability in Avast Antivirus affects versions prior to 20.4 and represents a critical security flaw that enables local attackers to elevate their privileges through a technique known as process hollowing. The vulnerability specifically targets Avast's self-defense mechanisms, which are designed to protect the antivirus software from unauthorized modifications and tampering. When an attacker performs process hollowing on a trusted Avast process, they can inject malicious code into the memory space of the legitimate process while maintaining its original execution flow. This technique allows the malicious code to operate with the elevated privileges and permissions of the trusted process, effectively bypassing the antivirus's built-in protection mechanisms.
The technical implementation of this vulnerability stems from insufficient validation of process integrity and trust relationships within Avast's architecture. Process hollowing involves creating a new process in a suspended state, replacing its memory with malicious code, and then resuming execution. In the context of Avast, this technique exploits the trust model where legitimate Avast processes are granted elevated privileges, but the software fails to properly verify that these processes remain unmodified throughout their execution lifecycle. This weakness creates a window of opportunity for attackers to inject code into trusted processes without triggering the antivirus's self-defense protocols that should normally detect and prevent such modifications.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it fundamentally undermines the security posture of systems protected by Avast Antivirus. Attackers who successfully exploit this vulnerability can bypass not only the antivirus's core protection mechanisms but also potentially access sensitive system resources, modify critical files, and establish persistent backdoors. The bypass of Avast's self-defense capabilities means that the malicious code can operate undetected while maintaining elevated privileges, making it particularly dangerous for enterprise environments where Avast is commonly deployed. This vulnerability essentially transforms the antivirus software from a protective barrier into a potential attack vector, as the malicious code can leverage the trusted process context to evade detection by other security controls.
From a cybersecurity perspective, this vulnerability aligns with attack patterns documented in the attack tree framework and can be mapped to multiple ATT&CK techniques including privilege escalation through process hollowing, persistence via trusted process relationships, and defense evasion by bypassing security software. The Common Weakness Enumeration classification for this type of vulnerability would fall under CWE-159, which deals with improper handling of trust relationships, or potentially CWE-78, which addresses improper neutralization of special elements used in OS commands. Organizations should immediately update to Avast version 20.4 or later to remediate this vulnerability, while also implementing additional monitoring for suspicious process hollowing activities and verifying the integrity of critical system processes through regular audits. Security teams should consider implementing behavioral monitoring solutions that can detect anomalous process creation and memory modification patterns that may indicate exploitation attempts.