Login Sign Up

CVE-2019-18979

7.8 HIGH

📋 TL;DR

This vulnerability in Adaware antivirus allows local attackers to escalate privileges by exploiting a flaw in the quarantine mechanism. Attackers can use NTFS directory junctions to restore malicious DLLs from quarantine into the system32 folder, gaining SYSTEM-level access. This affects users running vulnerable versions of Adaware antivirus on Windows systems.

💻 Affected Systems

Products:
  • Adaware Antivirus
Versions: 12.6.1005.11662 and 12.7.1055.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires NTFS file system and local access to the system. The antivirus must be installed and running.

📦 What is this software?

Adaware Antivirus by Claranova

View all CVEs affecting Adaware Antivirus →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full SYSTEM-level privilege escalation allowing complete system compromise, installation of persistent malware, credential theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation enabling attackers to bypass security controls, install additional malware, or gain persistence on compromised systems.

🟢

If Mitigated

Limited impact if proper access controls, application whitelisting, and least privilege principles are enforced, though the vulnerability still provides a foothold for attackers.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Once an attacker gains initial access to a system (even with low privileges), they can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is relatively straightforward using NTFS directory junctions. The technique is well-documented in the referenced articles.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 12.7.1055.0

Vendor Advisory: Not publicly documented in vendor advisory

Restart Required: Yes

Instructions:

1. Open Adaware antivirus. 2. Check for updates in settings. 3. Install available updates. 4. Restart the system to ensure changes take effect.

🔧 Temporary Workarounds

Disable or uninstall Adaware

windows

Remove the vulnerable software entirely

Control Panel > Programs > Uninstall a program > Select Adaware > Uninstall

Restrict NTFS junction creation

windows

Limit ability to create directory junctions via group policy

🧯 If You Can't Patch

  • Implement application whitelisting to prevent unauthorized DLL execution
  • Enforce least privilege principles and restrict local administrator access

🔍 How to Verify

Check if Vulnerable:

Check Adaware version in Help > About or Programs and Features. If version is 12.6.1005.11662 or 12.7.1055.0, system is vulnerable.

Check Version:

wmic product where name="Adaware" get version

Verify Fix Applied:

Verify Adaware version is higher than 12.7.1055.0 and test the exploit technique (in controlled environment) to confirm it no longer works.

📡 Detection & Monitoring

Log Indicators:

  • Unusual DLL writes to system32 folder
  • Adaware quarantine restoration events
  • NTFS junction creation in unusual locations

Network Indicators:

  • None - this is a local privilege escalation

SIEM Query:

EventID=11 (FileCreate) AND TargetObject LIKE '%system32%' AND ProcessName LIKE '%adaware%'

📊 Metadata

CVE ID: CVE-2019-18979
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: March 18, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON