CVE-2020-37037
📋 TL;DR
CVE-2020-37037 is an unquoted service path vulnerability in Avast SecureLine VPN client that allows local attackers to execute arbitrary code with SYSTEM privileges. This affects users running Avast SecureLine 5.5.522.0 on Windows systems. Attackers need local access to the system to exploit this vulnerability.
💻 Affected Systems
- Avast SecureLine VPN
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with LocalSystem privileges, allowing complete control over the affected system, installation of persistent malware, credential theft, and lateral movement within the network.
Likely Case
Local privilege escalation where an authenticated user with limited privileges gains SYSTEM-level access to install programs, modify system settings, or access protected data.
If Mitigated
Limited impact if proper endpoint protection, application whitelisting, and least privilege principles are enforced, preventing unauthorized code execution.
🎯 Exploit Status
Exploit requires local access and ability to create files in writable directories along the unquoted service path. Public exploit code is available on Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 5.5.522.0
Vendor Advisory: https://www.avast.com/
Restart Required: Yes
Instructions:
1. Open Avast SecureLine VPN.
2. Go to Menu → Settings → Update.
3. Click 'Check for updates'.
4. Install any available updates.
5. Restart the system to ensure the service is running with the updated configuration.
🔧 Temporary Workarounds
Manually quote service path
Windows: Modify the service configuration to use quoted paths in the service executable path
sc config "Avast SecureLine Service" binPath= "\"C:\Program Files\Avast Software\SecureLine\SecureLineService.exe\""
Remove vulnerable directories
Windows: Remove or secure writable directories in the service path to prevent file placement
Remove or restrict write permissions on directories like C:\Program, C:\Program Files, or C:\Program Files\Avast
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized binaries
- Enforce least privilege principles and restrict local user permissions to prevent file creation in service path directories
🔍 How to Verify
Check if Vulnerable:
Check service configuration: sc qc "Avast SecureLine Service" and look for unquoted paths containing spaces in the BINARY_PATH_NAME field
Check Version:
Check Avast SecureLine version in the application interface or via: wmic product where "name like 'Avast SecureLine%'" get version
Verify Fix Applied:
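Verify service path is quoted: sc qc "Avast SecureLine Service" should show a BINARY_PATH_NAME enclosed in double quotes, like "C:\Program Files\Avast Software\SecureLine\SecureLineService.exe" (the \" escaping is only needed when typing the sc config command, it does not appear in the sc qc output)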
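The check above, extended to every service on the host, as an added example (not code from the vendor or from this advisory): it flags unquoted executable paths that contain spaces and lists the directories whose write permissions should be reviewed. The function name Test-UnquotedServicePath and the sample strings are assumptions made for illustration.

```powershell
# Added example. Function name and sample strings are illustrative assumptions.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $null }          # already quoted

    # Executable portion: everything up to the first ".exe" followed by space or end.
    $m = [regex]::Match($p, '^(?<exe>.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    $exe = $m.Groups['exe'].Value
    if ($exe -notmatch ' ') { return $null }          # spaces only in arguments: fine

    # Every space in the executable path makes the path ambiguous. The directory
    # holding the text before that space must not be writable by standard users.
    $dirs = @()
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') {
            $parent = Split-Path -Path $exe.Substring(0, $i) -Parent
            if ($parent -and ($dirs -notcontains $parent)) { $dirs += $parent }
        }
    }
    [pscustomobject]@{ Executable = $exe; DirectoriesToAudit = $dirs }
}

# Constructed sample values (the first is the path quoted in this advisory).
$samples = @(
    'C:\Program Files\Avast Software\SecureLine\SecureLineService.exe',
    '"C:\Program Files\Avast Software\SecureLine\SecureLineService.exe"',
    'C:\Windows\System32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    $r = Test-UnquotedServicePath -PathName $s
    if ($r) { "UNQUOTED  $s  -> audit: $($r.DirectoriesToAudit -join '; ')" }
    else    { "ok        $s" }
}

# Live audit of the local machine (read-only).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $r = Test-UnquotedServicePath -PathName $_.PathName
        if ($r) {
            [pscustomobject]@{
                Service = $_.Name; RunsAs = $_.StartName; PathName = $_.PathName
                DirectoriesToAudit = $r.DirectoriesToAudit -join '; '
            }
        }
    }
```

Review each reported directory with icacls and confirm that standard users cannot create files there.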
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing service startup failures
- Unexpected processes running as SYSTEM from unusual locations
- File creation events in service path directories
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
EventID=7045 OR (EventID=4688 AND NewProcessName CONTAINS 'Avast' AND IntegrityLevel='System')