CVE-2021-45337

8.8 HIGH

📋 TL;DR

A privilege escalation vulnerability in the Self-Defense driver of Avast Antivirus allows a local user who already holds SYSTEM privileges to escalate further by hollowing the wsc_proxy.exe process. This could lead to acquiring antimalware protected process light (AM-PPL) protection, bypassing security controls. Affects Avast Antivirus versions prior to 20.8.

💻 Affected Systems

Products:
  • Avast Antivirus
Versions: Versions prior to 20.8
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local access and SYSTEM privileges to exploit. Affects the Self-Defense driver component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with SYSTEM privileges could gain full control over the antimalware protection, disable security features, and execute arbitrary code with highest privileges.

🟠 Likely Case

Malicious local users or malware with SYSTEM access could escalate privileges to bypass antivirus protections and maintain persistence.

🟢 If Mitigated

With proper patch management and least privilege principles, impact is limited to systems where attackers already have SYSTEM access.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring SYSTEM access, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Local attackers or malware with SYSTEM privileges can exploit this to bypass security controls and gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires SYSTEM privileges and involves process hollowing techniques. Public disclosure includes technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 20.8 and later

Vendor Advisory: https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast-0

Restart Required: Yes

Instructions:

1. Open Avast Antivirus.
2. Navigate to Settings > Update.
3. Click 'Update' to download the latest version.
4. Restart the computer when prompted.

🔧 Temporary Workarounds

Disable Self-Defense (Not Recommended)

windows

Temporarily disable Self-Defense feature to mitigate vulnerability, but reduces security.

Right-click Avast tray icon > Avast shields control > Disable until computer is restarted

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from obtaining SYSTEM privileges
  • Monitor for suspicious process hollowing activity targeting wsc_proxy.exe

🔍 How to Verify

Check if Vulnerable:

Check Avast version: Open Avast > Menu > About. If version is below 20.8, system is vulnerable.

Check Version:

wmic product where "name like 'Avast%'" get version

Verify Fix Applied:

Verify Avast version is 20.8 or higher and check that Self-Defense feature is functioning normally.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation/modification of wsc_proxy.exe
  • Avast Self-Defense driver access violations

Network Indicators:

  • None - local exploitation only

SIEM Query:

Process Creation where (Image contains 'wsc_proxy.exe' AND ParentImage contains unusual process) OR (Process Hollowing detection events)
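
The pseudo-query above, written out as an added Python example (not part of the original advisory) that triages Sysmon-style events: Event ID 1 (ProcessCreate) for an unexpected parent or path, and Event ID 25 (ProcessTampering) for a replaced image. The install path, the expected parent, and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumptions, not from the advisory: the install path and the expected
# parent of wsc_proxy.exe. Replace both with your own known-good baseline.
EXPECTED_IMAGE = r"c:\program files\avast software\avast\wsc_proxy.exe"
EXPECTED_PARENTS = {r"c:\windows\system32\services.exe"}
TARGET = "wsc_proxy.exe"

def triage(event):
    """Return the reasons an event is suspicious (empty list if none)."""
    image = event.get("Image", "").lower()
    if ntpath.basename(image) != TARGET:
        return []
    reasons = []
    if event.get("EventID") == 1:  # Sysmon ProcessCreate
        if image != EXPECTED_IMAGE:
            reasons.append("unexpected image path")
        if event.get("ParentImage", "").lower() not in EXPECTED_PARENTS:
            reasons.append("unexpected parent")
    elif event.get("EventID") == 25:  # Sysmon ProcessTampering
        if event.get("Type") == "Image is replaced":
            reasons.append("image replaced in memory")
    return reasons

def scan(events):
    """Return (host, reasons) for every event that triage() flags."""
    return [(e["Host"], r) for e in events if (r := triage(e))]

AVAST = r"C:\Program Files\Avast Software\Avast\wsc_proxy.exe"
SERVICES = r"C:\Windows\System32\services.exe"
# Constructed sample events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"Host": "ws-01", "EventID": 1, "Image": AVAST, "ParentImage": SERVICES},
    {"Host": "ws-02", "EventID": 1, "Image": AVAST,
     "ParentImage": r"C:\Users\Public\helper.exe"},
    {"Host": "ws-02", "EventID": 25, "Image": AVAST,
     "Type": "Image is replaced"},
    {"Host": "ws-03", "EventID": 1, "Image": r"C:\Temp\wsc_proxy.exe",
     "ParentImage": SERVICES},
    {"Host": "ws-04", "EventID": 1, "Image": r"C:\Windows\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS):
        print(host, "; ".join(reasons))
```

Matching on the full path as well as the file name catches a same-named binary launched from another directory, which a name-only `contains` filter would treat as legitimate.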
