CVE-2021-45339 – This CVE describes a local privilege escalation... (How to Fix)

Q: What is the severity of CVE-2021-45339?

CVE-2021-45339 has a CVSS score of 7.8 (HIGH). This CVE describes a local privilege escalation vulnerability in Avast Antivirus where an attacker with local access can bypass Avast's self-defense mechanisms by hollowing trusted processes. This allows a low-privileged user to gain SYSTEM-level privileges on the affected system. Only users running vulnerable versions of Avast Antivirus are affected.

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in Avast Antivirus where an attacker with local access can bypass Avast's self-defense mechanisms by hollowing trusted processes. This allows a low-privileged user to gain SYSTEM-level privileges on the affected system. Only users running vulnerable versions of Avast Antivirus are affected.

💻 Affected Systems

Products:

Avast Antivirus
AVG Antivirus

Versions: Versions prior to 20.4

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected versions are vulnerable. Both Avast and AVG products share the same codebase and are affected.

📦 What is this software?

Antivirus by Avast

View all CVEs affecting Antivirus →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains full SYSTEM privileges on the machine, enabling complete system compromise, installation of persistent malware, credential theft, and lateral movement within the network.

🟠

Likely Case

Local attackers or malware with initial foothold escalate privileges to bypass security controls, disable antivirus protection, and establish persistence.

🟢

If Mitigated

With proper patching, the vulnerability is eliminated; with network segmentation and least privilege, impact is limited to isolated systems.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access; not directly exploitable over the internet.

🏢 Internal Only: HIGH - Local attackers or malware with initial access can exploit this to gain full system control on vulnerable endpoints.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and some technical skill. Public proof-of-concept code exists in GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 20.4 and later

Vendor Advisory: https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast-0

Restart Required: Yes

Instructions:

1. Open Avast/AVG Antivirus. 2. Go to Menu → Settings → Update. 3. Click 'Update' to check for updates. 4. Install any available updates. 5. Restart the computer when prompted.

🔧 Temporary Workarounds

Disable vulnerable component

windows

Temporarily disable Avast self-defense feature (not recommended as it reduces security)

Right-click Avast tray icon → Avast shields control → Disable until computer is restarted

🧯 If You Can't Patch

Implement strict least privilege principles to limit local user access
Monitor for process hollowing techniques using EDR/antivirus tools

🔍 How to Verify

Check if Vulnerable:

Check Avast/AVG version in the application interface (Menu → About) or via 'wmic product get name,version' command

Check Version:

wmic product where "name like '%Avast%' or name like '%AVG%'" get name,version

Verify Fix Applied:

Confirm version is 20.4 or higher in Avast/AVG interface

📡 Detection & Monitoring

Log Indicators:

Unusual process creation events, especially from low-privilege users spawning SYSTEM-level processes
Avast service interruption logs

Network Indicators:

None - this is a local attack

SIEM Query:

Process Creation where (ParentImage contains 'avast' OR ParentImage contains 'avg') AND IntegrityLevel='System' AND User NOT IN ('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')

📊 Metadata

CVE ID: CVE-2021-45339

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-863

Published: December 27, 2021

Last Updated: November 21, 2024

🔗 References

https://github.com/the-deniss/Vulnerability-Disclosures/tree/main/CVE-2021-AVST0 Exploit,Third Party Advisory
https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast-0 Vendor Advisory
https://github.com/the-deniss/Vulnerability-Disclosures/tree/main/CVE-2021-AVST0 Exploit,Third Party Advisory
https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast-0 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-45339, you might also want to check these: