CVE-2023-5760

8.2 HIGH

📋 TL;DR

A time-of-check to time-of-use (TOCTOU) vulnerability in Avast/AVG Antivirus allows local attackers to perform out-of-bounds writes through IOCTL requests, leading to privilege escalation. This affects users running Avast/AVG Antivirus version 23.8 on their systems.

💻 Affected Systems

Products:
  • Avast Antivirus
  • AVG Antivirus
Versions: 23.8
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects version 23.8 of Avast/AVG Antivirus. Other versions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full local privilege escalation allowing an attacker to gain SYSTEM/root-level access and completely compromise the host.

🟠 Likely Case: Local privilege escalation from a standard user account to administrator/root privileges.

🟢 If Mitigated: Limited impact if the affected antivirus is not installed or has been patched to a fixed version; local access would still be required in any case.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to exploit.
🏢 Internal Only: HIGH - Malicious insiders or attackers with initial local access could exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and knowledge of TOCTOU exploitation techniques. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 23.9 or later

Vendor Advisory: https://support.norton.com/sp/static/external/tools/security-advisories.html

Restart Required: Yes

Instructions:

1. Open Avast/AVG Antivirus.
2. Navigate to Settings > Update.
3. Click 'Update' to download and install the latest version.
4. Restart your computer when prompted.

🔧 Temporary Workarounds

Disable Avast/AVG Antivirus

Platform: Windows

Temporarily disable the antivirus software to prevent exploitation (not recommended for production environments).

Right-click Avast/AVG tray icon > Avast shields control > Disable for 10 minutes/1 hour/until computer restart

🧯 If You Can't Patch

  • Restrict local user access to systems running vulnerable Avast/AVG versions
  • Implement application whitelisting to prevent unauthorized process execution

🔍 How to Verify

Check if Vulnerable:

Check Avast/AVG version in the application interface (Menu > About) or via Control Panel > Programs and Features.

Check Version:

wmic product where "name like 'Avast%' or name like 'AVG%'" get version

Verify Fix Applied:

Verify the version is 23.9 or higher in the application interface.
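An added PowerShell check, not part of the original advisory, that reads installed Avast/AVG entries from the Windows Uninstall registry keys instead of `wmic product` (which triggers an MSI consistency check on every installed package and is slow) and classifies each against the 23.8 affected / 23.9 fixed versions stated above. It assumes the products register a DisplayName beginning with "Avast" or "AVG" and a numeric DisplayVersion.

```powershell
# Added example (not from the advisory): enumerate installed Avast/AVG products from the
# Uninstall registry keys and compare against the versions the advisory gives.
# Assumption: the products register a DisplayName starting with "Avast" or "AVG".
$FixedVersion    = [version]'23.9'   # "23.9 or later" is fixed
$AffectedVersion = [version]'23.8'   # only 23.8 is listed as affected

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Avast*' -or $_.DisplayName -like 'AVG*' } |
    Where-Object { $_.DisplayVersion }

if (-not $products) {
    Write-Output 'No Avast/AVG product found in the Uninstall registry keys.'
    return
}

foreach ($p in $products) {
    # DisplayVersion may carry a build suffix; keep only the leading dotted-numeric part.
    $parsed = $null
    $clean  = $p.DisplayVersion -replace '[^0-9.].*$', ''
    if (-not [version]::TryParse($clean, [ref]$parsed)) {
        Write-Output ("{0}: unparseable version '{1}', check manually" -f $p.DisplayName, $p.DisplayVersion)
        continue
    }

    if ($parsed -ge $FixedVersion) {
        $status = 'FIXED (23.9 or later)'
    } elseif ($parsed.Major -eq $AffectedVersion.Major -and $parsed.Minor -eq $AffectedVersion.Minor) {
        $status = 'VULNERABLE (23.8) - update to 23.9 or later and restart'
    } else {
        $status = 'Not listed as affected (not 23.8); confirm against the vendor advisory'
    }

    [pscustomobject]@{
        Product = $p.DisplayName
        Version = $p.DisplayVersion
        Status  = $status
    }
}
```

Run it in an elevated or standard PowerShell session on each host; it reads the registry only and changes nothing.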

📡 Detection & Monitoring

Log Indicators:

  • Unusual IOCTL requests to Avast/AVG drivers
  • Privilege escalation attempts from standard user accounts

Network Indicators:

  • None - this is a local exploitation vulnerability

SIEM Query:

EventID=4688 AND ParentProcessName LIKE '%avast%' AND (NewProcessName LIKE '%cmd.exe%' OR NewProcessName LIKE '%powershell.exe%')
