CVE-2024-13960
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in the AVG TuneUp service on Windows 10. An attacker with local access can win a TOCTTOU (time-of-check to time-of-use) race on a file the service touches, redirecting it through a symbolic link so that the service, running as SYSTEM, operates on an attacker-chosen path and ultimately executes attacker-controlled code with SYSTEM privileges. The published description names AVG TuneUp version 23.4 (build 15592) on Windows 10 as the tested affected build; no fixed version or complete affected range is given.
💻 Affected Systems
- AVG TuneUp
⚠️ Manual Verification Required
The CVE entry names a single tested build (23.4, build 15592) but no version range, so automatic vulnerability detection cannot decide from version data alone whether your system is affected.
Why? The NVD record carries no vendor-supplied affected or fixed version ranges, only the build the researcher tested.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, persistence installation, credential theft, and lateral movement.
Likely Case
Malicious local user or malware with initial foothold escalates to SYSTEM to bypass security controls, install backdoors, or disable security software.
If Mitigated
If AVG TuneUp is uninstalled or its service is disabled, the race cannot be triggered. Where the product must stay installed, process-creation auditing (Event ID 4688 with command-line logging) makes an attempt visible as the TuneUp service spawning an unexpected SYSTEM child, so it can be contained before persistence is established.
🎯 Exploit Status
Requires local access and knowledge of TOCTTOU/symbolic link exploitation techniques. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for latest patched version
Vendor Advisory: https://www.gendigital.com/us/en/contact-us/security-advisories/
Restart Required: Yes
Instructions:
1. Visit the vendor advisory URL.
2. Download and install the latest version of AVG TuneUp.
3. Restart the system so the service loads the updated binary; until then the old image keeps running.
🔧 Temporary Workarounds
Disable AVG TuneUp Service
Temporarily disable the vulnerable TuneUp service so the race cannot be triggered. Note that sc.exe takes the service's key name, which can differ from the display name shown in services.msc; confirm the name first (for example with sc query) and run from an elevated prompt.
sc stop "AVG TuneUp Service"
sc config "AVG TuneUp Service" start= disabled
Remove Symbolic Link Privileges
Restrict creation of symbolic links to administrators only via Group Policy. Windows already grants this right (SeCreateSymbolicLinkPrivilege) only to Administrators by default; Developer Mode extends it to all users, which is the case worth checking. This right only gates NTFS file symlinks: NTFS junctions and object-manager symbolic links do not require it and are the usual primitives for Windows link-following races, so treat this as a partial control rather than a fix.
gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Create symbolic links -> Remove all users except Administrators
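The two workarounds above as one PowerShell script, added here as an example and not taken from the vendor advisory. It locates the TuneUp service by name pattern rather than by a hard-coded display name, records its binary path, stops and disables it, and then shows whether the current user holds the symbolic-link right. The '*TuneUp*' pattern is an assumption; adjust it if the installed service is named differently. Run from an elevated prompt.

```powershell
# Added example, not from the advisory. Assumes the service key or display
# name contains "TuneUp"; the WQL LIKE pattern is an assumption.
$svcs = Get-CimInstance Win32_Service -Filter "Name LIKE '%TuneUp%' OR DisplayName LIKE '%TuneUp%'"
if (-not $svcs) { Write-Warning 'No TuneUp service found'; return }

foreach ($s in $svcs) {
    "{0} ({1}) state={2} start={3}`n  binary: {4}" -f $s.Name, $s.DisplayName, $s.State, $s.StartMode, $s.PathName
    # Equivalent to 'sc stop <Name>' and 'sc config <Name> start= disabled'.
    # sc.exe wants the key name ($s.Name), not the display name.
    Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $s.Name -StartupType Disabled
}

# Symbolic-link right for the current token. Only Administrators hold
# SeCreateSymbolicLinkPrivilege by default; Developer Mode grants it to
# everyone. The right does not cover NTFS junctions or object-manager
# symlinks, so an empty result here does not rule out a link-following race.
whoami /priv | Select-String 'SeCreateSymbolicLinkPrivilege'
```

Re-enable later with `Set-Service -Name <Name> -StartupType Automatic` followed by `Start-Service`, once the patched build is installed.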
🧯 If You Can't Patch
- Uninstall AVG TuneUp completely from affected systems
- Implement strict local access controls and monitor for suspicious privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the AVG TuneUp version in the program settings or in Control Panel > Programs and Features. If the version is 23.4 (build 15592), the system is vulnerable. For any other build, consult the vendor advisory: the CVE entry gives no fixed version, so a different version number does not by itself mean the issue is resolved.
Check Version:
wmic product where "name like 'AVG TuneUp%'" get name,version
(Note: querying Win32_Product makes Windows Installer re-validate every MSI package on the host, which is slow and can trigger repair actions, and wmic itself is deprecated and absent from recent Windows 11 builds. Reading the Uninstall registry keys is the safer check.)
Verify Fix Applied:
Verify that the installed AVG TuneUp version is the one the vendor advisory lists as fixed, not merely a build other than 23.4 (build 15592), and that the service process is running the updated binary: compare the service's configured image path and file version with the path of the running process. A mismatch means the reboot or service restart is still pending and the old code is still serving requests.
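An added PowerShell check covering both the version lookup and the running-binary verification (this is example code, not the vendor's tooling). It reads the installed version from the Uninstall registry keys instead of wmic, flags the build the CVE names, and compares the service's on-disk image with the process actually running. The 'AVG TuneUp*' display-name pattern, the '*TuneUp*' service pattern, and the assumption that the registry DisplayVersion ends with the build number are all assumptions to confirm on a real install.

```powershell
# Added example, not from the advisory. Run from an elevated prompt.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

function Get-TuneUpInstall {
    # Display-name pattern is an assumption.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'AVG TuneUp*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-VulnerableBuild {
    param([string]$DisplayVersion)
    # The CVE names 23.4 build 15592. Assumes DisplayVersion is dotted with the
    # build as its last component. Any other string is "unknown", because the
    # entry lists no fixed version.
    $parts = $DisplayVersion -split '\.'
    if ($parts.Count -ge 3 -and $parts[0] -eq '23' -and $parts[1] -eq '4' -and $parts[-1] -eq '15592') {
        return 'VULNERABLE'
    }
    return 'UNKNOWN - compare against the vendor advisory'
}

$installs = Get-TuneUpInstall
if (-not $installs) { 'AVG TuneUp not found in Uninstall keys' }
foreach ($app in $installs) {
    "{0} {1}: {2}" -f $app.DisplayName, $app.DisplayVersion, (Test-VulnerableBuild $app.DisplayVersion)
}

# On-disk service image vs. the image actually running. After an update, a
# different running path or an older file version means a restart is pending.
foreach ($svc in Get-CimInstance Win32_Service -Filter "Name LIKE '%TuneUp%' OR DisplayName LIKE '%TuneUp%'") {
    # PathName may be quoted and carry arguments; pull out the executable.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $onDisk  = (Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue).VersionInfo.FileVersion
    $running = if ($svc.ProcessId) { (Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue).Path } else { '<not running>' }
    "{0}: disk={1} (file version {2}) running={3}" -f $svc.Name, $exe, $onDisk, $running
}
```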
📡 Detection & Monitoring
Log Indicators:
- Link creation in directories the service writes to. Windows has no dedicated symbolic-link audit event; enable Object Access auditing on those directories (Event IDs 4656/4663) or use Sysmon Event ID 11 (FileCreate) to see files appearing there from low-privileged processes shortly before the service acts on them
- AVG TuneUp service spawning unexpected child processes with SYSTEM privileges
- Process creation from AVG TuneUp service to unusual locations
Network Indicators:
- No direct network indicators as this is local exploitation
SIEM Query:
EventID=4688 AND ParentProcessName="*TuneUp*" AND SubjectUserSid="S-1-5-18" AND NewProcessName NOT IN (expected_children) AND CommandLine CONTAINS suspicious_pattern
(The parent field, not NewProcessName, identifies children of the service; SYSTEM is matched on SID S-1-5-18 because SubjectUserName for SYSTEM in 4688 is the machine account, e.g. HOST$. CommandLine is only populated when "Include command line in process creation events" is enabled.)
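The same detection logic as an added PowerShell example (not part of the original page): a filter that flags processes whose parent is the TuneUp service binary, that run as SYSTEM, and that are not on a short allow-list, run first over constructed sample records in the shape of 4688 event fields and then over the live Security log. The allow-list, the `*TuneUp*` parent-path pattern, and the sample path `C:\Program Files\AVG\TuneUp\TuneUpSvc.exe` are assumptions; the sample events are constructed, not real telemetry.

```powershell
# Added example, not from the original page. Allow-list and path patterns
# are assumptions to tune per environment.
$AllowedChildren = @('conhost.exe')

function Test-SuspiciousChild {
    # $Event is any object exposing 4688 field names as properties.
    param([Parameter(Mandatory)] $Event)
    $parentIsTuneUp = $Event.ParentProcessName -like '*TuneUp*'
    $asSystem       = $Event.SubjectUserSid -eq 'S-1-5-18'   # SYSTEM, independent of SubjectUserName
    $leaf           = (Split-Path -Leaf $Event.NewProcessName).ToLowerInvariant()
    $unexpected     = $AllowedChildren -notcontains $leaf
    return ($parentIsTuneUp -and $asSystem -and $unexpected)
}

# Constructed sample events (not real telemetry). Only the first should match:
# a SYSTEM cmd.exe spawned by the service. The conhost child is allow-listed
# and the third record is an ordinary user shell under explorer.exe.
$samples = @(
    [pscustomobject]@{ SubjectUserSid='S-1-5-18'; ParentProcessName='C:\Program Files\AVG\TuneUp\TuneUpSvc.exe'
                       NewProcessName='C:\Windows\System32\cmd.exe';     CommandLine='cmd.exe /c whoami > C:\out.txt' }
    [pscustomobject]@{ SubjectUserSid='S-1-5-18'; ParentProcessName='C:\Program Files\AVG\TuneUp\TuneUpSvc.exe'
                       NewProcessName='C:\Windows\System32\conhost.exe'; CommandLine='conhost.exe 0x4' }
    [pscustomobject]@{ SubjectUserSid='S-1-5-21-1-2-3-1001'; ParentProcessName='C:\Windows\explorer.exe'
                       NewProcessName='C:\Windows\System32\cmd.exe';     CommandLine='cmd.exe' }
)
'--- sample hits ---'
$samples | Where-Object { Test-SuspiciousChild $_ } | Format-Table ParentProcessName, NewProcessName, CommandLine

# Live query: flatten 4688 EventData into the same shape. Requires Audit
# Process Creation; CommandLine is empty unless command-line logging is on.
function Get-Recent4688 {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{ TimeCreated = $_.TimeCreated }
            foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
            [pscustomobject]$d
        }
}
'--- live hits (last 24h) ---'
Get-Recent4688 | Where-Object { Test-SuspiciousChild $_ } | Format-Table TimeCreated, ParentProcessName, NewProcessName, CommandLine
```

Tune `$AllowedChildren` by baselining what the service normally launches on a clean host before relying on the filter for alerting.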