CVE-2024-13962
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Avast Cleanup Premium's TuneupSvc service on Windows. Attackers with local access can exploit a TOCTTOU race condition via symbolic links to execute arbitrary code with SYSTEM privileges. Only users running the specific vulnerable version on Windows systems are affected.
💻 Affected Systems
- Gen Digital Inc. Avast Cleanup Premium
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, persistence establishment, credential theft, and lateral movement capabilities.
Likely Case
Local attacker escalates from limited user to SYSTEM privileges, allowing installation of malware, disabling security controls, and accessing protected system resources.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
Requires local access and ability to create symbolic links. TOCTTOU race conditions can be challenging to exploit reliably.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for latest patched version
Vendor Advisory: https://www.gendigital.com/us/en/contact-us/security-advisories/
Restart Required: Yes
Instructions:
1. Open Avast Cleanup Premium.
2. Navigate to Settings > Update.
3. Click 'Check for updates'.
4. Install any available updates.
5. Restart the system.
🔧 Temporary Workarounds
Disable TuneupSvc Service
Windows: Temporarily disable the vulnerable service to prevent exploitation
sc stop TuneupSvc
sc config TuneupSvc start= disabled
Remove Symbolic Link Privileges
Windows: Remove SeCreateSymbolicLinkPrivilege from standard users via Group Policy
🧯 If You Can't Patch
- Uninstall Avast Cleanup Premium from affected systems
- Implement strict local access controls and monitor for suspicious privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Avast Cleanup Premium version in Settings > About. If version is 24.2.16593.17810, system is vulnerable.
Check Version:
wmic product where "name like 'Avast Cleanup%'" get version
Verify Fix Applied:
Verify version is updated beyond 24.2.16593.17810 and TuneupSvc service is running with latest binaries.
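The version and service checks above can be combined in one PowerShell script; this is an added example, not a script from the vendor or from this page. It reads the uninstall registry keys, because Win32_Product (which `wmic product` queries) lists only Windows Installer packages. Assumptions: the product registers a DisplayName starting with "Avast Cleanup" (the same pattern as the wmic filter above), and `Get-CleanupStatus` is a hypothetical helper name.

```powershell
# Version this page names as vulnerable; a fixed install should report a newer one.
$VulnerableVersion = [version]'24.2.16593.17810'

# Uninstall keys cover MSI and non-MSI installers, in the 64-bit and 32-bit views.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Hypothetical helper: classify a DisplayVersion string against the page's version.
function Get-CleanupStatus {
    param([string]$DisplayVersion)
    $parsed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return 'Unparseable' }
    if ($parsed -eq $VulnerableVersion) { return 'Vulnerable' }
    if ($parsed -gt $VulnerableVersion) { return 'UpdatedBeyond' }
    # The page names only one version; older builds need the vendor advisory.
    return 'OlderCheckAdvisory'
}

# Assumption: DisplayName begins with "Avast Cleanup".
$installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Avast Cleanup*' }

if (-not $installed) {
    Write-Output 'Avast Cleanup not found in the uninstall registry keys.'
}

foreach ($app in $installed) {
    [pscustomobject]@{
        Name    = $app.DisplayName
        Version = $app.DisplayVersion
        Status  = Get-CleanupStatus $app.DisplayVersion
    }
}

# Service state shows whether the workaround (Disabled) or the fix (Running) is in place.
Get-CimInstance -ClassName Win32_Service -Filter "Name='TuneupSvc'" |
    Select-Object Name, State, StartMode, PathName
```

A status of `OlderCheckAdvisory` or `Unparseable` means this page gives no basis for a verdict, so confirm against the vendor advisory.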
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Security ID changes, privilege escalation events, service control manager events for TuneupSvc
- Application logs showing unexpected TuneupSvc behavior
Network Indicators:
- Local privilege escalation typically has minimal network indicators
SIEM Query:
EventID=4688 AND (NewProcessName LIKE '%TuneupSvc%' OR CommandLine LIKE '%symlink%')