CVE-2024-7229
📋 TL;DR
This vulnerability allows local attackers to escalate privileges on systems running Avast Cleanup Premium. Attackers with initial low-privileged access can exploit a symbolic link handling flaw in the Avast Cleanup Service to delete files and ultimately execute arbitrary code as SYSTEM. Only users of Avast Cleanup Premium are affected.
💻 Affected Systems
- Avast Cleanup Premium
📦 What is this software?
Avast Cleanup Premium is a commercial Windows PC-maintenance utility from Avast (disk cleanup, startup and registry optimization). It installs a background Windows service that runs as SYSTEM, which is why a file-handling flaw in that service can lead to full privilege escalation.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing attackers to install persistent malware, steal credentials, disable security controls, and control the entire system.
Likely Case
Local privilege escalation from a standard user account to SYSTEM, enabling installation of additional malware, credential harvesting, and lateral movement within the network.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and application control are implemented, preventing initial low-privileged code execution.
🎯 Exploit Status
Exploitation requires local access and the ability to create symbolic links. The vulnerability is well documented in ZDI advisory ZDI-24-1002, making weaponization likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in the available references; check for the latest Avast Cleanup Premium updates
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-24-1002/
Restart Required: Yes
Instructions:
1. Open Avast Cleanup Premium
2. Navigate to Settings > Update
3. Check for and install available updates
4. Restart the system to ensure service updates are applied
🔧 Temporary Workarounds
Disable Avast Cleanup Service
Temporarily disable the vulnerable service to prevent exploitation (Windows, elevated command prompt):

```cmd
sc stop "Avast Cleanup Premium Service"
sc config "Avast Cleanup Premium Service" start= disabled
```

Remove Symbolic Link Privileges
Remove SeCreateSymbolicLinkPrivilege from standard users via Group Policy (Windows):

gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Create symbolic links
🧯 If You Can't Patch
- Uninstall Avast Cleanup Premium completely
- Implement application control to block execution of Avast Cleanup Service
🔍 How to Verify
Check if Vulnerable:
Check if Avast Cleanup Premium is installed and the service is running: sc query "Avast Cleanup Premium Service"
Check Version:
Check program version in Control Panel > Programs and Features or via Avast Cleanup Premium interface
Verify Fix Applied:
Verify service version after update and ensure symbolic link exploitation attempts fail
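The following PowerShell script is an added example, not code from the advisory or from Avast. It turns the "Temporary Workarounds" and "How to Verify" sections above into one auditable check: whether the affected service is present and running, which product version is installed, which principals currently hold SeCreateSymbolicLinkPrivilege, and (optionally) applying the stop-and-disable workaround. It assumes the service name exactly as the advisory prints it, and that the product registers under the standard Uninstall registry keys with "Avast Cleanup" in its DisplayName; both are assumptions marked in the code.

```powershell
# Added example (not from the advisory or from Avast): audit the conditions the
# advisory's workaround and verification sections describe.
# Assumptions: the service name is as the advisory prints it, and the product's
# Uninstall entry has "Avast Cleanup" in its DisplayName. Run elevated.
#Requires -RunAsAdministrator
param(
    [switch]$DisableService   # actually apply the "stop and disable" workaround
)

$ServiceName = 'Avast Cleanup Premium Service'   # name as given in the advisory
$NamePattern = '*Avast Cleanup*'                  # assumed DisplayName pattern

# 1. Is the vulnerable service installed, and is it running?
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "Service '$ServiceName' not found; this host does not run the affected service."
} else {
    Write-Output ("Service '{0}': status={1}, start type={2}" -f $svc.Name, $svc.Status, $svc.StartType)
}

# 2. Installed version, read from the Uninstall registry keys (64-bit and 32-bit views)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern } |
    ForEach-Object { Write-Output ("Installed: {0} version {1}" -f $_.DisplayName, $_.DisplayVersion) }

# 3. Who holds "Create symbolic links" (SeCreateSymbolicLinkPrivilege)?
#    secedit exports the current user-rights assignment as an INF file; SIDs are
#    written with a leading '*'. By default only Administrators (S-1-5-32-544)
#    hold this right, so check the list before assuming the GPO change is needed.
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$assignment = Get-Content -Path $inf |
    Where-Object { $_ -like 'SeCreateSymbolicLinkPrivilege*' } |
    Select-Object -First 1
Remove-Item -Path $inf -ErrorAction SilentlyContinue
if ($assignment) {
    $holders = ($assignment -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($id)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $id }   # unresolvable SID: keep the raw value
    }
    Write-Output ("SeCreateSymbolicLinkPrivilege holders: {0}" -f ($holders -join ', '))
} else {
    Write-Output 'SeCreateSymbolicLinkPrivilege is assigned to no one on this host.'
}

# 4. Developer Mode lets unprivileged users create symbolic links regardless of
#    the user-rights assignment, so report it alongside the privilege audit.
$devMode = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock' `
                            -Name AllowDevelopmentWithoutDevLicense -ErrorAction SilentlyContinue
Write-Output ("Developer Mode enabled: {0}" -f ($devMode.AllowDevelopmentWithoutDevLicense -eq 1))

# 5. Optionally apply the advisory's temporary workaround (same effect as the sc commands)
if ($DisableService -and $svc) {
    Stop-Service -Name $ServiceName -Force
    Set-Service  -Name $ServiceName -StartupType Disabled
    Write-Output "Service '$ServiceName' stopped and set to Disabled."
}
```

Run it without arguments to audit; add `-DisableService` to apply the workaround. Two points the privilege audit makes visible: on a default Windows install only Administrators hold "Create symbolic links", so removing the right from standard users is a no-op unless someone added it, and Developer Mode restores unprivileged symlink creation independently of that setting. Neither replaces the vendor patch, since the check only covers the one primitive the advisory names.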
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688: Process creation for Avast Cleanup Service with suspicious parent processes
- Event ID 4663: File deletion attempts via Avast Cleanup Service
- Symbolic link creation events in security logs
Network Indicators:
- No network indicators - this is a local privilege escalation
SIEM Query:
source="windows" (event_id=4688 AND process_name="*AvastCleanup*" AND parent_process_name!="services.exe") OR (event_id=4663 AND process_name="*AvastCleanup*")
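The script below is an added example, not part of the advisory, that runs the two log indicators listed above against the local Security log instead of a SIEM: 4688 process creation for the cleanup service with a parent other than services.exe, and 4663 object-access events where that service requested delete access. It assumes process-creation auditing is enabled (4688, with the ParentProcessName field available on Windows 10 / Server 2016 and later), that object-access auditing with a SACL on the relevant paths is enabled (4663), and that the service image path contains "AvastCleanup", the same wildcard the SIEM query above uses.

```powershell
# Added example (not from the advisory): implement its 4688 / 4663 indicators as
# a Security-log query. Assumes process-creation and object-access auditing are
# on, and that the service image path matches the advisory's "*AvastCleanup*".
function Find-CleanupServiceIndicators {
    param(
        [int]$Hours = 24,                         # look-back window
        [string]$ImagePattern = '*AvastCleanup*'  # wildcard taken from the advisory's SIEM query
    )
    $filter = @{ LogName = 'Security'; Id = 4688, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Flatten <EventData><Data Name="..."> into a hashtable keyed by field name
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        switch ($ev.Id) {
            4688 {
                # Service processes are normally started by services.exe; any other
                # parent (a user shell, explorer.exe, a script host) deserves a look.
                if ($d['NewProcessName'] -like $ImagePattern -and
                    $d['ParentProcessName'] -notlike '*\services.exe') {
                    [pscustomobject]@{
                        Time    = $ev.TimeCreated; Id = 4688
                        User    = $d['SubjectUserName']
                        Process = $d['NewProcessName']
                        Detail  = "parent=$($d['ParentProcessName'])"
                    }
                }
            }
            4663 {
                # AccessMask is a hex string; bit 0x10000 is DELETE. ProcessName is the
                # image that requested the access, ObjectName the file or directory.
                $mask = [Convert]::ToInt32(($d['AccessMask'] -replace '^0x', ''), 16)
                if ($d['ProcessName'] -like $ImagePattern -and ($mask -band 0x10000)) {
                    [pscustomobject]@{
                        Time    = $ev.TimeCreated; Id = 4663
                        User    = $d['SubjectUserName']
                        Process = $d['ProcessName']
                        Detail  = "delete access on $($d['ObjectName'])"
                    }
                }
            }
        }
    }
}

# Usage: indicators from the last 24 hours, oldest first
Find-CleanupServiceIndicators | Sort-Object Time | Format-Table -AutoSize
```

The 4663 branch only fires for paths that carry a SACL auditing Delete, so put one on the directories the service cleans (and on any user-writable location it touches) before relying on it. The third indicator above, symbolic link creation, has no dedicated Security-log event; it is normally covered by Sysmon or EDR file-system telemetry, or by a SACL on the same directories that records the creation of the link or junction entry.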