CVE-2024-7231
📋 TL;DR
This vulnerability in Avast Cleanup Premium allows local attackers to escalate privileges by exploiting a symbolic link issue in the Avast Cleanup Service. Attackers with initial low-privileged access can delete files and execute arbitrary code as SYSTEM. Users of Avast Cleanup Premium on Windows systems are affected.
💻 Affected Systems
- Avast Cleanup Premium
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM compromise allowing complete control over the system, installation of persistent malware, credential theft, and lateral movement.
Likely Case
Local privilege escalation from a standard user to SYSTEM, enabling installation of additional malware, disabling security controls, or accessing protected resources.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and application control are implemented.
🎯 Exploit Status
Exploitation requires local access and ability to create symbolic links. The vulnerability is well-documented in the ZDI advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Avast updates for latest version
Vendor Advisory: https://www.avast.com/en-us/support
Restart Required: Yes
Instructions:
1. Open Avast Cleanup Premium.
2. Navigate to Settings > Update.
3. Click 'Check for updates'.
4. Install any available updates.
5. Restart the system.
🔧 Temporary Workarounds
Disable Avast Cleanup Service
Temporarily disable the vulnerable service to prevent exploitation (Windows):
sc stop "Avast Cleanup Premium Service"
sc config "Avast Cleanup Premium Service" start= disabled
Remove symbolic link creation privileges
Restrict the ability to create symbolic links for standard users (Windows):
secedit /export /cfg C:\secpol.cfg
Edit secpol.cfg to modify 'Create symbolic links' privilege
secedit /configure /db C:\windows\security\local.sdb /cfg C:\secpol.cfg /areas USER_RIGHTS
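The middle step of that workaround ("Edit secpol.cfg") is the part people get wrong by hand. The script below is an added example written for this page, not Avast or Microsoft tooling: it rewrites the SeCreateSymbolicLinkPrivilege line (the policy key behind the 'Create symbolic links' right) in the [Privilege Rights] section of a `secedit /export` file so that only the SIDs you pass remain, by default only BUILTIN\Administrators (S-1-5-32-544). The sample export embedded in it is constructed; the function name, the assumption that you want Administrators to keep the right, and the UTF-16 handling in the file helper (secedit writes UTF-16 LE exports) are this example's, not the page's.

```python
"""Restrict the 'Create symbolic links' user right in a secedit export.

Added example for this page (not vendor code). Edits only the
SeCreateSymbolicLinkPrivilege line under [Privilege Rights]; every other
line and line ending is preserved so `secedit /configure` accepts the file.
"""
from __future__ import annotations

import sys
from pathlib import Path

PRIVILEGE = "SeCreateSymbolicLinkPrivilege"   # policy key for 'Create symbolic links'
ADMINISTRATORS_SID = "*S-1-5-32-544"          # BUILTIN\Administrators

# Constructed sample export in which Users (S-1-5-32-545) and a domain group
# also hold the right. Real exports have the same sections and CRLF endings.
SAMPLE_EXPORT = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[System Access]\r\nMinimumPasswordAge = 1\r\n"
    "[Privilege Rights]\r\n"
    "SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545\r\n"
    "SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-32-545,CONTOSO\\devs\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
)


def restrict_privilege(cfg_text: str, privilege: str = PRIVILEGE,
                       allowed: tuple[str, ...] = (ADMINISTRATORS_SID,)):
    """Return (new_text, removed_holders).

    If the privilege line is absent, secedit already assigns the right to nobody,
    so the text is returned unchanged with an empty removed list.
    """
    lines = cfg_text.splitlines(keepends=True)
    removed: list[str] = []
    in_section = False
    for i, line in enumerate(lines):
        body = line.rstrip("\r\n")
        eol = line[len(body):]                     # keep CRLF exactly as exported
        stripped = body.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped == "[Privilege Rights]"
            continue
        if not in_section or "=" not in body:
            continue
        key, _, value = body.partition("=")
        if key.strip() != privilege:
            continue
        holders = [h.strip() for h in value.split(",") if h.strip()]
        keep = [h for h in holders if h in allowed]
        removed = [h for h in holders if h not in allowed]
        indent = key[: len(key) - len(key.lstrip())]
        lines[i] = f"{indent}{privilege} = {','.join(keep)}{eol}"
        break                                       # each privilege appears once
    return "".join(lines), removed


def harden_file(path: str, dest: str | None = None,
                allowed: tuple[str, ...] = (ADMINISTRATORS_SID,)) -> list[str]:
    """Rewrite a secedit export (UTF-16 LE with BOM) in place or to `dest`.

    newline="" stops Python from turning the file's CRLF into CRCRLF.
    """
    text = Path(path).read_text(encoding="utf-16")
    new_text, removed = restrict_privilege(text, allowed=allowed)
    with open(dest or path, "w", encoding="utf-16", newline="") as fh:
        fh.write(new_text)
    return removed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("removed holders:", harden_file(sys.argv[1]))
    else:
        edited, dropped = restrict_privilege(SAMPLE_EXPORT)
        print("removed holders:", dropped)
        print(edited)
```

Run it against the file from the export step (`python restrict_symlink_right.py C:\secpol.cfg`), review the printed list of removed holders, then apply the result with the `secedit /configure` command above. The list of removed holders is the audit record of what the change took away; if it contains a group your users legitimately need (developer tooling often does), pass that SID in `allowed` rather than skipping the hardening.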
🧯 If You Can't Patch
- Uninstall Avast Cleanup Premium if not essential
- Implement application control to block execution of Avast Cleanup Service
🔍 How to Verify
Check if Vulnerable:
Check whether Avast Cleanup Premium is installed and whether the Avast Cleanup Premium Service is running a version that predates the fix.
Check Version:
Check the Avast Cleanup Premium version in the program interface or via 'wmic product where name="Avast Cleanup Premium" get version'.
Verify Fix Applied:
Verify that Avast Cleanup Premium has been updated to the latest version and that the service has been restarted.
📡 Detection & Monitoring
Log Indicators:
- Unusual symbolic link creation events
- Avast Cleanup Service process spawning unexpected child processes
- File deletion events in system directories
Network Indicators:
- No specific network indicators as this is local exploitation
SIEM Query:
Process Creation where (Image contains 'cleanup' OR ParentImage contains 'cleanup') AND CommandLine contains unusual parameters
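The three log indicators above, as detection logic over sample events. This is an added example written for this page, not Avast's or any SIEM vendor's content. It runs on constructed, already-normalized events (one dict per event with an `event` type, a `ts` in seconds and a few fields) rather than on raw Windows event-log XML; the protected-directory list, the 60-second correlation window, the rule names and the working definitions of "unexpected child" (a binary outside the service's own install directory) and "unusual symbolic link" (a non-service account linking into a protected directory) are this example's assumptions, not the page's.

```python
"""Detection rules for the CVE-2024-7231 log indicators, run over sample events.

Added example for this page. Events are constructed and pre-normalized; the
schema, thresholds and directory lists are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed set of directories a standard user should never be able to get the
# service to delete from, compared case-insensitively with a trailing backslash.
PROTECTED_DIRS = ("c:\\windows\\", "c:\\program files\\",
                  "c:\\program files (x86)\\", "c:\\programdata\\")
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                    "nt authority\\network service"}
CORRELATION_WINDOW_S = 60   # assumed: symlink -> deletion pairing window


@dataclass
class Alert:
    rule: str
    ts: int
    process: str
    detail: str


def _norm(path: str) -> str:
    return path.strip().lower()


def _dirname(path: str) -> str:
    p = _norm(path)
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def in_protected_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d) for d in PROTECTED_DIRS)


def check_process(ev: dict) -> Alert | None:
    """Cleanup service spawning a child outside its own install directory."""
    parent = _norm(ev.get("parent_image", ""))
    child = _norm(ev.get("image", ""))
    if "cleanup" not in parent or _dirname(child) == _dirname(parent):
        return None
    return Alert("cleanup_unexpected_child", ev["ts"], parent,
                 f"{parent} spawned {child} [{ev.get('command_line', '')}]")


def check_delete(ev: dict) -> Alert | None:
    """File deletion inside a protected (system) directory."""
    if not in_protected_dir(ev.get("path", "")):
        return None
    proc = _norm(ev.get("process", ""))
    return Alert("protected_dir_delete", ev["ts"], proc, f"{proc} deleted {ev['path']}")


def check_symlink(ev: dict) -> Alert | None:
    """Symbolic link created by a non-service account pointing into a protected directory."""
    user = _norm(ev.get("user", ""))
    if user in SERVICE_ACCOUNTS or not in_protected_dir(ev.get("target", "")):
        return None
    return Alert("unusual_symlink", ev["ts"], user,
                 f"{user} linked {ev['path']} -> {ev['target']}")


CHECKS = {"process_create": check_process, "file_delete": check_delete,
          "symlink_create": check_symlink}


def correlate(alerts: list[Alert]) -> list[Alert]:
    """Unusual symlink followed within the window by a protected-dir deletion by a cleanup process."""
    links = [a for a in alerts if a.rule == "unusual_symlink"]
    out = []
    for d in alerts:
        if d.rule != "protected_dir_delete" or "cleanup" not in d.process:
            continue
        for link in links:
            if 0 <= d.ts - link.ts <= CORRELATION_WINDOW_S:
                out.append(Alert("symlink_then_service_delete", d.ts, d.process,
                                 f"{link.detail} | {d.detail}"))
    return out


def run(events: list[dict]) -> list[Alert]:
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        check = CHECKS.get(ev.get("event"))
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts + correlate(alerts)


# Constructed sample: vendor path and account names are placeholders.
SVC = "C:\\Program Files\\ExampleVendor\\Cleanup\\CleanupService.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "ts": 100, "parent_image": SVC,
     "image": "C:\\Program Files\\ExampleVendor\\Cleanup\\helper.exe", "command_line": "helper.exe"},
    {"event": "symlink_create", "ts": 110, "user": "DESKTOP\\lowpriv",
     "path": "C:\\Users\\lowpriv\\AppData\\Local\\Temp\\cache", "target": "C:\\Windows\\System32\\drivers"},
    {"event": "file_delete", "ts": 120, "process": SVC, "path": "C:\\Windows\\System32\\drivers\\example.sys"},
    {"event": "process_create", "ts": 130, "parent_image": SVC,
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe"},
    {"event": "file_delete", "ts": 200, "process": "C:\\Windows\\explorer.exe",
     "path": "C:\\Users\\lowpriv\\Downloads\\old.zip"},
    {"event": "symlink_create", "ts": 300, "user": "NT AUTHORITY\\SYSTEM",
     "path": "C:\\Windows\\Temp\\link", "target": "C:\\Windows\\Temp\\real"},
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a.ts:>5} {a.rule:<28} {a.detail}")
```

On the sample data the three single-event rules each fire once and the correlation rule fires once, on the deletion at ts 120. The correlated alert is the one worth paging on: a symbolic link alone is noisy on developer workstations, and a service deleting under C:\Windows can be legitimate cleanup, but the two in sequence from a low-privileged account match this advisory's mechanism.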