CVE-2024-7233
📋 TL;DR
This vulnerability in Avast Free Antivirus allows local attackers to escalate privileges from a low-privileged user account to SYSTEM level by exploiting a symbolic link handling flaw in the Avast Service. Attackers must already have code execution on the target system to exploit this vulnerability. All users running vulnerable versions of Avast Free Antivirus are affected.
💻 Affected Systems
- Avast Free Antivirus
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and full control over the affected system.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional malware, and maintain persistence on compromised systems.
If Mitigated
Limited impact if proper endpoint security controls, least privilege principles, and application allowlisting are implemented.
🎯 Exploit Status
Exploitation requires local access and ability to create symbolic links, which is typically available to standard users on Windows systems.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Avast security advisory for specific patched version
Vendor Advisory: https://support.avast.com/en-us/article/antivirus-windows-security-update-history/
Restart Required: Yes
Instructions:
1. Open Avast Free Antivirus
2. Navigate to Menu → Settings → Update
3. Click 'Update' to check for and install latest version
4. Restart computer when prompted
🔧 Temporary Workarounds
Disable Avast Service
Windows: Temporarily disable the Avast Service to prevent exploitation (will disable antivirus protection)
sc stop AvastSvc
sc config AvastSvc start= disabled
Remove symbolic link creation privileges
Windows: Restrict ability to create symbolic links via Group Policy
gpedit.msc → Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Create symbolic links
🧯 If You Can't Patch
- Implement strict least privilege principles to limit initial access vectors
- Deploy application allowlisting to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check Avast version against patched version in vendor advisory. Vulnerable if running affected version with AvastSvc running as SYSTEM.
Check Version:
Run "C:\Program Files\Avast Software\Avast\AvastUI.exe" /? or check About in the Avast interface
Verify Fix Applied:
Verify Avast version is updated to patched version and restart system. Test symbolic link creation in controlled environment.
📡 Detection & Monitoring
Log Indicators:
- Unusual symbolic link creation events in Windows Security logs
- Avast Service (AvastSvc) process spawning unexpected child processes
- File deletion events in protected system directories
Network Indicators:
- No direct network indicators - this is a local privilege escalation
SIEM Query:
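(EventID=4656 AND ObjectName LIKE '*\??\*' AND AccessMask=0x2) OR (ProcessName='AvastSvc.exe' AND ChildProcess NOT IN expected_process_list)
The first clause targets symbolic link creation; the second targets AvastSvc.exe spawning a child process outside the expected list.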
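The two clauses of the SIEM query above, written out as an added Python example (not vendor or advisory code) so they can be tested against exported events before being ported to a SIEM. The event field names follow the query on this page rather than any particular log schema, and the allowlist entry and all sample events are constructed placeholders.

```python
import ntpath

# Placeholder allowlist (assumption): build it from a baseline of your own fleet.
EXPECTED_CHILDREN = {"placeholder_child.exe"}

def _mask(value):
    """Parse AccessMask given as int, '0x2' or '2'; None if unparseable."""
    try:
        return int(str(value), 0)
    except ValueError:
        return None

def _image(path):
    """Lower-cased file name of a Windows path (names are case-insensitive)."""
    return ntpath.basename(str(path or "")).lower()

def match(event, expected_children=EXPECTED_CHILDREN):
    """Return the name of the clause that fired, or None."""
    # Clause 1: EventID=4656 AND ObjectName LIKE '*\??\*' AND AccessMask=0x2
    if (str(event.get("EventID")) == "4656"
            and "\\??\\" in str(event.get("ObjectName", ""))
            and _mask(event.get("AccessMask")) == 0x2):
        return "link_handle_request"
    # Clause 2: ProcessName='AvastSvc.exe' AND ChildProcess NOT IN expected list
    if (_image(event.get("ProcessName")) == "avastsvc.exe"
            and event.get("ChildProcess")
            and _image(event["ChildProcess"]) not in expected_children):
        return "unexpected_child"
    return None

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"EventID": 4656, "ObjectName": r"\??\C:\placeholder\target", "AccessMask": "0x2"},
    {"EventID": 4656, "ObjectName": r"\Device\HarddiskVolume2\x", "AccessMask": "0x2"},
    {"EventID": 4656, "ObjectName": r"\??\C:\placeholder\target", "AccessMask": "0x1"},
    {"ProcessName": r"C:\Program Files\Avast Software\Avast\AvastSvc.exe",
     "ChildProcess": r"C:\Windows\System32\cmd.exe"},
    {"ProcessName": "AvastSvc.exe", "ChildProcess": "placeholder_child.exe"},
]

def triage(events):
    """Apply match() to each event, preserving order."""
    return [match(e) for e in events]

if __name__ == "__main__":
    for e, hit in zip(SAMPLE, triage(SAMPLE)):
        print(hit or "-", e)
```

Comparing on the lower-cased file name keeps the child-process clause from being missed when one log source records full image paths and another records bare names.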