CVE-2024-7237
📋 TL;DR
This vulnerability in AVG AntiVirus Free allows local attackers to escalate privileges from a low-privileged user account to SYSTEM level by exploiting a symbolic link handling flaw in the AVG Service. Attackers must first gain execution capability on the target system. Only AVG AntiVirus Free installations are affected.
💻 Affected Systems
- AVG AntiVirus Free
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM privilege compromise allowing complete control of the system, installation of persistent malware, credential theft, and lateral movement.
Likely Case
Local privilege escalation leading to SYSTEM-level code execution, enabling attackers to bypass security controls and maintain persistence.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and application control are implemented.
🎯 Exploit Status
Exploitation requires local access and the ability to create symbolic links. The vulnerability is documented in ZDI advisory ZDI-24-1007.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check AVG AntiVirus Free updates for latest version
Vendor Advisory: https://www.avg.com/en-us/security-advisories
Restart Required: Yes
Instructions:
1. Open AVG AntiVirus Free.
2. Click Menu → Settings → Update.
3. Click Update now.
4. Restart the computer when prompted.
🔧 Temporary Workarounds
Disable AVG Service
Temporarily disable the AVG Service to prevent exploitation. Note that this also stops the protection the service provides until it is re-enabled:

```cmd
sc stop AVGSvc
sc config AVGSvc start= disabled
```
Remove Symbolic Link Privileges
Remove SeCreateSymbolicLinkPrivilege from standard user accounts. Export the local security policy first:

```cmd
secedit /export /cfg secpol.cfg
```

Edit secpol.cfg to remove SeCreateSymbolicLinkPrivilege from Users, then apply the edited policy:

```cmd
secedit /configure /db secpol.sdb /cfg secpol.cfg
```

Caveat: this privilege governs only NTFS symbolic links; NTFS junctions and object-manager symbolic links do not require it, so this workaround reduces rather than removes the exposure.
🧯 If You Can't Patch
- Uninstall AVG AntiVirus Free and replace it with an alternative antivirus solution
- Implement strict application control policies to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check if AVG AntiVirus Free is installed and AVGSvc service is running: sc query AVGSvc
Check Version:
Check AVG interface for version or examine installed programs in Control Panel
Verify Fix Applied:
Verify that AVG AntiVirus Free is updated to the latest version and confirm the installed service version matches it
📡 Detection & Monitoring
Log Indicators:
- AVG service logs showing unexpected folder deletion operations
- Windows Event Logs showing symbolic link creation by non-admin users
- Process creation events showing AVGSvc spawning unexpected processes
Network Indicators:
- No network indicators - this is a local privilege escalation
SIEM Query:
EventID=4688 AND ProcessName="AVGSvc.exe" AND ParentProcessName NOT IN ("services.exe", "svchost.exe")
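The SIEM query above and the "AVGSvc spawning unexpected processes" indicator, expressed as detection logic run over constructed 4688-style records. This is an added example, not part of the advisory; the field layout, install paths and sample records are assumptions.

```python
# Added example: the advisory's 4688 rule and the "service spawning children"
# indicator as offline detection logic over constructed sample records.
from dataclasses import dataclass

# Parents that legitimately create the service process (from the advisory's query).
EXPECTED_SERVICE_PARENTS = {"services.exe", "svchost.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    event_id: int         # Windows Security event ID (4688 = process creation)
    new_process: str      # 4688 "New Process Name" (full path)
    parent_process: str   # 4688 "Creator Process Name" (full path)

def image_name(path: str) -> str:
    """Case-insensitive file name of a Windows path, so rules ignore install location."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def unexpected_service_start(ev: ProcessEvent) -> bool:
    """Advisory rule: AVGSvc.exe created by anything other than the service control manager."""
    return (ev.event_id == 4688
            and image_name(ev.new_process) == "avgsvc.exe"
            and image_name(ev.parent_process) not in EXPECTED_SERVICE_PARENTS)

def unexpected_service_child(ev: ProcessEvent) -> bool:
    """Companion rule for the log indicator: the SYSTEM-level service creating a
    process. Every child is surfaced for review; allow-list known children locally."""
    return ev.event_id == 4688 and image_name(ev.parent_process) == "avgsvc.exe"

def triage(events: list) -> list:
    """Return (event index, rule name) for every record that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        if unexpected_service_start(ev):
            hits.append((i, "unexpected-parent"))
        if unexpected_service_child(ev):
            hits.append((i, "unexpected-child"))
    return hits

# Constructed sample records (not real telemetry); paths are assumptions.
SAMPLE_EVENTS = [
    ProcessEvent(4688, r"C:\Program Files\AVG\Antivirus\AVGSvc.exe",
                 r"C:\Windows\System32\services.exe"),               # normal service start
    ProcessEvent(4688, r"C:\Program Files\AVG\Antivirus\AVGSvc.exe",
                 r"C:\Windows\System32\cmd.exe"),                    # unexpected parent
    ProcessEvent(4688, r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\AVG\Antivirus\AVGSvc.exe"),      # service spawned a shell
    ProcessEvent(4688, r"C:\Windows\notepad.exe",
                 r"C:\Windows\explorer.exe"),                        # unrelated activity
]
```

Feed real 4688 records into `ProcessEvent` from your log pipeline; `triage(SAMPLE_EVENTS)` returns `[(1, "unexpected-parent"), (2, "unexpected-child")]` for the constructed set.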