CVE-2024-9484
📋 TL;DR
A null pointer dereference vulnerability in AVG/Avast Antivirus for macOS allows attackers to crash the antivirus application by processing a specially crafted XAR archive file. This affects macOS users running AVG/Avast Antivirus with signatures older than version 24092400 released on September 24, 2024. The vulnerability resides in the engine module during file processing.
💻 Affected Systems
- AVG Antivirus for macOS
- Avast Antivirus for macOS
⚠️ Risk & Real-World Impact
Worst Case
Complete antivirus service disruption leading to loss of real-time protection, potentially enabling follow-on malware attacks while the antivirus is crashed.
Likely Case
Denial of service through antivirus application crash, requiring manual restart of the antivirus service to restore protection.
If Mitigated
Minimal impact if antivirus auto-restarts quickly, though brief protection gaps could occur during restart.
🎯 Exploit Status
Exploitation requires delivering a malicious XAR file to the target system and triggering antivirus scan/processing of that file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Signature database version 24092400 or newer
Vendor Advisory: https://support.norton.com/sp/static/external/tools/security-advisories.html
Restart Required: No
Instructions:
1. Open AVG/Avast Antivirus.
2. Navigate to Settings/Preferences.
3. Check for updates.
4. Ensure signature database updates to version 24092400 or newer.
5. Verify update completes successfully.
🔧 Temporary Workarounds
Disable automatic XAR file processing
macOS: Configure antivirus to exclude XAR files from automatic scanning
Restrict XAR file execution
macOS: Use macOS security controls to block execution of XAR files from untrusted sources
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of XAR files
- Deploy network segmentation to limit file transfer capabilities to vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check antivirus signature database version in AVG/Avast interface; if older than 24092400, system is vulnerable.
Check Version:
Check via AVG/Avast GUI: Settings → About or similar menu for signature version
Verify Fix Applied:
Confirm signature database shows version 24092400 or newer in antivirus settings.
📡 Detection & Monitoring
Log Indicators:
- Antivirus service crash logs
- Unexpected antivirus process termination
- Error logs mentioning XAR file processing failures
Network Indicators:
- Unusual file transfers of XAR archives to vulnerable systems
SIEM Query:
source="antivirus_logs" AND (event="crash" OR event="service_stopped") AND (process="avg" OR process="avast")
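
To support the network indicator above (XAR archives moving to vulnerable systems), the following added example, which is not vendor code, identifies XAR files by their 28-byte header rather than by file name, so a transfer log can tag them. The function names, the result labels, the expected extensions (`.xar`, `.pkg`) and the sample bytes are assumptions made for illustration; the structural checks are generic and do not reproduce the crafted input, which the advisory does not describe.

```python
import struct
from typing import Optional

XAR_MAGIC = b"xar!"                      # 0x78617221, first four bytes of a XAR archive
XAR_HEADER = struct.Struct(">4sHHQQI")   # big-endian: magic, header size, version,
                                         # TOC compressed len, TOC uncompressed len, checksum alg
CKSUM_NAMES = {0: "none", 1: "sha1", 2: "md5"}
EXPECTED_EXT = (".xar", ".pkg")          # assumption: names normally used for XAR containers

def parse_xar_header(data: bytes) -> Optional[dict]:
    """Return the XAR header fields, or None if data does not start with a XAR header."""
    if len(data) < XAR_HEADER.size or data[:4] != XAR_MAGIC:
        return None
    _, hdr_size, version, toc_c, toc_u, cksum = XAR_HEADER.unpack_from(data)
    return {
        "header_size": hdr_size,
        "version": version,
        "toc_compressed": toc_c,
        "toc_uncompressed": toc_u,
        "checksum": CKSUM_NAMES.get(cksum, f"unknown({cksum})"),
    }

def triage(name: str, data: bytes) -> str:
    """Label a transferred file for a gateway or file-transfer log."""
    hdr = parse_xar_header(data)
    if hdr is None:
        return "not-xar"
    notes = []
    # Generic structural checks: they mark a header as unusual, not as malicious.
    if hdr["header_size"] < XAR_HEADER.size:
        notes.append("short-header")
    if hdr["toc_compressed"] == 0 or len(data) < hdr["header_size"] + hdr["toc_compressed"]:
        notes.append("toc-out-of-bounds")
    # A XAR payload under an unrelated file name is worth a second look.
    if not name.lower().endswith(EXPECTED_EXT):
        notes.append("extension-mismatch")
    return "xar:" + (",".join(notes) if notes else "ok")

# Constructed sample: a valid header followed by a 4-byte stand-in for the TOC.
SAMPLE = XAR_HEADER.pack(XAR_MAGIC, 28, 1, 4, 10, 1) + b"\x00" * 4

if __name__ == "__main__":
    for fname, blob in [("update.pkg", SAMPLE), ("invoice.pdf", SAMPLE),
                        ("trunc.xar", SAMPLE[:28]), ("notes.txt", b"hello world")]:
        print(fname, "->", triage(fname, blob))
```

Feeding these labels into the same log source as the antivirus crash events lets an analyst line up a XAR arrival with a subsequent service stop on hosts whose signature version is older than 24092400.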