Windows Hard Link in Avast Secure Browser - CVE-2019-17190
Published: March 21, 2020
Vulnerability identifier: #VU26291
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2019-17190
CWE-ID: CWE-65
Exploitation vector: Local access
Exploit availability:
Public exploit is available
Vendor: Avast Software s.r.o.
Affected software:
Avast Secure Browser
Avast Secure Browser
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to software sets insecure permission to C:\ProgramData\AVAST SOFTWARE\Browser\Update\Update.ini file. This file is used during application update procedure and its permissions are replaced by the "AvastBrowserUpdate.exe" program, which runs under "NT AUTHORITY\SYSTEM" account. A local user can create a hard link from the Update.ini file to any file on the system and replace permissions of arbitrary file.
Successful exploitation of the vulnerability may allow an attacker to escalate privileges on the system.
How to mitigate CVE-2019-17190
Install updates from vendor's website.