Advisory Details

July 29th, 2024

(0Day) Avast Free Antivirus Link Following Denial-of-Service Vulnerability

ZDI-24-999
ZDI-CAN-22806

CVE ID: CVE-2024-7228
CVSS SCORE: 6.1, AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
AFFECTED VENDORS: Avast
AFFECTED PRODUCTS: Free Antivirus
VULNERABILITY DETAILS

This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Avast Free Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the Avast Service. By creating a symbolic link, an attacker can abuse the service to create a folder. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
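The advisory describes a link-following bug: a privileged service creates a folder at a path that a low-privileged user can redirect with a symbolic link or junction. As an added example, not code from ZDI or Avast, the PowerShell script below audits a directory tree for the two preconditions that make this bug class reachable: a location writable by low-privileged principals, and reparse points already planted inside it. The root path is an assumption for illustration; the advisory does not name the directory involved.

```powershell
# Added example (not ZDI's or Avast's code): audit a directory that a
# privileged service is expected to write into and report
#   1. ACL entries that let low-privileged principals create files/folders
#   2. reparse points (symbolic links / junctions) already present
# The root path is an assumed placeholder, not a value from the advisory.
param(
    [string]$Root = 'C:\ProgramData\ExampleService'   # assumed path
)

# Well-known SIDs for broad, low-privileged groups.
$lowPrivSids = @(
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-1-0'        # Everyone
)

# FileSystemRights.Write covers CreateFiles, CreateDirectories,
# WriteAttributes and WriteExtendedAttributes.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write

function Test-LowPrivWritable {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (($rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity; skip it
        if ($lowPrivSids -contains $sid) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
            }
        }
    }
}

function Find-ReparsePoints {
    param([string]$Path)
    # -Attributes ReparsePoint returns symbolic links, junctions and
    # other reparse-tagged entries; -Force includes hidden items.
    Get-ChildItem -Path $Path -Recurse -Force -Attributes ReparsePoint `
        -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            LinkType = $_.LinkType
            Target   = ($_.Target -join ', ')
        }
    }
}

if (-not (Test-Path -Path $Root)) {
    Write-Warning "Root '$Root' does not exist; nothing to audit."
    return
}

Write-Host "== Low-privileged write access under $Root =="
Get-ChildItem -Path $Root -Recurse -Directory -Force -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName |
    ForEach-Object { Test-LowPrivWritable -Path $_ } |
    Format-Table -AutoSize
Test-LowPrivWritable -Path $Root | Format-Table -AutoSize

Write-Host "== Reparse points under $Root =="
Find-ReparsePoints -Path $Root | Format-Table -AutoSize
```

A directory that shows up in both tables is the condition the advisory describes: a low-privileged user can place a link there and the service will follow it when it creates its folder. Tightening the ACL so that only the service account and administrators can create entries, or having the service open the target with a reparse-point-aware API before creating into it, removes the precondition.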

ADDITIONAL DETAILS

12/11/23 – ZDI reported the vulnerability to Avast’s Security Reports team.
02/12/24 – ZDI asked for updates.
02/23/24 – ZDI asked for updates.
03/15/24 – ZDI informed the vendor that, since no response had been received, the case would be published as a zero-day advisory on 03/27/24.
04/25/24 – A Gen Digital team member communicated that all security issues should be submitted via a third-party Vulnerability Disclosure program.
05/22/24 – ZDI resubmitted the vulnerability to the third-party Vulnerability Disclosure program.
06/19/24 – ZDI asked for updates.
07/26/24 – ZDI informed the vendor that, since no response had been received, the case would be published as a zero-day advisory on 07/29/24.

-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.


DISCLOSURE TIMELINE
  • 2023-12-11 - Vulnerability reported to vendor
  • 2024-07-29 - Coordinated public release of advisory
  • 2024-08-15 - Advisory Updated
CREDIT: Nicholas Zubrisky (@NZubrisky) and Michael DePlante (@izobashi) of Trend Micro's Zero Day Initiative