CVE-2019-17093 is a vulnerability discovered in all editions of Avast and AVG Antivirus programs.
It should be noted that exploiting the bug requires administrative privileges. Once these privileges are acquired, the attacker can load malicious DLL files in multiple processes.
CVE-2019-17093 in Detail
An issue was discovered in Avast antivirus before 19.8 and AVG antivirus before 19.8. A DLL Preloading vulnerability allows an attacker to implant %WINDIR%\system32\wbemcomn.dll, which is loaded into a protected-light process (PPL) and might bypass some of the self-defense mechanisms. This affects all components that use WMI, e.g., AVGSvc.exe 19.6.4546.0 and TuneupSmartScan.dll 19.1.884.0.
The vulnerability was discovered by SafeBreach Labs researchers. The researchers proved that “it was possible to load an arbitrary unsigned DLL into multiple processes that run as NT AUTHORITY\SYSTEM, even using Protected Process Light (PPL)”.
For the purpose of self-defense mechanisms, even administrators are not allowed to write DLL to the AM-PPL (Anti-Malware Protected Process Light). However, it turns out that the restriction can be circumvented by writing the DLL file to an unprotected folder which is used by an application to load components.
There are two particular reasons for this restriction to be bypassed. The first reason, as pointed out by the researchers, is the lack of safe DLL loading. The other cause is that code integrity is not enforced in the AM-PPL process.
According to Avast, currently the PPL restriction regarding signed DLLs (code integrity) is disabled in their implementation. As we demonstrated, this might lead to self-defense bypass, the report said.
CVE-2019-17093 Attack Scenarios
An attacker exploiting the vulnerability could be able to load and execute malicious payloads via multiple signed services, eventually leading to Application Whitelisting Bypass. Furthermore, the self-defense mechanism of the antivirus program could be bypassed as well, resulting in tampering with the Antivirus directory.
CVE-2019-17093 could also be used to load and execute payloads persistently. In other words, once a malicious DLL has been injected, the malicious code will be set to load on each system restart.
The researchers reported the bug to Avast in August. The company acknowledged the issue in September, and a fix was presented in version 19.8 of AVG and Avast. All versions below 19.8 are vulnerable and should be updated immediately.
Avast acquired AVG in 2016.