Avira Prime Link Following Local Privilege Escalation Vulnerability

Vulnerability

The vulnerability is a link following flaw in the Avira Spotlight Service component of Avira Prime. The service improperly handles symbolic links when performing file operations. An attacker with low-privileged code execution on the system can create a symbolic link that the service, running with SYSTEM privileges, will follow, leading to the deletion of an arbitrary file. The exact affected versions of Avira Prime are not specified in the available reference [1], but the flaw is present in the Spotlight Service.

Exploitation

To exploit this vulnerability, an attacker must first obtain the ability to execute low-privileged code on the target system. The attacker then creates a symbolic link pointing to a target file that they wish to delete. When the Avira Spotlight Service performs a file operation (likely a delete operation) on the path controlled by the attacker, it follows the symbolic link and deletes the file at the target location. This action is performed in the context of the SYSTEM account. The attacker can leverage this to delete critical system files or to set up a condition for privilege escalation, such as deleting a file that is then replaced with a malicious version.

Impact

Successful exploitation allows the attacker to delete arbitrary files as SYSTEM. This can be leveraged to escalate privileges and execute arbitrary code in the context of SYSTEM, resulting in full compromise of the affected system. The CVSS score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) [1].

Mitigation

As of the publication date of this CVE (2024-05-22), Avira has not released a security update to address this vulnerability. No workarounds are documented in the available reference [1]. Users are advised to monitor Avira's security advisories for a patch. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at this time.