First published: Thu Aug 29 2019(Updated: )
An issue was discovered in Avira Free Security Suite 10. The permissive access rights on the SoftwareUpdater folder (files / folders and configuration) are incompatible with the privileged file manipulation performed by the product. Files can be created that can be used by an unprivileged user to obtain SYSTEM privileges. Arbitrary file creation can be achieved by abusing the SwuConfig.json file creation: an unprivileged user can replace these files by pseudo-symbolic links to arbitrary files. When an update occurs, a privileged service creates a file and sets its access rights, offering write access to the Everyone group in any directory.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Avira Free Security Suite | =2019 | |
Avira Software Updater | <=2.0.6.13175 | |
Microsoft Windows |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2019-11396 is a vulnerability discovered in Avira Free Security Suite 10 that allows unprivileged users to escalate their privileges on Windows systems.
CVE-2019-11396 impacts Avira Free Security Suite by allowing unprivileged users to create files that can be used to escalate their privileges on Windows systems.
CVE-2019-11396 has a severity rating of 7.8 (out of 10), indicating a high severity level.
Avira Free Security Suite 2019 and Avira Software Updater version 2.0.6.13175 are affected by CVE-2019-11396.
To fix CVE-2019-11396, it is recommended to update Avira Free Security Suite and Avira Software Updater to the latest versions available.