Headline
CVE-2022-31466: Privilege escalation vulnerability fixed in Quick Heal Total Security
Quick Heal Total Security before 12.1.1.27 has a TOCTOU race condition that leads to privilege escalation. It may follow a symlink that was created after a malware check.
Description:
A privilege escalation vulnerability was reported in Quick Heal Total Security versions prior to 12.1.1.27 that could allow an adversary to bypass Quick Heal’s self-protection.
CVSS Score: 7.3 High
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H/E:P/RL:U/RC:R
Security Impact:
Could potentially be abused to delete an arbitrary file on the system protected by self-protection.
Technical Root Cause of the vulnerability
1. Essentially a Time of Check, Time of Use (TOCTOU) issue: malware is detected first, but by the time the delete/quarantine action is performed, the file has been changed to a symlink
2. Failure to detect the symlink, so the symlink path is blindly followed while performing high-privilege actions
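The two root causes above, shown from the defensive side as an added example in POSIX terms (this is not Quick Heal's code or its fix; the function names `scan_and_pin` and `delete_pinned` and the sample paths are hypothetical). The parent directory is pinned by handle at check time, and at use time the entry's identity is re-verified without following symlinks before anything is deleted.

```python
import os
import stat

def scan_and_pin(dir_path, name):
    """Time of check: pin the parent directory and record what was scanned."""
    # O_NOFOLLOW rejects dir_path if its final component is a symlink; it does
    # not vet earlier components, so dir_path should already be a trusted path.
    dir_fd = os.open(dir_path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
        try:
            st = os.fstat(fd)  # a real scanner would read the content from fd
        finally:
            os.close(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("refusing to act on a non-regular file")
    except Exception:
        os.close(dir_fd)
        raise
    return dir_fd, (st.st_dev, st.st_ino)

def delete_pinned(dir_fd, name, identity):
    """Time of use: act only if the entry is still the object that was scanned."""
    st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
    if stat.S_ISLNK(st.st_mode) or (st.st_dev, st.st_ino) != identity:
        return False  # entry was swapped after the check: do nothing
    # Relative to the pinned handle, so re-pointing dir_path has no effect.
    os.unlink(name, dir_fd=dir_fd)
    return True

if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()  # constructed sample layout
    work = os.path.join(root, "work")
    os.mkdir(work)
    protected = os.path.join(root, "protected.txt")
    open(protected, "wb").close()
    target = os.path.join(work, "sample.bin")
    open(target, "wb").close()
    dir_fd, ident = scan_and_pin(work, "sample.bin")
    os.unlink(target)               # simulate the swap after the check
    os.symlink(protected, target)
    print(delete_pinned(dir_fd, "sample.bin", ident), os.path.exists(protected))
    os.close(dir_fd)
```

On Windows the equivalent checks are made on an open handle and also have to cover junctions and other reparse points; this sketch covers only the POSIX symlink case.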
Date of Fix Publication: March 23rd, 2021
Remediation:
Quick Heal Total Security users are recommended to upgrade to v12.1.1.27 and above.
Vulnerability Reporter: Sandeep Kumar Singh