CVE-2022-3368: Norton Security Advisories
A vulnerability within the Software Updater functionality of Avira Security for Windows allowed an attacker with write access to the filesystem to escalate their privileges in certain scenarios. The issue was fixed in Avira Security version 1.1.72.30556.
NLOKSA1507
Software Updater of Avira Security for Windows vulnerable to Privilege Escalation
Advisory Status
CLOSED
Summary
NortonLifeLock has released an update to address an issue that was discovered in the software updater functionality of Avira Security.
Affected Products
“Avira Security” – for Windows; up to version 1.1.71.30554
Issues
Mitigation
Upgrade Avira Security for Windows to version 1.1.72.30556. This version was released to all customers on 15 August 2022. All users received the update automatically and do not need to take any action.
Acknowledgements
Filip Dragovic
CVE-2022-3368
Severity/CVSSv3
High
Score: 7.3
Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
References
Filip Dragovic
Impact
Privilege Escalation
Description
A vulnerability within the Software Updater functionality of Avira Security for Windows allowed an attacker with write access to the filesystem to escalate their privileges in certain scenarios. The issue was fixed in Avira Security version 1.1.72.30556.
Additional Recommendations, if any:
We encourage customers to ensure their security software – as well as their tech devices – are always updated to the latest version available.
NLOKSA1506
Avira Password Manager-Browser Extensions vulnerable to Sensitive Data Leakage via Phishing
Advisory Status
CLOSED
Summary
NortonLifeLock has released an update to address an issue that was discovered in the Avira Password Manager Browser Extension.
Affected Products
Only the following software is affected:
- “Avira Password Manager” - extension for Chrome; version 2.18.4.3868
- “Avira Password Manager” - extension for MS Edge; version 2.18.4.3847
- “Avira Password Manager” - extension for Opera; version 2.18.4.3847
- “Avira Password Manager” - extension for Firefox; version 2.18.4.38471
- “Avira Password Manager” - extension for Safari; version 2.18.4
Issues
Mitigation
Upgrade the extensions to the following versions:
- “Avira Password Manager” - extension for Chrome; version 2.18.5.3877
- “Avira Password Manager” - extension for MS Edge; version 2.18.5.3877
- “Avira Password Manager” - extension for Opera; version 2.18.5.3877
- “Avira Password Manager” - extension for Firefox; version 2.18.5.38771
- “Avira Password Manager” - extension for Safari; version 2.18.5 (3877)
Users who have not disabled auto-updates receive the updated versions automatically and do not need to take any action.
Acknowledgements
Stiftung Warentest
CVE-2022-28795
Severity/CVSSv3
Critical
Score: 9.6
Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References
https://nvd.nist.gov/vuln/detail/CVE-2022-28795
Impact
Sensitive Data Leakage
Description
A vulnerability within the Avira Password Manager Browser Extensions provided a potential loophole where, if a user visited a page crafted by an attacker, the discovered vulnerability could trigger the Password Manager Extension to fill in the password field automatically. An attacker could then access this information via JavaScript. The issue was fixed with the browser extensions version 2.18.5 for Chrome, MS Edge, Opera, Firefox, and Safari.
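The advisory does not say how the extension decided when to fill or what the fix changed. As an added example (not Avira's code), the sketch below shows a generic guard a password manager can apply before auto-filling, so that a crafted page cannot obtain a stored password just by being visited. The function name, the `saved` and `ctx` fields, and the sample URLs are all hypothetical and constructed for illustration.

```javascript
// Added illustration: generic autofill guard, not taken from the Avira extension.
// shouldAutofill, saved.url and the ctx fields are hypothetical names.
function shouldAutofill(saved, ctx) {
  let savedUrl, frameUrl, topUrl;
  try {
    savedUrl = new URL(saved.url);     // URL the credential was saved for
    frameUrl = new URL(ctx.frameUrl);  // document that contains the password field
    topUrl = new URL(ctx.topUrl);      // top-level page shown in the address bar
  } catch (e) {
    return { fill: false, reason: "unparseable URL" };
  }
  // Never release a secret into a page delivered without TLS.
  if (frameUrl.protocol !== "https:") {
    return { fill: false, reason: "not https" };
  }
  // Compare full origins (scheme + host + port). Substring or prefix matching
  // on the host name would accept lookalike hosts used for phishing.
  if (frameUrl.origin !== savedUrl.origin) {
    return { fill: false, reason: "origin mismatch" };
  }
  // A legitimate login form framed by a different origin is still refused.
  if (topUrl.origin !== frameUrl.origin) {
    return { fill: false, reason: "cross-origin embedding" };
  }
  // Invisible fields are a common way to collect filled values unnoticed.
  if (!ctx.fieldVisible) {
    return { fill: false, reason: "hidden field" };
  }
  // Fill only after an explicit user action, never on page load. Assumption:
  // the caller derives this flag from a trusted event in the extension's own UI.
  if (!ctx.userInitiated) {
    return { fill: false, reason: "no user action" };
  }
  return { fill: true, reason: "ok" };
}

// Constructed sample data.
const saved = { url: "https://login.example.com/signin" };
const good = { frameUrl: "https://login.example.com/signin",
               topUrl: "https://login.example.com/signin",
               fieldVisible: true, userInitiated: true };
const lookalike = { ...good,
                    frameUrl: "https://login.example.com.attacker.test/signin",
                    topUrl: "https://login.example.com.attacker.test/signin" };
console.log(shouldAutofill(saved, good), shouldAutofill(saved, lookalike));
```

With checks like these, page script can only read a filled value on the exact origin the credential belongs to, and only after the user asked for the fill.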
Additional Recommendations, if any:
We encourage customers to ensure their security software - as well as their tech devices - are always updated to the latest version available. In addition, we encourage users to use two-factor (2FA) authentication as an additional layer of security.