Avira Internet Security Improper Link Resolution Vulnerability in Software Updater Component Allowing Arbitrary File Deletion

Vulnerability

A vulnerability exists in Avira Internet Security's Software Updater component, where a privileged service running as SYSTEM deletes files from the ProgramData directory without checking if the path is a symbolic link or reparse point. This flaw allows local attackers to create malicious links that redirect the deletion to arbitrary files, potentially leading to unauthorized file removals with SYSTEM privileges. Exploitation of this vulnerability could result in local privilege escalation, denial of service, or compromise of system integrity, depending on the file targeted and the system's configuration. The vulnerability affects Avira Internet Security versions through 1.1.109.1990.

Impact

Exploitation of this vulnerability allows for arbitrary file deletion with SYSTEM privileges. This could be used to escalate privileges to SYSTEM, especially on Windows versions prior to 24H2, or to cause a denial of service or system integrity compromise by targeting specific files, depending on the operating system configuration.

Reproduction

The vulnerability can be reproduced by creating a symbolic link that points to a file in the ProgramData directory. Once the link is in place, the Avira Software Updater can be triggered to run an update. During the update process, the Software Updater will follow the symbolic link and delete the file that the link points to, effectively allowing for arbitrary file deletion with SYSTEM privileges.

Remediation

Users can update to Avira Internet Security version 1.1.114.3113 or later, where this vulnerability has been fixed.
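The missing check described under Vulnerability, sketched as an added example (this is not Avira's code or its fix): a delete routine that inspects every path component with lstat and refuses to cross a symbolic link or reparse point. The function names, the temporary directory layout and the file names are constructed for illustration.

```python
import os
import stat
import tempfile

class LinkInPathError(Exception):
    """A path component is a symlink, junction or other reparse point."""

def is_link_or_reparse_point(path):
    st = os.lstat(path)  # lstat inspects the entry itself, never its target
    if stat.S_ISLNK(st.st_mode):
        return True
    # Windows: junctions and mount points are reparse points but not symlinks.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)

def safe_delete(trusted_root, relative_path):
    """Delete trusted_root/relative_path unless a component below the root is a link."""
    parts = os.path.normpath(relative_path).split(os.sep)
    if os.path.isabs(relative_path) or ".." in parts:
        raise ValueError("path must stay below the trusted root")
    current = trusted_root
    for part in parts:
        current = os.path.join(current, part)
        if is_link_or_reparse_point(current):
            raise LinkInPathError(current)
    # Check-then-delete still leaves a race window. A Windows service closes it
    # by opening the file with FILE_FLAG_OPEN_REPARSE_POINT and deleting through
    # that handle, or by impersonating the user who owns the directory.
    os.remove(current)
    return current

def demo():
    """Constructed layout: 'cache' stands in for a user-writable ProgramData folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = os.path.join(tmp, "cache"), os.path.join(tmp, "protected")
        os.makedirs(root)
        os.makedirs(outside)
        protected = os.path.join(outside, "important.cfg")
        stale = os.path.join(root, "stale.tmp")
        for p in (protected, stale):
            with open(p, "w") as f:
                f.write("x")
        os.symlink(outside, os.path.join(root, "redirect"), target_is_directory=True)
        try:
            safe_delete(root, os.path.join("redirect", "important.cfg"))
            refused = False
        except LinkInPathError:
            refused = True
        safe_delete(root, "stale.tmp")  # an ordinary file is still removed
        return refused, os.path.exists(protected), os.path.exists(stale)

if __name__ == "__main__":
    print(demo())
```

On Windows, creating the symbolic link in `demo()` needs Developer Mode or an elevated prompt; the check itself runs unchanged.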

Added: Mar 5, 2026, 3:20 PM
Updated: Mar 5, 2026, 3:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 4.2
remediation: 0.0
relevance: 3.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.