Avast Antivirus’s Password Manager vulnerability – Improper Session Handling leading to Information Disclosure Advisory

Recently a vulnerability was identified within Avast Password Manager, where a user's sensitive data, including the master password, saved website passwords, credit card details, SSN/Passport/DL numbers, etc., remains accessible even after logging out of or closing the Windows desktop app.

Vulnerable Version: Avast Antivirus Windows desktop app, Build Version: 20.1.5069.562, UI Version: 1.0.460

Platform: Windows 64bit

CVSS Score: 5.5

CVSS v3.0 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Fix status: Still Open (May’20)

Disclosure date: 02 Feb, 2020

Vulnerability Description: When using the Login Password functionality, it was observed that upon login to Avast Password Manager within the Avast desktop application for Windows 10, the password is held in the process's main memory. However, when the user explicitly logs out and/or locks the vault from the Avast account, the data is not wiped from main memory. Afterwards, anyone with access to the machine is able to read the previously logged-in user's password in clear text.

Exploitability Rationale: To exploit this, the attacker needs access to the Windows machine (an Admin or Limited user can exploit this vulnerability, depending on which Windows account privilege Avast was launched under). If the user completely restarts the machine or kills the process from Task Manager, the data is wiped. It was also observed that the password within the process can be read by another Windows admin user on the same Windows machine (so a physically unlocked session is not required).

Impact Rationale: It causes loss of data confidentiality, depending on which passwords, credit card info, etc. have been saved.

Within a corporate environment, multiple admin user accounts may be present on a single Windows machine, so this could cause a loss of privacy where the passwords and other sensitive info of one admin user are accessible to another admin. Alternatively, if the victim's account is compromised, then even though the victim had logged out, it would lead to a loss of confidentiality for that user.

Steps to Reproduce:

  1. Log in as Windows user1.
  2. From Privacy > Passwords, add a login form password and also set a master password. Verify what you typed by clicking the eye icon to view it in clear text.
  3. (Optional) Log in to your Avast account to sync passwords and again click the eye icon to view the unmasked password.
  4. Sign out of the Avast account in the Windows application and lock the vault as well.
  5. Do not kill the process manually.
  6. Using Task Manager / Process Hacker 2, dump the process memory. You will notice that the plain-text password can be retrieved from this memory dump. (Optional) You can also log in as another Windows admin user and access the same process memory dump.

Temporary Workaround: Restart the Windows machine, log out of the Windows user session, or kill the application's process using Task Manager.

Recommendation for Avast developers: Run the garbage collector upon any such event, or kill the process and spawn a new one, so that the OS takes care of disposing of the old process's memory.
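As an added illustration of the fix side of this advisory (example code written for this page, not Avast's code), the block below models a hypothetical in-process vault and contrasts a "lock" that only flips a flag, which is the behaviour described above, with one that scrubs the secret buffers before returning. Garbage collection only frees memory; it does not overwrite it, so whatever lock/logout path a password manager takes, the plaintext must be explicitly zeroed. The wipe goes through a volatile function pointer so the compiler cannot optimise it away, which is the same guarantee SecureZeroMemory gives on Windows. The struct layout, function names and the "constructed-" secrets are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical vault: secrets live in fixed buffers while unlocked. */
#define SECRET_MAX 64

typedef struct {
    char master_password[SECRET_MAX];
    char site_password[SECRET_MAX];
    int unlocked;
} vault_t;

/* A memset reached through a volatile pointer cannot be elided as a
 * dead store, so the zeroing is actually emitted (cf. SecureZeroMemory,
 * explicit_bzero). */
static void *(*volatile volatile_memset)(void *, int, size_t) = memset;

static void secure_wipe(void *p, size_t n) {
    volatile_memset(p, 0, n);
}

/* Unlock: copies the secrets into the vault (stand-in for decryption). */
int vault_unlock(vault_t *v, const char *master, const char *site) {
    if (strlen(master) >= SECRET_MAX || strlen(site) >= SECRET_MAX) return -1;
    strcpy(v->master_password, master);
    strcpy(v->site_password, site);
    v->unlocked = 1;
    return 0;
}

/* Weak lock: the vault reports itself locked, but every plaintext
 * byte is still resident in process memory. */
void vault_lock_weak(vault_t *v) {
    v->unlocked = 0;
}

/* Hardened lock: scrub each secret-bearing buffer before clearing the flag. */
void vault_lock_secure(vault_t *v) {
    secure_wipe(v->master_password, sizeof v->master_password);
    secure_wipe(v->site_password, sizeof v->site_password);
    v->unlocked = 0;
}

/* Scan the vault's bytes for a secret, the way a memory-dump reviewer
 * would search for a known string. Returns 1 if found, 0 otherwise. */
int vault_memory_contains(const vault_t *v, const char *secret) {
    size_t n = strlen(secret);
    const unsigned char *base = (const unsigned char *)v;
    for (size_t i = 0; i + n <= sizeof *v; i++) {
        if (memcmp(base + i, secret, n) == 0) return 1;
    }
    return 0;
}

/* Returns 1: after a weak lock the master password is still readable. */
int demo_weak_lock_leaks(void) {
    vault_t v;
    memset(&v, 0, sizeof v);
    if (vault_unlock(&v, "constructed-master-pw", "constructed-site-pw") != 0) return -1;
    vault_lock_weak(&v);
    return vault_memory_contains(&v, "constructed-master-pw");
}

/* Returns 0: after a secure lock neither secret survives in the struct. */
int demo_secure_lock_wipes(void) {
    vault_t v;
    memset(&v, 0, sizeof v);
    if (vault_unlock(&v, "constructed-master-pw", "constructed-site-pw") != 0) return -1;
    vault_lock_secure(&v);
    return vault_memory_contains(&v, "constructed-master-pw") ||
           vault_memory_contains(&v, "constructed-site-pw");
}

int main(void) {
    printf("weak lock leaves master password in memory:   %d\n", demo_weak_lock_leaks());
    printf("secure lock leaves any secret in memory:      %d\n", demo_secure_lock_wipes());
    return 0;
}
```

The same scrub must be applied to every copy of the secret (UI text fields, clipboard buffers, temporary strings used during sync), which is why the advisory's alternative of discarding the whole process is attractive: the OS zeroes freed pages before handing them to another process, whereas a long-lived process keeps whatever it never overwrote.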

– Kartik Lalan