PT-2019-12281 · Avira · Avira Free Security Suite

Silton Santos · Published 2019-08-29 · Updated 2020-08-24 · CVE-2019-11396

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Avira Free Security Suite version 10

Description

An issue in Avira Free Security Suite allows unprivileged users to obtain SYSTEM privileges due to permissive access rights on the SoftwareUpdater folder. This can be exploited by creating pseudo-symbolic links to arbitrary files, which can be used to achieve arbitrary file creation when an update occurs. The privileged service sets access rights, offering write access to the Everyone group in any directory.

Recommendations

For Avira Free Security Suite version 10, consider restricting access to the SoftwareUpdater folder and its configuration files to prevent unprivileged users from replacing files with pseudo-symbolic links until a fix is available. As a temporary workaround, restrict write access to the Everyone group in any directory to minimize the risk of exploitation.
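
A defender-side audit for the two conditions described above, as an added example that is not part of the original advisory or Avira's code: it reports entries under a folder that grant the Everyone group (well-known SID S-1-1-0) write-type rights, and entries that are reparse points. The -Path value is an assumption to be supplied by the operator, since the advisory does not give the SoftwareUpdater folder's full path.

```powershell
# Added example (not from the advisory): audit a folder tree for
# Everyone-writable ACLs and reparse points (junctions / symbolic links).
param(
    # Assumption: operator supplies the SoftwareUpdater folder path;
    # the advisory does not state it.
    [Parameter(Mandatory)][string]$Path
)

# Rights that let a user create, replace, delete or re-permission content.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw generic bits: GENERIC_ALL, GENERIC_WRITE.
$mask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

$sidType = [System.Security.Principal.SecurityIdentifier]
$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    # A reparse point here means the path can redirect a privileged write.
    if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
        [pscustomobject]@{
            Finding = 'ReparsePoint'
            Path    = $item.FullName
            Detail  = $item.LinkType
        }
    }

    try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { continue }   # unreadable ACL: skip rather than abort the audit

    # Ask for SIDs so the check does not depend on a localized group name.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.IdentityReference.Value -eq 'S-1-1-0' -and
            ([int]$rule.FileSystemRights -band $mask)) {
            [pscustomobject]@{
                Finding = 'EveryoneWrite'
                Path    = $item.FullName
                Detail  = "$($rule.FileSystemRights) (inherited: $($rule.IsInherited))"
            }
        }
    }
}
```

Run it before and after tightening the ACL; an empty result means neither condition was found under the given path.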

Fix

Link Following

Weakness Enumeration

Related Identifiers

CVE-2019-11396

Affected Products

Avira Free Security Suite