AVG Slammed For Not Patching ‘Critical Flaws’

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

AVG fixes one of four vulnerabilities in remote administration tool, but researchers who uncovered the flaws aren’t happy with the security firm

Security provider AVG has been criticised by researchers who uncovered a slew of critical flaws in its remote access software.

Four vulnerabilities were uncovered in the AVG Remote Administration tool, which is used by network administrators to install, update and configure AVG security software.

Researchers from Austria-based SEC Consult Vulnerability Lab said they had found “severe design flaws in the application as well as the proprietary protocol”.

AVG ‘too slow to respond’

One vulnerability allowed an attacker to set arbitrary configuration settings for the AVG Administration Server and trick the target server into executing what it believes are shared files. Such an attack would grant the hacker “full access on the operating system as the AVG Admin Server runs as SYSTEM”.

That was the one vulnerability AVG deemed worthy of a patch, yet the others, including an authentication bypass of the admin server and weak encryption, have been left open, according to the SEC Consult researchers.

AVG was criticised by SEC Consult for not responding quickly enough, having been initially contacted in January.

The firm’s CTO responded in March and in April said he only believed one of the four flaws was of high risk, ranking the others as medium to low risk, according to SEC Consult’s advisory. He also pointed out that the vulnerable tool was no longer sold to new customers.

The researchers suggested in their advisory disabling AVG Remote Administration entirely.

“AVG did not react in a professional way,” Johannes Greil, head of SEC Consult Vulnerability Lab, told TechWeekEurope.

“It seems their incident process for reported vulnerabilities is lacking. It took us quite some time to get a contact person as there is no security contact information online and support directed us to sales.

“As a last resort (we were already preparing an advisory release according to our responsible disclosure policy) we reached out to the CTO via LinkedIn – which is not a platform we usually use for contacting a company regarding identified vulnerabilities.

“The non-patched vulnerabilities are critical as attackers can gain access to the server with administrative access rights because password verification takes place at the client and not at the server.”
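Greil's point about where password verification happens, illustrated with an added example that is not AVG's code, SEC Consult's code or the actual AVG protocol: a hypothetical model of a remote-admin login in which the client reports its own verdict, beside the server-side check that closes the gap. The credential store, user name and password are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed credential store for the demo (hypothetical, not AVG's).
# The server keeps only a salt and a PBKDF2 hash, never the cleartext password.
def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest}

USERS = {"admin": make_record("correct horse battery staple")}  # constructed

class FlawedAdminServer:
    """Models the design the advisory criticises: the client checks the
    password locally and merely tells the server whether it succeeded."""
    def login(self, username: str, client_says_verified: bool) -> bool:
        # The server never sees a password; it trusts the client's flag,
        # so the check is only as honest as the software on the far end.
        return username in USERS and client_says_verified

class HardenedAdminServer:
    """Verification happens on the server against its own stored hash."""
    def login(self, username: str, password: str) -> bool:
        record = USERS.get(username)
        if record is None:
            # Run the KDF anyway so an unknown user is not revealed by timing.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, 100_000)
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        record["salt"], 100_000)
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(candidate, record["hash"])

def demo() -> dict:
    """Exercise both designs with a client that supplies no valid password."""
    flawed = FlawedAdminServer()
    hardened = HardenedAdminServer()
    return {
        # A client that simply reports success is granted admin on the flawed design.
        "flawed_grants_without_password": flawed.login("admin", True),
        # The hardened server decides for itself and cannot be talked into it.
        "hardened_rejects_wrong": hardened.login("admin", "not the password"),
        "hardened_rejects_unknown_user": hardened.login("nobody", "anything"),
        "hardened_accepts_correct": hardened.login("admin", "correct horse battery staple"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```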

UPDATE: AVG has issued the following statement: “AVG is aware of a report published by Sec Consult Vulnerability Lab, an independent security consulting firm. Prior to the report’s publication, we responded to Sec Consult’s claims that our AVG Remote Management product contained vulnerabilities.

“Of the alleged vulnerabilities, we concluded that only one – Remote Code Execution – required an immediate patch, which was issued on April 29. AVG has reviewed and classified the other alleged vulnerabilities as not requiring an immediate patch.

“In line with the company’s ongoing product maintenance program, these will be addressed if needed in a future update.”
