CVE-2018-12572: Avast Anti-Virus Local Credentials Disclosure

by CSP CERT® Vulnerability Research Team
posted January 2019

The CSP-CERT Vulnerability Research Team discovered a local credentials disclosure vulnerability in Avast Anti-Virus, specifically in versions before 19.1.2360 (build 19.1.4142.0).

Vulnerability Information

CWE-316: Cleartext Storage of Sensitive Information in Memory

Avast Anti-Virus before version 19.1.2360 (build 19.1.4142.0) exposes the credentials of the registered user as plaintext in process memory. Because the sensitive data is not cleared after the licensing login process completes, it may be written to disk (for example in a core dump) or remain readable in memory if the application crashes.
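The weakness class (CWE-316) and its usual fix, as an added C example that is not Avast code and not part of the advisory: a login routine that leaves the password in its context struct beside one that scrubs it once the login has used it, plus a check that scans the struct's memory for the cleartext secret the way a reviewer or test harness would. The credentials, the `login_ctx` struct and the helper names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample credentials (not taken from the advisory). */
#define SAMPLE_EMAIL    "user@example.invalid"
#define SAMPLE_PASSWORD "hunter2-Example!"

/* Secure zero: calling memset through a volatile function pointer keeps the
   compiler from dropping the call as a dead store, which is how a plain
   memset() before free/return often silently fails to scrub a secret. */
static void *(*volatile memset_v)(void *, int, size_t) = memset;
static void secure_zero(void *p, size_t n) { memset_v(p, 0, n); }

/* Hypothetical login context: stand-in for the state a licensing login keeps. */
struct login_ctx { char email[64]; char password[64]; };

/* Stand-in for the licensing login: copies the credentials into the context
   and would send them to the licensing server. Returns 0 on success. */
static int perform_login(struct login_ctx *ctx, const char *email, const char *pw) {
    snprintf(ctx->email, sizeof ctx->email, "%s", email);
    snprintf(ctx->password, sizeof ctx->password, "%s", pw);
    return 0;
}

/* Vulnerable pattern: the password stays in memory after login. */
static int login_leaky(struct login_ctx *ctx) {
    return perform_login(ctx, SAMPLE_EMAIL, SAMPLE_PASSWORD);
}

/* Hardened pattern: the secret is scrubbed as soon as login has used it. */
static int login_scrubbed(struct login_ctx *ctx) {
    int rc = perform_login(ctx, SAMPLE_EMAIL, SAMPLE_PASSWORD);
    secure_zero(ctx->password, sizeof ctx->password);
    return rc;
}

/* Check: does a memory region still contain the cleartext secret? */
static int region_contains(const void *region, size_t n, const char *needle) {
    size_t m = strlen(needle);
    const unsigned char *p = region;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(p + i, needle, m) == 0) return 1;
    return 0;
}

int main(void) {
    struct login_ctx a, b;
    login_leaky(&a);
    login_scrubbed(&b);
    printf("leaky login keeps password in memory: %d\n", region_contains(&a, sizeof a, SAMPLE_PASSWORD));
    printf("scrubbed login keeps password in memory: %d\n", region_contains(&b, sizeof b, SAMPLE_PASSWORD));
    return 0;
}
```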

Impact

Local users may be able to recover sensitive information in cleartext, such as the email address and password of the registered Avast user.

Mitigation

It was found that closing the main window after the user account login and opening it again clears the sensitive information from memory. However, the latest Avast update no longer stores this information, so updating to the latest version is recommended.

Vendor Information

  • Vendor: Avast
  • Date Notified: June 15, 2018
  • Public Disclosure: January 17, 2019

Credits

CSP-CERT Vulnerability Research Team

References