Application Security , Governance & Risk Management , Incident & Breach Response

Eset Fixes Privilege Escalation Bug Affecting Windows Users

Firewall Service Provider Releases Updates, Says No Exploits Reported Yet
Eset Fixes Privilege Escalation Bug Affecting Windows Users
(Source: Eset Website)

Eset, an antivirus and firewall service provider, says it has patched a high-severity privilege escalation bug affecting its clients who use Windows-based systems.

See Also: Preventing Attacker Access to Legacy and other Untouchable Systems

Attackers could have exploited the vulnerability, tracked as CVE-2021-37852, to misuse its Antimalware Scan Interface under certain conditions, according to a security advisory.

The bug affects several Eset product versions, specified below, that cater to Windows-based systems, the company says, adding that products running on Windows 10 and later, or Windows Server 2016 and later, are "particularly susceptible" to the vulnerability.

There have been no reports that the flaw has been exploited so far, a company spokesperson tells Information Security Media Group.

The Vulnerability

CVE-2021-37852 is a local privilege escalation vulnerability found by Michael DePlante, a senior security researcher at Trend Micro Zero Day Initiative, or ZDI. He reported the bug to Eset on Nov. 18, 2021, according to Eset's advisory.

The vulnerability lets an "attacker who is able to get SeImpersonatePrivilege misuse the AMSI scanning feature to elevate to NT AUTHORITYSYSTEM in some cases. SeImpersonatePrivilege is by default available to the local administrators group and the device's local service accounts, which are already highly privileged and thus limit the impact of this vulnerability," Eset says in the advisory, citing the ZDI report.

According to Eset's advisory, exploitation is only possible if the attackers gain "SeImpersonatePrivilege" rights. But ZDI, in its advisory, states that an "attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability."

"The specific flaw exists within the use of named pipes. The issue results from allowing an untrusted process to impersonate the client of a pipe. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM," the ZDI advisory says.

Products Affected

Eset products affected by the vulnerability include:

  • Eset NOD32 Antivirus, Eset Internet Security, Eset Smart Security and Eset Smart Security Premium from version 10.0.337.1 to 15.0.18.0;
  • Eset Endpoint Antivirus for Windows and Eset Endpoint Security for Windows from version 6.6.2046.0 to 9.0.2032.4;
  • Eset Server Security for Microsoft Windows Server 8.0.12003.0 and 8.0.12003.1, Eset File Security for Microsoft Windows Server from version 7.0.12014.0 to 7.3.12006.0;
  • Eset Server Security for Microsoft Azure from version 7.0.12016.1002 to 7.2.12004.1000;
  • Eset Security for Microsoft SharePoint Server from version 7.0.15008.0 to 8.0.15004.0;
  • Eset Mail Security for IBM Domino from version 7.0.14008.0 to 8.0.14004.0;
  • Eset Mail Security for Microsoft Exchange Server from version 7.0.10019 to 8.0.10016.0.

Apart from these products, Eset has advised its Server Security for Microsoft Azure users to upgrade to the latest version of Eset Server Security for Microsoft Windows Server.

Workaround Available

Eset has alternatively devised a workaround to eliminate the attack surface.

The Eset spokesperson tells ISMG that "the attack surface can also be eliminated by disabling the "enable advanced scanning via AMSI" option in Eset products' advanced setup. This should only be used, however, when clients cannot upgrade their products immediately, they say.

When Security Products Have Bugs

It is assumed that cybersecurity vendors take more care to ensure their products are protected, but history has shown that is not always the case, says Chris Clements, vice president of solutions architecture firm Cerberus Sentinel.

A cyberattack targeting security products must be a part of any organization's risk management plan, he tells ISMG.

"Vulnerabilities in security products meant to keep organizations safe can be especially pernicious as they may provide threat actors with not just a means of exploiting a device but bypass the very defensive controls for protection in the process," he says.

"To protect themselves, organizations must adopt a culture of security that is tolerant of individual component failures that may lead to a breach. In this case, careful monitoring of the behavior of the device could trigger an alert of suspicious behavior, even if that behavior came from the antivirus software."


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.in, you agree to our use of cookies.