ESET Fixes Privilege Escalation Bug Affecting Windows Users
Firewall Service Provider Releases Updates, Says No Exploits Reported Yet
ESET, an antivirus and firewall service provider, says it has patched a high-severity privilege escalation bug affecting its clients who use Windows-based systems.
The bug affects several ESET product versions, specified below, that cater to Windows-based systems, the company says, adding that products running on Windows 10 and later, or Windows Server 2016 and later, are "particularly susceptible" to the vulnerability.
There have been no reports that the flaw has been exploited so far, a company spokesperson tells Information Security Media Group.
CVE-2021-37852 is a local privilege escalation vulnerability found by Michael DePlante, a senior security researcher at Trend Micro Zero Day Initiative, or ZDI. He reported the bug to ESET on Nov. 18, 2021, according to ESET's advisory.
The vulnerability lets an "attacker who is able to get SeImpersonatePrivilege misuse the AMSI scanning feature to elevate to NT AUTHORITY\SYSTEM in some cases. SeImpersonatePrivilege is by default available to the local administrators group and the device's local service accounts, which are already highly privileged and thus limit the impact of this vulnerability," ESET says in the advisory, citing the ZDI report.
According to ESET's advisory, exploitation is only possible if the attackers gain "SeImpersonatePrivilege" rights. But ZDI, in its advisory, states that an "attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability."
"The specific flaw exists within the use of named pipes. The issue results from allowing an untrusted process to impersonate the client of a pipe. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM," the ZDI advisory says.
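The bug class ZDI describes, a privileged process connecting as a client to a pipe that an untrusted process controls, is mitigated by capping the impersonation level the client grants. The script below is an added illustration, not ESET's or ZDI's code; the pipe name is a constructed placeholder and the in-process "server" stands in for an untrusted process that has claimed that name. It shows the hardened client side: the server can identify the caller but cannot act under its token.

```powershell
# Added example: limit what a pipe server can do with a privileged client's token.
# Pipe name is a constructed placeholder, not a real ESET pipe. Windows PowerShell 5.1+.
Add-Type -AssemblyName System.Core
$pipeName = 'demo-hardened-client-pipe'

# Stand-in for an untrusted process that created the pipe first ("pipe squatting").
# A privileged process that is itself the SERVER should also create its pipe with
# FILE_FLAG_FIRST_PIPE_INSTANCE so a squatted instance causes a hard failure.
$server  = New-Object System.IO.Pipes.NamedPipeServerStream($pipeName, [System.IO.Pipes.PipeDirection]::InOut)
$pending = $server.WaitForConnectionAsync()

# Risky client: no SQOS level is requested, so the OS default (Impersonation) applies and
# whoever owns the pipe may run code as the caller.
# $client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut)

# Hardened client: request Identification explicitly. The server may learn who connected
# but ImpersonateNamedPipeClient yields only an identification-level token.
$client = New-Object System.IO.Pipes.NamedPipeClientStream(
    '.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut,
    [System.IO.Pipes.PipeOptions]::None,
    [System.Security.Principal.TokenImpersonationLevel]::Identification)
$client.Connect(5000)
$pending.Wait()

# What the (untrusted) server sees when it tries to impersonate this client.
$server.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]{
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    Write-Host ("Server impersonating {0} at level {1}" -f $id.Name, $id.ImpersonationLevel)
})

$client.Dispose()
$server.Dispose()
```

With the hardened client the reported level is Identification; switching to the commented-out constructor reports Impersonation, which is the condition the ZDI advisory describes.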
ESET products affected by the vulnerability include:
- ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security and ESET Smart Security Premium from version 10.0.337.1 to 22.214.171.124;
- ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows from version 6.6.2046.0 to 9.0.2032.4;
- ESET Server Security for Microsoft Windows Server 8.0.12003.0 and 8.0.12003.1, ESET File Security for Microsoft Windows Server from version 7.0.12014.0 to 7.3.12006.0;
- ESET Server Security for Microsoft Azure from version 7.0.12016.1002 to 7.2.12004.1000;
- ESET Security for Microsoft SharePoint Server from version 7.0.15008.0 to 8.0.15004.0;
- ESET Mail Security for IBM Domino from version 7.0.14008.0 to 8.0.14004.0;
- ESET Mail Security for Microsoft Exchange Server from version 7.0.10019 to 8.0.10016.0.
In addition, ESET has advised users of Server Security for Microsoft Azure to upgrade to the latest version of ESET Server Security for Microsoft Windows Server.
ESET has also provided a workaround that eliminates the attack surface.
The ESET spokesperson tells ISMG that "the attack surface can also be eliminated by disabling the 'enable advanced scanning via AMSI' option in ESET products' advanced setup." This should only be used, however, when clients cannot upgrade their products immediately, they say.
When Security Products Have Bugs
It is assumed that cybersecurity vendors take more care to ensure their products are protected, but history has shown that is not always the case, says Chris Clements, vice president of solutions architecture at the firm Cerberus Sentinel.
A cyberattack targeting security products must be a part of any organization's risk management plan, he tells ISMG.
"Vulnerabilities in security products meant to keep organizations safe can be especially pernicious as they may provide threat actors with not just a means of exploiting a device but bypass the very defensive controls for protection in the process," he says.
"To protect themselves, organizations must adopt a culture of security that is tolerant of individual component failures that may lead to a breach. In this case, careful monitoring of the behavior of the device could trigger an alert of suspicious behavior, even if that behavior came from the antivirus software."