ESET has just released updates to address a local privilege escalation vulnerability discovered in all of its windows clients, which allows threat actors to escalate privileges and execute arbitrary code.
On November 18, 2021, cybersecurity experts at Zero Day Initiative (ZDI) detected and documented a vulnerability as "CVE-2021-37852," which is characterised as severe in terms of severity since it allows threat actors to exploit the AMSI scanning function.
Flaw Profile
CVE ID: CVE-2021-37852
CVSS SCORE: 7.0, (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
AFFECTED VENDORS: ESET
AFFECTED PRODUCTS: Endpoint Antivirus
DESCRIPTION: ESET Endpoint Antivirus Unnecessary Privileges Local Privilege Escalation Vulnerability.
DISCLOSURE TIMELINE: 2021-06-18 – Vulnerability reported to vendor & 2022-01-31 – Coordinated public release of advisory.
FINDING CREDIT: Michael DePlante (@izobashi) of Trend Micro’s Zero Day Initiative.
Programs Affected
All of ESET's impacted applications, along with their corresponding versions, are listed below:
ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security, and ESET Smart Security Premium from version 10.0.337.1 to 15.0.18.0
ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows from version 6.6.2046.0 to 9.0.2032.4
ESET Server Security for Microsoft Windows Server 8.0.12003.0 and 8.0.12003.1, ESET File Security for Microsoft Windows Server from version 7.0.12014.0 to 7.3.12006.0
ESET Server Security for Microsoft Azure from version 7.0.12016.1002 to 7.2.12004.1000
ESET Security for Microsoft SharePoint Server from version 7.0.15008.0 to 8.0.15004.0
ESET Mail Security for IBM Domino from version 7.0.14008.0 to 8.0.14004.0
ESET Mail Security for Microsoft Exchange Server from version 7.0.10019 to 8.0.10016.0
Here's what ESET had to say:
"An attacker with SeImpersonatePrivilege access can use the AMSI scan function to raise privileges to NT AUTHORITY SYSTEM."
By default, the local Administrators group and local device service accounts have access to SeImpersonatePrivilege. However, all of these accounts already have pretty high rights, thus the consequence of this issue is minimal.
Solutions
Furthermore, ESET has already developed a list of fixed products that are not susceptible, which is shown below:
ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security, and ESET Smart Security 15.0.19.0 (released on December 8, 2021)
ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 9.0.2032.6 and 9.0.2032.7 (released on December 16, 2021)
ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 8.0.2028.3, 8.0.2028.4, 8.0.2039.3, 8.0.2039.4, 8.0.2044.3, 8.0.2044.4, 8.1.2031.3, 8.1.2031.4, 8.1.2037.9 and 8.1.2037.10 (released on January 25, 2022)
ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 7.3.2055.0 and 7.3.2055.1 (released on January 31, 2022)
ESET Server Security for Microsoft Windows Server 8.0.12010.0 (released on December 16, 2021)
ESET File Security for Microsoft Windows Server 7.3.12008.0 (released on January 12, 2022)
ESET Security for Microsoft SharePoint Server 8.0.15006.0 (released on December 16, 2021)
ESET Security for Microsoft SharePoint Server 7.3.15002.0 (released on January 12, 2022)
ESET Mail Security for IBM Domino 8.0.14006.0 (released on December 16, 2021)
ESET Mail Security for IBM Domino 7.3.14003.0 (released on January 26, 2021)
ESET Mail Security for Microsoft Exchange Server 8.0.10018.0 (released on December 16, 2021)
ESET Mail Security for Microsoft Exchange Server 7.3.10014.0 (released on January 26, 2022)
A number of patches for this problem were previously published in December 2021, and they also released another group of fixes in January 2022 for all earlier versions of Windows products.
Aside from that, this issue may be resolved by simply deactivating the Enable advanced scanning through AMSI option in the settings, and ESET has advised customers to apply this workaround only if they are unable to install the available updates.
Comentários