VTA-00405 – ESET Antivirus Bug Allows Attackers Gain Windows SYSTEM Privileges
Recently, ESET has released security fixes to address a high severity local privilege escalation vulnerability affecting multiple products on systems running Windows 10 and later or Windows Server 2016 and above. The flaw is tracked as CVE-2021-37852 and it enables attackers to escalate privileges to NT AUTHORITY\SYSTEM account rights (the highest level of privileges on a Windows system) using the Windows Antimalware Scan Interface (AMSI) as it allows apps and services to request memory buffer scans from any major antivirus product installed on the system. According to ESET, this can only be achieved after attackers gain SeImpersonatePrivilege rights. Normally it is assigned to users in the local Administrators group and the device’s local Service account to impersonate a client after authentication which should limit the impact of this vulnerability. However, attackers are only required to obtain the ability to execute low-privileged code on the target system then the bug can be exploited by threat actors with low privileges.
Afffected Version:
- ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security and ESET Smart Security Premium from version 10.0.337.1 to 15.0.18.0
- ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows from version 6.6.2046.0 to 9.0.2032.4
- ESET Server Security for Microsoft Windows Server 8.0.12003.0 and 8.0.12003.1, ESET File Security for Microsoft Windows Server from version 7.0.12014.0 to 7.3.12006.0
- ESET Server Security for Microsoft Azure from version 7.0.12016.1002 to 7.2.12004.1000
- ESET Security for Microsoft SharePoint Server from version 7.0.15008.0 to 8.0.15004.0
- ESET Mail Security for IBM Domino from version 7.0.14008.0 to 8.0.14004.0
- ESET Mail Security for Microsoft Exchange Server from version 7.0.10019 to 8.0.10016.0
Severity:
High
Attack Surfaces:
Supply Chain (Third-party vendors)
Tactics:
Command and Control, Execution, Privilege Escalation
Techniques:
Abuse Elevation Control Mechanism
Active Defense Tactics:
Detect, Disrupt
Active Defense Techniques:
Baseline, Security Controls, Software Manipulation
SuperPRO’s Threat Countermeasures Procedures:
1. ESET prepares the following fixed product versions that are not susceptible to the vulnerability and recommends that users upgrade to them as soon as possible ( https://support.eset.com/en/kb3748-upgrade-eset-file-security-for-microsoft-azure-to-the-latest-version-of-eset-server-security-for-microsoft-windows-server )
2. Enable auto-updates to ensure software/program is always up to date.
Are your Endpoints secured? Scan your Endpoints now:
1. Register account on Open Threat Exchange (OTX).
2. Download the OTX Endpoint Security.
3. Subscribe to Provintell-Lab’s OTX pulses.
4. Scan your endpoint for the presence of the IOCs. It’s FREE!
Contributed by: Jyao
Leave a Reply