Windows: ESET virus scanners have a LPE vulnerability

Slovakian antivirus vendor ESET has issued a warning for users of its Windows products. Older versions of certain antivirus products contain a Local Privilege Escalation (LPE) vulnerability, CVE-2021-37852, which allows a local attacker to gain SYSTEM privileges from a default account. ESET now provides security updates that close the vulnerability.

In the security advisory [CA8223] Local privilege escalation vulnerability fixed in ESET products for Windows, dated January 31, 2022, ESET gives the details.

CVE-2021-37852: Local privilege escalation vulnerability

ESET was notified of a potential local privilege escalation vulnerability by the Zero Day Initiative (ZDI) on November 18, 2021. The vulnerability allows an attacker to abuse the AMSI scanning function in certain cases.

According to the Zero Day Initiative (ZDI) report, an attacker who succeeds in gaining SeImpersonatePrivilege on Windows can abuse the AMSI scanning function to gain NT AUTHORITY\SYSTEM privileges in some cases. The SeImpersonatePrivilege is available by default to the device's local administrators group and local service accounts, which are already highly privileged, limiting the impact of this vulnerability.

ZDI writes that an attacker must first gain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. It can then allow local attackers to escalate their privileges.

The specific flaw lies in the handling of named pipes: an untrusted process can impersonate the client of a pipe. An attacker can exploit this to escalate privileges and execute arbitrary code in the context of SYSTEM.


ESET analyzed and verified the report. The list of affected products can be found in the ESET alert. New builds of the affected products have been created that are not vulnerable. The attack surface can also be removed by disabling the "Enable advanced scanning via AMSI" option in the advanced settings of ESET products. ESET has reserved CVE-2021-37852 for this vulnerability.
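The two paragraphs above name a precondition (the attacker's process already holds SeImpersonatePrivilege) and a flaw (a privileged component connects to a named pipe in a way that lets the untrusted pipe server impersonate it). The following PowerShell script is an added example written for this post; it is not ESET's or ZDI's code and does not touch ESET's pipes or settings. It shows, from the defender's side, how to check whether the current token holds SeImpersonatePrivilege, and how a privileged named-pipe client can connect with an identification-level token so that whoever owns the server end can learn who connected but cannot act with the client's privileges. The pipe name used in the demo is a constructed placeholder; it assumes PowerShell 5.1 or later on Windows.

```powershell
# Added example (not ESET's or ZDI's code). Assumes Windows PowerShell 5.1+.
# The pipe name below is a constructed placeholder, not an ESET pipe name.

function Test-SeImpersonatePrivilege {
    # whoami /priv lists every privilege held by the current token, enabled or
    # not. A row for SeImpersonatePrivilege appears only if the token holds it,
    # which is the precondition the advisory describes.
    $lines = & whoami.exe /priv 2>$null
    $hit   = @($lines | Where-Object { $_ -match '^SeImpersonatePrivilege\s' })
    $state = 'n/a'
    if ($hit.Count -gt 0) {
        # Columns are separated by runs of spaces; the last column is the state.
        $state = ($hit[0] -split '\s{2,}')[-1].Trim()
    }
    [pscustomobject]@{
        Account          = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        HasSeImpersonate = ($hit.Count -gt 0)
        State            = $state
    }
}

function Connect-PipeWithoutImpersonation {
    param(
        [Parameter(Mandatory)] [string] $PipeName,
        [int] $TimeoutMs = 2000
    )
    # TokenImpersonationLevel.Identification makes .NET pass
    # SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION to CreateFile. The
    # process that owns the server end of the pipe can then identify the
    # connecting client but cannot impersonate it. Leaving the level at its
    # default does not set these flags, and Win32 then allows impersonation.
    $client = [System.IO.Pipes.NamedPipeClientStream]::new(
        '.',
        $PipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.PipeOptions]::None,
        [System.Security.Principal.TokenImpersonationLevel]::Identification)
    try {
        $client.Connect($TimeoutMs)
        return $client
    }
    catch {
        $client.Dispose()
        throw
    }
}

# Demo: report the privilege state, then attempt a hardened connection to a
# placeholder pipe. With no server listening, Connect() times out and the
# error is reported instead of leaving a half-open handle behind.
Test-SeImpersonatePrivilege | Format-List

$demoPipe = 'example-hardened-pipe'   # constructed placeholder name
try {
    $pipe = Connect-PipeWithoutImpersonation -PipeName $demoPipe -TimeoutMs 500
    "Connected to \\.\pipe\$demoPipe with an identification-level token."
    $pipe.Dispose()
}
catch {
    "No server on \\.\pipe\$demoPipe (expected in this demo): $($_.Exception.Message)"
}
```

Run the script once as a standard user and once from an elevated prompt: the first call reports HasSeImpersonate as False, the second as True, which is the distinction the advisory relies on when it says the privilege is limited to local administrators and service accounts. The client function is the pattern to look for when reviewing any privileged component that opens pipes it does not create itself; the AMSI setting mentioned in the advisory is changed in the product's own advanced settings, not by this script.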

Updates are available

ESET has released the following fixed product versions, which are not affected by the vulnerability. The vendor recommends that users update to these versions as soon as possible:

  • ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security and ESET Smart Security 15.0.19.0 (released on December 8, 2021)
  • ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 9.0.2032.6 and 9.0.2032.7 (released on December 16, 2021)
  • ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 8.0.2028.3, 8.0.2028.4, 8.0.2039.3, 8.0.2039.4, 8.0.2044.3, 8.0.2044.4, 8.1.2031.3, 8.1.2031.4, 8.1.2037.9 and 8.1.2037.10 (released on January 25, 2022)
  • ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 7.3.2055.0 and 7.3.2055.1 (released on January 31, 2022)
  • ESET Server Security for Microsoft Windows Server 8.0.12010.0 (released on December 16, 2021)
  • ESET File Security for Microsoft Windows Server 7.3.12008.0 (released on January 12, 2022)
  • ESET Security for Microsoft SharePoint Server 8.0.15006.0 (released on December 16, 2021)
  • ESET Security for Microsoft SharePoint Server 7.3.15002.0 (released on January 12, 2022)
  • ESET Mail Security for IBM Domino 8.0.14006.0 (released on December 16, 2021)
  • ESET Mail Security for IBM Domino 7.3.14003.0 (released on January 26, 2021)
  • ESET Mail Security for Microsoft Exchange Server 8.0.10018.0 (released on December 16, 2021)
  • ESET Mail Security for Microsoft Exchange Server 7.3.10014.0 (released on January 26, 2022)

Users of ESET Server Security for Microsoft Azure are advised to upgrade ESET File Security for Microsoft Azure to the latest version of ESET Server Security for Microsoft Windows Server.
