Researchers have discovered a bug in ESET Endpoint Antivirus software which can be exploited to perform remote execution attacks through the root of Apple Mac systems.
This week, a security advisory published by Google Security Team’s Jason Geffner and Jan Bee revealed that ESET Endpoint Antivirus software 6 contained a critical security flaw, CVE-2016-9892, which permits attackers to attack Mac systems running the vulnerable software.
If exploited, the bug allows cyberattackers to execute code as root, of which the possibilities for damage are endless.
The problem lies within an outdated XML parsing library utilized by the software which does not perform proper server authentication checks. The esets_daemon service, which runs as root, is linked to a legacy version of the POCO XML parser library.
The library version is based on Expat 2.0.1, released in 2007, which contains a public XML parsing vulnerability — CVE-2016-0718 — that allows the execution of malicious code through malformed XML content.
When ESET Endpoint Antivirus attempts to activate its license on a PC, esets_daemon sends a request which is not validated by the web server’s certificate, which means attackers can launch a man-in-the-middle (MiTM) attack to intercept the request.
Should this prove to be successful, they can issue a self-signed HTTPS certificate, then parsed as an XML document by the service. This, in turn, gives attackers the opportunity to push through malformed content and exploit the security flaw.
Geffner and Bee provided proof of concept (PoC) instructions in the security advisory.
After the Google Security Team’s discovery in November last year, Geffner and Bee reported the problem to ESET. The security firm provided Google with a patched build to check in February this year and after confirmation that the software was no longer vulnerable released a patched version to the public, 126.96.36.199, on 21 February.
Users of ESET Endpoint Antivirus software 6 should immediately make sure their software is up-to-date to protect themselves against the exploit.
Source: SANS ISC SecNewsFeed @ March 1, 2017 at 05:00AM