karsayor, Posted December 22, 2021: I saw in the changelog of ESET Server Security 8.0.12010.0 that a security vulnerability was fixed, but I cannot find any info about it (how critical, etc.). Can we have info about this CVE-2021-37852?
Marcos (ESET Administrator), Posted December 22, 2021: 2 minutes ago, karsayor said: Can we have info about this CVE-2021-37852? Details can be disclosed only after disclosing the CVE to the public next year.
plex, Posted January 31, 2022: For anyone following or finding this post, more information is available here: https://support.eset.com/en/ca8223-local-privilege-escalation-vulnerability-fixed-in-eset-products-for-windows
itman, Posted February 1, 2022: On 12/22/2021 at 5:54 AM, karsayor said: Can we have info about this CVE-2021-37852? FYI: https://support.eset.com/en/ca8223-local-privilege-escalation-vulnerability-fixed-in-eset-products-for-windows?ref=esf
karsayor (Author), Posted February 1, 2022: 16 hours ago, itman said: FYI: https://support.eset.com/en/ca8223-local-privilege-escalation-vulnerability-fixed-in-eset-products-for-windows?ref=esf Thank you guys. So it means it's not that bad, because it only affects administrators or service accounts by default. If someone already has admin access to a computer, elevating to SYSTEM isn't useful anymore, right? Of course it's best to patch ASAP.
FrenchItDirector, Posted February 3, 2022: Looks like this method : is the quickest way to mitigate the threat. Of course, updating endpoints is necessary. Quick question: why did I find this information on Twitter and was never warned by ESET? Looks like a pretty serious vulnerability, worth being advertised to ESET customers.
kingoftheworld, Posted February 3, 2022: 2 hours ago, FrenchItDirector said: Looks like this method : is the quickest way to mitigate the threat. Of course, updating endpoints is necessary. Quick question: why did I find this information on Twitter and was never warned by ESET? Looks like a pretty serious vulnerability, worth being advertised to ESET customers. They emailed customers about it. You should probably verify you are on the mailing list for product updates.
itman, Posted February 3, 2022: 3 hours ago, FrenchItDirector said: Looks like this method : is the quickest way to mitigate the threat. Of course, updating endpoints is necessary. Whereas this will mitigate the ESET AMSI vulnerability, it is far from an ideal workaround. ESET uses AMSI to scan for malicious scripts. With AMSI disabled, that necessary security protection is no longer available.
Marcos (ESET Administrator), Posted February 3, 2022: 5 minutes ago, itman said: Whereas this will mitigate the ESET AMSI vulnerability, it is far from an ideal workaround. ESET uses AMSI to scan for malicious scripts. With AMSI disabled, that necessary security protection is no longer available. We released updated versions with a fix last year, so users didn't have to disable the AMSI scanner to mitigate the issue. Only older versions of security products (v7/v8.x) received a hotfix this year, so in case an admin had to mitigate the issue immediately, the above suggestion would work.
karsayor (Author), Posted February 3, 2022: On 2/1/2022 at 5:24 PM, karsayor said: Thank you guys. So it means it's not that bad, because it only affects administrators or service accounts by default. If someone already has admin access to a computer, elevating to SYSTEM isn't useful anymore, right? Of course it's best to patch ASAP. Can someone explain what's needed to exploit the issue?
Peter Randziak (ESET Moderator), Posted February 4, 2022: 22 hours ago, karsayor said: Can someone explain what's needed to exploit the issue? From https://support.eset.com/en/ca8223-local-privilege-escalation-vulnerability-fixed-in-eset-products-for-windows: "an attacker who is able to get SeImpersonatePrivilege can misuse the AMSI scanning feature to elevate to NT AUTHORITY\SYSTEM in some cases. The SeImpersonatePrivilege is by default available to the local Administrators group and the device's Local Service accounts, which are already highly privileged and thus limit the impact of this vulnerability." From https://www.zerodayinitiative.com/advisories/ZDI-22-148/: "This vulnerability allows local attackers to escalate privileges on affected installations of ESET Endpoint Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the use of named pipes. The issue results from allowing an untrusted process to impersonate the client of a pipe. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM."
itman, Posted February 4, 2022: 43 minutes ago, Peter Randziak said: "an attacker who is able to get SeImpersonatePrivilege can misuse the AMSI scanning feature to elevate to NT AUTHORITY\SYSTEM in some cases. The SeImpersonatePrivilege is by default available to the local Administrators group and the device's Local Service accounts, which are already highly privileged and thus limit the impact of this vulnerability." Of note here is that Google ZDI states that low-privileged code can also be exploited: Quote: However, ZDI's advisory says attackers are only required to "obtain the ability to execute low-privileged code on the target system," which matches ESET's CVSS severity rating also showing that the bug can be exploited by threat actors with low privileges. https://www.bleepingcomputer.com/news/microsoft/eset-antivirus-bug-let-attackers-gain-windows-system-privileges/
Peter Randziak (ESET Moderator), Posted February 7, 2022: On 2/3/2022 at 12:29 PM, FrenchItDirector said: Quick question: why did I find this information on Twitter and was never warned by ESET? Looks like a pretty serious vulnerability, worth being advertised to ESET customers. On 2/3/2022 at 2:55 PM, kingoftheworld said: They emailed customers about it. You should probably verify you are on the mailing list for product updates. Such content is covered by advisories; you may subscribe to them at https://support-feed.eset.com/advisories to be notified. Peter
Peter Randziak (ESET Moderator), Posted February 7, 2022: On 2/3/2022 at 3:55 PM, karsayor said: Can someone explain what's needed to exploit the issue? To keep it as short and easy as possible, my understanding is that the attacker would need to be able to run code under a user with SeImpersonatePrivilege on a Windows 10+ based system, with an ESET security product version listed in the advisory as affected, and with the "Enable advanced scanning via AMSI" option enabled. On 2/4/2022 at 3:21 PM, itman said: Of note here is that Google ZDI states that low-privileged code can also be exploited: Quote: However, ZDI's advisory says attackers are only required to "obtain the ability to execute low-privileged code on the target system," which matches ESET's CVSS severity rating also showing that the bug can be exploited by threat actors with low privileges. https://www.bleepingcomputer.com/news/microsoft/eset-antivirus-bug-let-attackers-gain-windows-system-privileges/ My understanding is that the code would need to run under a user with "SeImpersonatePrivilege"; standard users do not have it by default... Peter
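The two preconditions discussed above (the ZDI wording "allowing an untrusted process to impersonate the client of a pipe" and Peter's point that the attacker's code must hold SeImpersonatePrivilege) can be seen directly with a small PowerShell script. This is an added example, not ESET's code and not an exploit of any ESET component: it creates a named pipe of its own (assumed name EsfDemoPipe, assumed file name PipeImpersonationDemo.ps1), checks whether the current token carries SeImpersonatePrivilege, and then either acts as a pipe server that calls RunAsClient (the .NET wrapper around ImpersonateNamedPipeClient) on whatever client connects, or as a client that connects at a chosen impersonation level.

```powershell
# Added illustration, not ESET's code: shows named-pipe client impersonation on a
# pipe of our own (assumed name EsfDemoPipe). No ESET component is involved.
# Usage (two consoles on the same Windows host):
#   console A, e.g. a standard user:  .\PipeImpersonationDemo.ps1 -Role Server
#   console B, e.g. elevated:         .\PipeImpersonationDemo.ps1 -Role Client -ClientLevel Impersonation
param(
    [ValidateSet('Server', 'Client')] [string]$Role = 'Server',
    [string]$PipeName = 'EsfDemoPipe',          # assumed pipe name for the demo
    [ValidateSet('Anonymous', 'Identification', 'Impersonation')]
    [string]$ClientLevel = 'Impersonation'      # what a careless privileged client typically uses
)

function Test-SeImpersonatePrivilege {
    # whoami /priv lists the privileges present in the current token. Presence is what
    # matters (a disabled privilege can be enabled); standard users lack it by default.
    $rows = whoami /priv /fo csv | ConvertFrom-Csv
    return [bool]($rows | Where-Object { $_.'Privilege Name' -eq 'SeImpersonatePrivilege' })
}

function Start-DemoPipeServer([string]$Name) {
    # Default DACL is enough here; the point is what happens once a more privileged client connects.
    $server = New-Object System.IO.Pipes.NamedPipeServerStream($Name, [System.IO.Pipes.PipeDirection]::InOut)
    $script:state = @{ Name = $null; Level = $null; Error = $null }
    try {
        Write-Host "Server listening on \\.\pipe\$Name as $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
        $server.WaitForConnection()
        $reader = New-Object System.IO.StreamReader($server)
        $writer = New-Object System.IO.StreamWriter($server)
        $writer.AutoFlush = $true
        # ImpersonateNamedPipeClient fails unless the server has already read from the pipe.
        $null = $reader.ReadLine()
        try {
            # RunAsClient wraps ImpersonateNamedPipeClient / RevertToSelf around the block.
            # Without SeImpersonatePrivilege on the server token, Windows downgrades a token
            # from another account to Identification level, so nothing can be done with it.
            $server.RunAsClient({
                $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
                $script:state.Name  = $id.Name
                $script:state.Level = $id.ImpersonationLevel
            })
        } catch {
            $script:state.Error = $_.Exception.Message
        }
        $writer.WriteLine('ack')   # let the client finish only after impersonation was attempted
    } finally {
        $server.Dispose()
    }
    return $script:state
}

function Send-DemoPipeRequest([string]$Name, [System.Security.Principal.TokenImpersonationLevel]$Level) {
    # The client picks the level (SECURITY_SQOS_PRESENT on CreateFile): Impersonation hands the
    # server a usable token, Identification only lets it learn who we are, Anonymous not even that.
    $client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $Name, [System.IO.Pipes.PipeDirection]::InOut, [System.IO.Pipes.PipeOptions]::None, $Level)
    try {
        $client.Connect(5000)
        $writer = New-Object System.IO.StreamWriter($client)
        $writer.AutoFlush = $true
        $reader = New-Object System.IO.StreamReader($client)
        $writer.WriteLine('scan-request')   # constructed request text; any line will do
        return $reader.ReadLine()
    } finally {
        $client.Dispose()
    }
}

switch ($Role) {
    'Server' {
        "Server token holds SeImpersonatePrivilege: $(Test-SeImpersonatePrivilege)"
        $r = Start-DemoPipeServer -Name $PipeName
        if ($r.Error) { "Impersonation failed: $($r.Error)" }
        else { "Impersonated client '$($r.Name)' at level $($r.Level)" }
    }
    'Client' {
        $level = [System.Security.Principal.TokenImpersonationLevel]$ClientLevel
        "Client connected at $level, server replied: $(Send-DemoPipeRequest -Name $PipeName -Level $level)"
    }
}
```

Run the server as the account you want to test and the client from a more privileged console. With the server holding SeImpersonatePrivilege and the client at Impersonation level, the server reports the client's account at Impersonation level, which is the token an untrusted pipe server would abuse; run the server as a plain standard user and the same connection yields only an Identification-level token, which is the reason the advisory limits the impact to accounts that already hold the privilege. The fix on the client side of such a design is the third case: a privileged component that must talk to a pipe it does not control connects with Identification (or Anonymous) level so that no server, trusted or not, receives a token it can act with.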
karsayor (Author), Posted February 9, 2022: On 2/7/2022 at 2:28 PM, Peter Randziak said: To keep it as short and easy as possible, my understanding is that the attacker would need to be able to run code under a user with SeImpersonatePrivilege on a Windows 10+ based system, with an ESET security product version listed in the advisory as affected, and with the "Enable advanced scanning via AMSI" option enabled. My understanding is that the code would need to run under a user with "SeImpersonatePrivilege"; standard users do not have it by default... Peter Thank you Peter.
FrenchItDirector, Posted February 10, 2022: Ok, thank you for your answers.