Jump to content

CVE-2021-37852


Recommended Posts

I saw on the changelog of ESET Server Security 8.0.12010.0 that a security vulnerability was fixed, but I cannot find any info about it (how critical, etc..)

Can we have info about this CVE-2021-37852 ? 

 

 

Link to comment
Share on other sites

  • Administrators
2 minutes ago, karsayor said:

Can we have info about this CVE-2021-37852 ?

Details can be disclosed only after disclosing the CVE to the public next year.

Link to comment
Share on other sites

  • 1 month later...
16 hours ago, itman said:

Thank you guys. So it means it's not that bad because it only affects administrators or service accounts by default. If someone already has admin access to a computer, elevating to SYSTEM isn't anymore useful, right ?

Of course it's best to patch asap

Link to comment
Share on other sites

Looks like this method :

image.thumb.png.d4a7108c33c7f27462c036795ecd4a50.png

is the quickest way to mitigate the threat. Of course updating endpoints is necessary.

Quick question : why did I find this information on twitter and was never warned by Eset ? Looks like a pretty serious vulnerability, worth being advertised to Eset customers.

Link to comment
Share on other sites

2 hours ago, FrenchItDirector said:

Looks like this method :

image.thumb.png.d4a7108c33c7f27462c036795ecd4a50.png

is the quickest way to mitigate the threat. Of course updating endpoints is necessary.

Quick question : why did I find this information on twitter and was never warned by Eset ? Looks like a pretty serious vulnerability, worth being advertised to Eset customers.

They emailed customers about it. You should probably verify you are on the mailing list for product updates.  

Link to comment
Share on other sites

3 hours ago, FrenchItDirector said:

Looks like this method :

image.thumb.png.d4a7108c33c7f27462c036795ecd4a50.png

is the quickest way to mitigate the threat. Of course updating endpoints is necessary.

Whereas this will mitigate the Eset AMSI vulnerability, it is far from an ideal work around. Eset uses AMSI to scan for malicious scripts. With AMSI disabled, that necessary security protection is no longer available.

Link to comment
Share on other sites

  • Administrators
5 minutes ago, itman said:

Whereas this will mitigate the Eset AMSI vulnerability, it is far from an ideal work around. Eset uses AMSI to scan for malicious scripts. With AMSI disabled, that necessary security protection is no longer available.

We released updated versions with a fix last year so users didn't have to disable the AMSI scanner to mitigate the issue. Only older versions of security products (v7/v8.x) received a hotfix this year so in case an admin had to mitigate the issue immediately, the above suggestion would work.

Link to comment
Share on other sites

On 2/1/2022 at 5:24 PM, karsayor said:

Thank you guys. So it means it's not that bad because it only affects administrators or service accounts by default. If someone already has admin access to a computer, elevating to SYSTEM isn't anymore useful, right ?

Of course it's best to patch asap

Can someone explain whats needed to exploit the issue ?

Link to comment
Share on other sites

  • ESET Moderators
22 hours ago, karsayor said:

Can someone explain whats needed to exploit the issue ?

from https://support.eset.com/en/ca8223-local-privilege-escalation-vulnerability-fixed-in-eset-products-for-windows

"an attacker who is able to get SeImpersonatePrivilege can misuse the AMSI scanning feature to elevate to NT AUTHORITY\SYSTEM in some cases. The SeImpersonatePrivilege is by default available to the local Administrators group and the device's Local Service accounts, which are already highly privileged and thus limit the impact of this vulnerability."

 

from https://www.zerodayinitiative.com/advisories/ZDI-22-148/

"This vulnerability allows local attackers to escalate privileges on affected installations of ESET Endpoint Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the use of named pipes. The issue results from allowing an untrusted process to impersonate the client of a pipe. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM."

Link to comment
Share on other sites

43 minutes ago, Peter Randziak said:

"an attacker who is able to get SeImpersonatePrivilege can misuse the AMSI scanning feature to elevate to NT AUTHORITY\SYSTEM in some cases. The SeImpersonatePrivilege is by default available to the local Administrators group and the device's Local Service accounts, which are already highly privileged and thus limit the impact of this vulnerability."

Of note here is Google ZDI states that low privileged code can be also be exploited:

Quote

However, ZDI's advisory says attackers are only required to "obtain the ability to execute low-privileged code on the target system," which matches ESET's CVSS severity rating also showing that the bug can be exploited by threat actors with low privileges.

https://www.bleepingcomputer.com/news/microsoft/eset-antivirus-bug-let-attackers-gain-windows-system-privileges/

Link to comment
Share on other sites

  • ESET Moderators
On 2/3/2022 at 12:29 PM, FrenchItDirector said:

Quick question : why did I find this information on twitter and was never warned by Eset ? Looks like a pretty serious vulnerability, worth being advertised to Eset customers.

 

On 2/3/2022 at 2:55 PM, kingoftheworld said:

They emailed customers about it. You should probably verify you are on the mailing list for product updates.  

 

Such content is covered by advisories, you may subscribe to them at https://support-feed.eset.com/advisories to be notified

Peter

Link to comment
Share on other sites

  • ESET Moderators
On 2/3/2022 at 3:55 PM, karsayor said:

Can someone explain whats needed to exploit the issue ?

Too keep it as short and easy as possible, my understanding is that the attacker would need to be able to run a code under a user with SeImpersonatePrivilege on Windows 10+ based system, with ESET security version product listed in the advisory as affected, with Enable advanced scanning via AMSI option enabled.

On 2/4/2022 at 3:21 PM, itman said:

Of note here is Google ZDI states that low privileged code can be also be exploited:

Quote

However, ZDI's advisory says attackers are only required to "obtain the ability to execute low-privileged code on the target system," which matches ESET's CVSS severity rating also showing that the bug can be exploited by threat actors with low privileges.

https://www.bleepingcomputer.com/news/microsoft/eset-antivirus-bug-let-attackers-gain-windows-system-privileges/

My understanding is that, the code would need to run under a user with "SeImpersonatePrivilege", standard users does not have it by default...

Peter

Link to comment
Share on other sites

On 2/7/2022 at 2:28 PM, Peter Randziak said:

Too keep it as short and easy as possible, my understanding is that the attacker would need to be able to run a code under a user with SeImpersonatePrivilege on Windows 10+ based system, with ESET security version product listed in the advisory as affected, with Enable advanced scanning via AMSI option enabled.

My understanding is that, the code would need to run under a user with "SeImpersonatePrivilege", standard users does not have it by default...

Peter

Thank you Peter.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...