Webshaun, posted August 12, 2023:

I just got an alert from Microsoft's security platform that there's a security issue with ESET Endpoint: "Fix unquoted service path for Windows services" on path C:\Program Files\ESET\ESET Security\efwd.exe.

In the registry in paths
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\efwd
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\efwd

Name: ImagePath
Value: C:\Program Files\ESET\ESET Security\efwd.exe

This should have quotes. Value should be "C:\Program Files\ESET\ESET Security\efwd.exe"

You can manually add quotes to protect yourself immediately.

Marcos (Administrators), posted August 12, 2023:

Please post a screenshot of the alert for clarification. I'll report your finding to developers; however, it's not a security issue since the said service does nothing. What matters is that it's registered in the registry.

Webshaun (Author), posted August 12, 2023:

Attached. According to Microsoft the potential risk is "An attacker can exploit this misconfiguration in order to perform path interception to gain escalation of privileges and persistency on the machine."

PuterCare, posted November 1, 2023:

I have just had some systems with ESET installed fail a Cyber Essentials Plus audit for this. Was there any update? I can fix it myself, but ideally the software would have a quoted path in the first place so there is no need for manual remediation. Thanks

Marcos (Administrators), posted November 1, 2023:

It will be fixed in Endpoint v11.

PuterCare, posted November 1, 2023:

17 minutes ago, Marcos said:
> It will be fixed in Endpoint v11.

Thanks, is there an ETA for release? I imagine I will need to fix these manually as I have a lot of CE+ audits by year end.

PuterCare, posted November 1, 2023:

Interestingly enough, I just did a clean install of EES 10.1.2058 onto a VM using the standalone downloader on the ESET site so I could edit the regkey and export for deployment, and the service is already in quotes: "C:\Program Files\ESET\ESET Security\efwd.exe"

I will check what version my endpoints are using and see if this version has fixed it. I had deployed EES to two of these systems this week from ESET Protect using the agent.

EDIT: The endpoints are on 10.1.2050, I am pushing an update now.

Edited November 1, 2023 by PuterCare

PuterCare, posted November 1, 2023:

I can confirm that pushing the update to 10.2.2058 from ESET Protect has fixed the issue. I see that EIS is also affected on v16.2.15 at least.

itman, posted November 1, 2023:

2 hours ago, PuterCare said:
> I see that EIS is also affected on v16.2.15 at least.

Confirmed on ESSP 15.2.15. If ESET is no longer using the service, it should remove all references to it from Windows.

itman, posted November 1, 2023:

Details on this vulnerability: https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths
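
An audit for the condition discussed in this thread, as an added example that is not part of the original posts and is not ESET's or Microsoft's tooling: it lists Win32 services whose ImagePath is unquoted and whose executable path contains a space. The helper name Test-UnquotedServicePath is hypothetical, and the sample values are constructed (the first two are the forms quoted in the first post).

```powershell
# Added example, not from the thread. Test-UnquotedServicePath is a hypothetical helper name.
function Test-UnquotedServicePath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    # A value that is empty or already starts with a quote is not affected.
    if ($p.Length -eq 0 -or $p.StartsWith('"')) { return $false }
    # Separate the executable from its arguments: take everything up to the first ".exe".
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }
    # Only a space inside the executable path makes the unquoted form ambiguous.
    return $exe.Contains(' ')
}

# Constructed sample values to show the classification without touching the registry.
$samples = @(
    'C:\Program Files\ESET\ESET Security\efwd.exe',      # unquoted, has spaces -> True
    '"C:\Program Files\ESET\ESET Security\efwd.exe"',    # quoted               -> False
    'C:\Windows\system32\svchost.exe -k netsvcs -p'      # spaces only in args  -> False
)
foreach ($s in $samples) { '{0,-6} {1}' -f (Test-UnquotedServicePath $s), $s }

# Audit the live registry. Only Win32 services are checked (Type bits 0x10 = own process,
# 0x20 = shared process); drivers are loaded by the kernel rather than launched as a process.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $svc = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($svc.ImagePath -and ($svc.Type -band 0x30) -and
            (Test-UnquotedServicePath $svc.ImagePath)) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $svc.ImagePath }
        }
    }
```

Any service it reports can be remediated as described in the first post, by wrapping the executable portion of ImagePath in quotes.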