[CA6333] Remote execution and privilege escalation vulnerabilities in ESET products for macOS fixed

Summary

ESET Customer Advisory 2017-0003
February 14, 2017
Severity: Critical

ESET was made aware of potential vulnerabilities in its consumer and business products for macOS. Upon detailed inspection, ESET identified the causes of the issues and prepared fixed products for its users to download and install.

Customer Advisory

Affected programs and versions

  • XML parsing issue and SSL verification issue
    • ESET Cyber Security and ESET Cyber Security Pro 6.1.x – 6.3.70.1
    • ESET Endpoint Antivirus for macOS and ESET Endpoint Security for macOS 6.0.x – 6.3.85.1
       
  • Installation script issue
    • ESET Cyber Security and ESET Cyber Security Pro 6.0.x – 6.3.70.1
    • ESET Endpoint Antivirus for macOS and ESET Endpoint Security for macOS 6.0.x – 6.3.85.1
    • ESET NOD32 Antivirus Business Edition for macOS 4.x
       
  • Proxy listening issue
    • ESET Cyber Security and ESET Cyber Security Pro 6.0.x – 6.3.70.1
    • ESET Endpoint Antivirus for macOS and ESET Endpoint Security for macOS 6.0.x – 6.3.85.1
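
The list above can be turned into a quick "am I in a listed affected range" check. The following Python is an added example, not part of the original advisory: the product labels used as dictionary keys and the dotted-version comparison are this example's own assumptions. It only answers whether a build lies inside a range the advisory lists; a build above a range is not thereby proven fixed and must be compared against the fixed builds ESET publishes.

```python
import math

# Affected ranges exactly as listed in the advisory, inclusive on both ends.
# An "x" component is open-ended. Product labels are this example's own.
AFFECTED = {
    "ESET Cyber Security": {
        "XML parsing / SSL verification": ("6.1.x", "6.3.70.1"),
        "installation script":            ("6.0.x", "6.3.70.1"),
        "proxy listening":                ("6.0.x", "6.3.70.1"),
    },
    "ESET Endpoint (Antivirus/Security) for macOS": {
        "XML parsing / SSL verification": ("6.0.x", "6.3.85.1"),
        "installation script":            ("6.0.x", "6.3.85.1"),
        "proxy listening":                ("6.0.x", "6.3.85.1"),
    },
    "ESET NOD32 Antivirus Business Edition for macOS": {
        "installation script":            ("4.x", "4.x"),
    },
}


def parse_version(text, upper=False):
    """Turn '6.3.70.1' or '6.0.x' into a tuple that compares lexicographically.

    For a lower bound an 'x' simply ends the prefix, so '6.0.x' -> (6, 0)
    and every 6.0.* build compares >= it. For an upper bound an 'x' becomes
    +inf, so '4.x' -> (4, inf) and every 4.* build compares <= it.
    """
    parts = []
    for p in text.strip().split("."):
        if p == "x":
            if upper:
                parts.append(math.inf)
            break
        if not p.isdigit():
            raise ValueError("bad version component: %r" % p)
        parts.append(int(p))
    return tuple(parts)


def affected_issues(product, version):
    """Return the set of issue names whose listed range contains `version`.

    An empty set means the build is outside every listed range; it does
    NOT mean the build is a fixed one.
    """
    v = parse_version(version)
    hits = set()
    for issue, (low, high) in AFFECTED[product].items():
        if parse_version(low) <= v <= parse_version(high, upper=True):
            hits.add(issue)
    return hits


if __name__ == "__main__":
    for prod, ver in [("ESET Cyber Security", "6.0.5"),
                      ("ESET Cyber Security", "6.3.70.1"),
                      ("ESET NOD32 Antivirus Business Edition for macOS", "4.1.100")]:
        print(prod, ver, "->", sorted(affected_issues(prod, ver)) or "outside listed ranges")
```

Note that ESET Cyber Security 6.0.x is listed for the installation-script and proxy issues but not for the XML/SSL issue, which starts at 6.1.x; the function reflects that distinction.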

Solution

ESET has prepared fixed builds of consumer and business products for macOS and recommends that users download them from the download section of www.eset.com and install them as soon as possible.

The following builds contain the fixes:

Details

The following issues were reported to ESET, analyzed and fixed:

  • ESET products for macOS used an outdated build of a third-party XML parsing library. An attacker could create a specially crafted XML file which, when loaded by ESET's daemon, would execute the attacker's code with root privileges. ESET fixed this issue by using a patched build of the XML parsing library.
     
  • The installation wizard of ESET products for macOS executed a script located at /tmp/esets_setup.sh and loaded configuration from /tmp. Because /tmp is writable by every local user, an unprivileged user who created such files beforehand could have them loaded and executed by a subsequent installation run by a privileged user. ESET fixed this issue by no longer using a script file; instead, the installer creates a data file with the installation settings, which esets_daemon reads and interprets during its first load.
     
  • ESET products for macOS did not verify SSL certificates when communicating with ESET servers, so an attacker positioned between the product and those servers could perform a man-in-the-middle attack and forge the data the product received. ESET fixed this issue by implementing SSL certificate verification for communication with ESET servers.
     
  • Even with proxy features disabled in the product setup, the esets_proxy daemon continued to listen on 0.0.0.0:57856, that is, on all network interfaces, exposing it to connection attempts from other hosts. ESET fixed this issue by having the daemon listen on 127.0.0.1 instead of 0.0.0.0 and by closing all ports when proxy features are disabled.
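
The installation-script issue is a classic untrusted-/tmp problem: a privileged process consumes a path that any local user could have created first. The following Python is an added example, not ESET's code, showing the pre-flight check an administrator would want before running an installer as root: refuse a symlink, a non-root owner or group/world write bits on each /tmp path the installer would consume. The configuration file name used in the demo scenario is a hypothetical placeholder created in a scratch directory (the advisory does not name the configuration files), and the demo files are constructed, not captured from a real system.

```python
import os
import shutil
import stat
import tempfile


def tmp_file_risk(path):
    """Return None if `path` is absent (nothing to hijack) or trustworthy,
    otherwise a short reason why a privileged installer must not use it.

    lstat() is used deliberately so a planted symlink is seen as a symlink
    rather than as whatever it points to.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    if stat.S_ISLNK(st.st_mode):
        return "is a symlink (could redirect the installer to another file)"
    if not stat.S_ISREG(st.st_mode):
        return "is not a regular file"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable by group or others (mode %o)" % stat.S_IMODE(st.st_mode)
    if st.st_uid != 0:
        return "owned by uid %d, not root" % st.st_uid
    return None


def preflight(paths=("/tmp/esets_setup.sh",)):
    """Return {path: reason} for every path a root installer must not trust.
    An empty dict means it is safe to proceed."""
    findings = {}
    for p in paths:
        reason = tmp_file_risk(p)
        if reason:
            findings[p] = reason
    return findings


def demo_planted_files():
    """Constructed scenario standing in for /tmp: an unprivileged user has
    pre-created the setup script (world-writable) and planted a symlink
    under a hypothetical configuration file name."""
    scratch = tempfile.mkdtemp()
    try:
        planted = os.path.join(scratch, "esets_setup.sh")
        with open(planted, "w") as f:
            f.write("#!/bin/sh\n# attacker-controlled commands would go here\n")
        os.chmod(planted, 0o666)                # world-writable drop file
        link = os.path.join(scratch, "planted.cfg")   # hypothetical name
        os.symlink("/etc/passwd", link)         # redirects a naive read
        absent = os.path.join(scratch, "absent.cfg")
        return preflight((planted, link, absent))
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for path, reason in demo_planted_files().items():
        print("REFUSE", path, "->", reason)
    print("real /tmp check:", preflight() or "nothing planted")
```

Run as a whole before a privileged installation; the real fix on ESET's side (no script in /tmp at all) is the right design, and this check is only a guard for installers that still read world-writable locations.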
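
For the SSL verification issue, the following Python is an added example, not ESET's client code, placing the weak client configuration (no chain validation, no hostname check) beside the corrected one. The helper names and the HEAD-request usage function are this example's own; which trust store to use is an assumption (the system store by default, or a private CA file to pin one).

```python
import socket
import ssl


def insecure_client_context():
    """The 'before' state: any certificate is accepted, including one minted
    by a man-in-the-middle. check_hostname must be cleared before
    verify_mode, otherwise ssl raises ValueError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_client_context(cafile=None):
    """The corrected state: the chain is validated against a trust store
    (system store, or `cafile` to pin a private CA) and the server name is
    checked against the certificate's SAN/CN."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx):
    """True only when both controls that defeat a MITM are enabled."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_head(host, port, ctx, path="/"):
    """Open a TLS connection with `ctx`. With verifying_client_context() a
    forged or mismatched certificate raises ssl.SSLCertVerificationError
    instead of being silently accepted."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            req = "HEAD %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)
            tls.sendall(req.encode())
            return tls.recv(4096)


if __name__ == "__main__":
    print("insecure context verifies peer:", context_verifies_peer(insecure_client_context()))
    print("verifying context verifies peer:", context_verifies_peer(verifying_client_context()))
```

The practical caveat: a client that passes `verify_mode=CERT_REQUIRED` but leaves `check_hostname` off still accepts any certificate signed by a trusted CA, so both flags are required for the check to be meaningful.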
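
To verify the proxy listening issue on a host, run `sudo lsof -nP -iTCP:57856 -sTCP:LISTEN` and look at the bind address: `*:57856` means all interfaces, `127.0.0.1:57856` means loopback only, and no line at all is the expected state once proxy features are disabled on a fixed build. The following Python is an added example, not ESET's code, that parses lsof's listing and classifies the exposure; the sample output is constructed in lsof's column layout, not captured from a real system.

```python
WILDCARD_HOSTS = {"*", "0.0.0.0", "[::]", "::"}


def listeners(lsof_text, port):
    """Parse `lsof -nP -iTCP -sTCP:LISTEN` output and return one dict per
    socket bound to `port`; `exposed` is True when the bind address is a
    wildcard (reachable from other hosts) rather than a loopback address."""
    found = []
    for line in lsof_text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[-1] != "(LISTEN)":
            continue                      # header line or non-listening socket
        host, _, p = fields[-2].rpartition(":")
        if not p.isdigit() or int(p) != port:
            continue
        found.append({
            "command": fields[0],
            "pid": int(fields[1]),
            "user": fields[2],
            "bind": host,
            "exposed": host in WILDCARD_HOSTS,
        })
    return found


def proxy_exposure(lsof_text, port=57856):
    """'exposed' if anything on `port` listens on a wildcard address,
    'local-only' if it listens only on loopback, 'closed' if nothing listens."""
    found = listeners(lsof_text, port)
    if not found:
        return "closed"
    return "exposed" if any(f["exposed"] for f in found) else "local-only"


# Constructed samples in lsof's column layout (not real captures).
SAMPLE_BEFORE = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
esets_pro   412 root    6u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP *:57856 (LISTEN)
launchd       1 root   12u  IPv6 0x1a2b3c4d5e6f7082      0t0  TCP *:22 (LISTEN)
"""

SAMPLE_AFTER = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
esets_pro   412 root    6u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP 127.0.0.1:57856 (LISTEN)
"""

SAMPLE_DISABLED = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd       1 root   12u  IPv6 0x1a2b3c4d5e6f7082      0t0  TCP *:22 (LISTEN)
"""


if __name__ == "__main__":
    import subprocess
    for label, text in [("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER),
                        ("disabled", SAMPLE_DISABLED)]:
        print(label, "->", proxy_exposure(text))
    try:   # live check on the current host; requires lsof (and usually sudo)
        live = subprocess.run(["lsof", "-nP", "-iTCP:57856", "-sTCP:LISTEN"],
                              capture_output=True, text=True).stdout
        print("this host ->", proxy_exposure(live))
    except FileNotFoundError:
        print("lsof not available on this host")
```

A 'local-only' result still means the daemon is reachable by any local process, which is why the fix also closes the port when proxy features are disabled.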

To the best of our knowledge, there are no exploits taking advantage of these vulnerabilities in the wild.
 

Feedback & Support

If you have feedback or questions about this issue, please contact us using the ESET Security Forum, or via local ESET Support.
 

Acknowledgement

ESET values the principles of responsible disclosure within the security industry and would like to hereby express thanks to Jan Bee and Jason Geffner of The Google Security Team who reported these issues.
 

Version log

Version 1.0 (February 14, 2017): Initial version of this document