[CA6370] Local exploit of ESET daemon in ESET NOD32 Antivirus for Linux Desktop, ESET Security for Linux servers and ESET Shared Local Cache

Summary

ESET Customer Advisory 2017-0005
March 15, 2017
Severity: Critical

ESET has implemented fixes that prevent external parties from exploiting the ESET daemon, gaining undesirable access, impersonating the daemon, or preventing the ESET daemon from running, thus disabling protection in ESET NOD32 Antivirus for Linux Desktop, ESET Security for Linux servers and ESET Shared Local Cache.

Customer Advisory

Solution

Desktop products:

  • If you run ESET NOD32 Antivirus for Linux Desktop 4.0.81.0 (or earlier), please download and install the latest version 4.0.82.0 from the ESET website. If you already run the latest version 4.0.82.0, you do not need to take any steps.

Server products:

  • If you run ESET File/Mail/Gateway Security for Linux 4.5.3.0 (or earlier), please download and install the latest version 4.5.6.0 from the ESET website. If you already run version 4.5.5.0 or higher, you do not need to take any steps.
  • If you run ESET Shared Local Cache 1.0.16.0 (or earlier), please download and install the latest version 1.2.5 from the ESET website. If you already run the latest version 1.2.5, you do not need to take any steps.

Affected Programs and Versions

  • ESET NOD32 Antivirus for Linux Desktop 4.0.81.0 and earlier
  • ESET NOD32 Antivirus Business Edition for Linux Desktop 4.0.81.0 and earlier
  • ESET File/Mail/Gateway Security for Linux 4.5.3.0 and earlier
  • ESET Shared Local Cache 1.0.16.0 and earlier

Details

ESET received a report describing a vulnerability in ESET NOD32 Antivirus for Linux Desktop and ESET Security for Linux servers. This vulnerability allowed an attacker to create a program which, if run during system startup, would prevent the ESET daemon from running. It then allowed the attacker to use that program to take the place of the ESET daemon and impersonate it. ESET's scanner connected to the program impersonating the ESET daemon without verifying its privileges, effectively granting the attacker's program access to whatever the ESET daemon should have access to.

To the best of our knowledge, there are no existing exploits that take advantage of this vulnerability in the wild.

ESET addressed and fixed these issues in ESET NOD32 Antivirus for Linux Desktop 4.0.82.0, released on April 28, 2016, in ESET File/Mail/Gateway Security for Linux 4.5.5.0, released on June 21, 2016 and in ESET Shared Local Cache 1.2.5, released on March 14, 2017.
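
The missing check described above, as an added example that is not ESET's code: a Linux client that verifies who is behind a daemon socket before trusting it. The advisory does not name the IPC mechanism, so the Unix domain socket transport, the function names and the root-owned daemon (`expected_uid=0`) are assumptions.

```python
import os
import socket
import stat
import struct

# Layout of the Linux `struct ucred` returned by SO_PEERCRED: pid, uid, gid.
_UCRED = struct.Struct("3i")


def peer_credentials(sock):
    """Return (pid, uid, gid) of the process at the other end of a Unix socket."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def connect_verified(path, expected_uid=0):
    """Connect to a daemon socket only if its owner and its peer match expected_uid.

    expected_uid=0 assumes the real daemon runs as root (an assumption of
    this example, not a detail from the advisory).
    """
    # 1. The path must be a socket owned by the expected account.
    #    lstat() is used so a symlink planted at the path is not followed.
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode) or st.st_uid != expected_uid:
        raise PermissionError(f"{path}: not a socket owned by uid {expected_uid}")

    # 2. After connecting, ask the kernel who is listening. The kernel
    #    records these credentials itself; the peer cannot forge them.
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(path)
        pid, uid, _gid = peer_credentials(sock)
        if uid != expected_uid:
            raise PermissionError(
                f"peer pid {pid} runs as uid {uid}, expected {expected_uid}")
    except Exception:
        sock.close()  # never hand an unverified connection back to the caller
        raise
    return sock, pid
```

The socket's parent directory should also be writable only by the daemon's account, otherwise another user can create the socket first, which is the startup race the advisory describes.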

Acknowledgement

ESET values the principles of responsible disclosure within the security industry and would like to hereby express thanks to independent security researcher Viktor Dragomiretskyy, who found and reported this issue.

Feedback & Support

If you have feedback or questions about this issue, please contact us using the ESET Security Forum, or via local ESET Support.

Reporting security vulnerabilities to ESET

ESET welcomes reports of security vulnerabilities in its products. See http://www.eset.com/int/security-vulnerability-reporting/

Version log

Version 1.2 (March 15, 2017): Version mismatch fix (EAV for Linux)
Version 1.1 (March 15, 2017): Update of ESET website links
Version 1.0 (March 15, 2017): Initial version of this document