Local privilege escalation vulnerability in ESET products for macOS fixed
ESET Customer Advisory 2018-0002
January 18, 2018
ESET was made aware of a potential vulnerability in its consumer and business products for macOS that allows users with administrator rights to let ESET products execute certain files with root permissions. Upon detailed inspection, ESET identified the cause of the issue and prepared fixed products for its users to download and install.
On November 17, 2017, ESET received a report stating that on a machine with an affected ESET product installed, it was possible for an attacker with administrator rights to execute a file of their choice with root permissions. This was possible because the main ESET daemon previously used symbolic links to refer to its processes located at /Applications/.esets/, which were run with root permissions.
If an attacker was logged on as a user that was a member of the “admin” group, their permissions allowed them to edit the targets of these symbolic links and thus have the daemon run a different file with root permissions.
ESET remedied this by stopping use of these symbolic links, and has prepared builds of its products that are no longer susceptible to this vulnerability.
To our best knowledge, there are no existing exploits that take advantage of this vulnerability in the wild.
ESET prepared fixed builds of its consumer and business products for macOS in a much shorter time window than the 90 days defined in the responsible disclosure principle. We recommend that users download these builds from the Download section of www.eset.com and install them.
This issue is resolved in the following builds:
- ESET Cyber Security and ESET Cyber Security Pro 6.5.600.1 and later (released on December 21, 2017)
- ESET Endpoint Antivirus for macOS and ESET Endpoint Security for macOS 6.5.600.1 and later (released on December 21, 2017)
- ESET NOD32 Antivirus for Mac OS Business Edition 220.127.116.11 (released on January 11, 2018)
Affected programs and versions
- ESET Cyber Security and ESET Cyber Security Pro 6.5.532.1 and earlier
- ESET Endpoint Antivirus for macOS and ESET Endpoint Security for macOS 6.5.532.1 and earlier
- ESET NOD32 Antivirus for Mac OS Business Edition 18.104.22.168 and earlier
Feedback & Support
ESET values the principles of responsible disclosure within the security industry, and would like to express our thanks to Shuyang Wang from Google Security Team who reported this issue.
Version 1.0 (January 18, 2018): Initial version of this document