ESET Customer Advisory 2017-0005
March 15, 2017
ESET has implemented fixes that prevent external parties from exploiting the ESET daemon, gaining undesirable access, impersonating the daemon, or preventing the ESET daemon from running, thus disabling protection in ESET NOD32 Antivirus for Linux Desktop, ESET Security for Linux servers and ESET Shared Local Cache.
ESET received a report describing a vulnerability in ESET NOD32 Antivirus for Linux Desktop and ESET Security for Linux servers. This vulnerability allowed an attacker to create a program which, if run during system startup, would prevent the ESET daemon from running. The attacker could then use the program to take the place of the ESET daemon and impersonate it. ESET’s scanner connected to the program impersonating the ESET daemon without verifying its privileges, effectively granting the attacker’s program the access that the ESET daemon should have.
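The missing check described above, sketched as an added example that is not ESET's code: a client asks the kernel who owns the other end of the connection before trusting it. The advisory does not name the IPC mechanism, so this assumes a Unix domain socket on Linux; `peer_credentials`, `connect_verified` and the socket path are hypothetical names.

```python
import os
import socket
import struct
import tempfile

# Layout of Linux "struct ucred": pid, uid, gid as three native ints.
_UCRED = struct.Struct("3i")

def peer_credentials(sock):
    """Return (pid, uid, gid) the kernel recorded for the other end of a Unix socket."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)

def connect_verified(path, expected_uid=0):
    """Connect to the daemon socket; refuse to talk unless the peer runs as expected_uid."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(path)
        pid, uid, _gid = peer_credentials(sock)
        if uid != expected_uid:
            raise PermissionError(
                f"peer on {path} runs as uid {uid} (pid {pid}), expected uid {expected_uid}")
        return sock
    except BaseException:
        sock.close()  # never hand back a socket whose peer failed the check
        raise

def demo():
    """Constructed scenario: a listener owned by the current user stands in for the daemon."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "daemon.sock")  # hypothetical socket name
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(path)
        listener.listen(2)
        try:
            connect_verified(path, expected_uid=me).close()  # owner matches: accepted
            accepted = True
            try:
                connect_verified(path, expected_uid=me + 1).close()  # owner differs
                rejected = False
            except PermissionError:
                rejected = True
        finally:
            listener.close()
    return accepted, rejected

if __name__ == "__main__":
    print(demo())
```

The credentials come from the kernel, not from anything the peer sends, so a program that merely occupies the daemon's socket path cannot claim a different user ID.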
To the best of our knowledge, there are no existing exploits that take advantage of this vulnerability in the wild.
ESET addressed and fixed these issues in ESET NOD32 Antivirus for Linux Desktop 22.214.171.124, released on April 28, 2016, in ESET File/Mail/Gateway Security for Linux 126.96.36.199, released on June 21, 2016, and in ESET Shared Local Cache 1.2.5, released on March 14, 2017.
ESET values the principles of responsible disclosure within the security industry and would like to hereby express thanks to independent security researcher Viktor Dragomiretskyy, who found and reported this issue.
ESET welcomes reports of security vulnerabilities in its products. See http://www.eset.com/int/security-vulnerability-reporting/
Version 1.2 (March 15, 2017): Version mismatch fix (EAV for Linux)
Version 1.1 (March 15, 2017): Update of ESET website links
Version 1.0 (March 15, 2017): Initial version of this document