[CA6650] Local privilege escalation vulnerability in ESET products for macOS fixed

ESET Customer Advisory 2018-0002
January 18, 2018
Severity: Medium

Summary

ESET was made aware of a potential vulnerability in its consumer and business products for macOS that allows users with administrator rights to let ESET products execute certain files with root permissions. Upon detailed inspection, ESET identified the cause of the issue and prepared fixed products for its users to download and install.

Details

On November 17, 2017, ESET received a report stating that on a machine with an affected ESET product installed, it was possible for an attacker with administrator rights to execute a file of their choice with root permissions. This was possible because the main ESET daemon previously used symbolic links to refer to its processes located at /Applications/.esets/, which were run with root permissions.

If an attacker was logged on as a user that was a member of the “admin” group, their permissions allowed them to edit the targets of these symbolic links and thus have the daemon run a different file with root permissions.

ESET remedied this by stopping use of these symbolic links, and has prepared builds of its products that are no longer susceptible to this vulnerability.
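
The check below is an added example, not ESET's code or tooling: a Python audit that lists, for a directory from which a root daemon launches its helpers, every entry that is a symbolic link or that an account other than root could modify. The function names and the trusted_uid parameter are assumptions made for illustration; the directory to audit is passed on the command line.

```python
import os
import stat

# Write bits that let someone other than the owner change a file or directory.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def check_entry(path, trusted_uid=0):
    """Return the reasons why `path` is unsafe for a root daemon to execute."""
    reasons = []
    st = os.lstat(path)  # lstat inspects the link itself, not its target
    is_link = stat.S_ISLNK(st.st_mode)
    if is_link:
        reasons.append("symlink -> " + os.readlink(path))
    if st.st_uid != trusted_uid:
        reasons.append("owner uid %d is not %d" % (st.st_uid, trusted_uid))
    # Permission bits on a link are not meaningful on every platform: skip them.
    if not is_link and st.st_mode & WRITABLE_BY_OTHERS:
        reasons.append("group/other writable (mode %o)" % stat.S_IMODE(st.st_mode))
    return reasons


def audit_daemon_dir(directory, trusted_uid=0):
    """Map each risky path (the directory and its direct entries) to its reasons."""
    findings = {}
    entries = sorted(os.path.join(directory, n) for n in os.listdir(directory))
    for path in [directory] + entries:
        reasons = check_entry(path, trusted_uid)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit.py <directory the daemon launches helpers from>
    for path, reasons in audit_daemon_dir(sys.argv[1]).items():
        print(path + ": " + "; ".join(reasons))
```

An empty result means every direct entry is a regular file or directory owned by the trusted account and writable only by its owner; the check does not descend into subdirectories or inspect parent directories.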

To the best of our knowledge, there are no existing exploits that take advantage of this vulnerability in the wild.

Solution

ESET prepared fixed builds of its consumer and business products for macOS in a much shorter time window than the 90 days defined in the responsible disclosure principle. We recommend that users download these builds from the Download section of www.eset.com and install them.

This issue is resolved in the following builds:

  • ESET Cyber Security and ESET Cyber Security Pro 6.5.600.1 and later (released on December 21, 2017)
  • ESET Endpoint Antivirus for macOS and ESET Endpoint Security for macOS 6.5.600.1 and later (released on December 21, 2017)
  • ESET NOD32 Antivirus for Mac OS Business Edition 4.1.106.1 (released on January 11, 2018)

Affected programs and versions

  • ESET Cyber Security and ESET Cyber Security Pro 6.5.532.1 and earlier
  • ESET Endpoint Antivirus for macOS and ESET Endpoint Security for macOS 6.5.532.1 and earlier
  • ESET NOD32 Antivirus for Mac OS Business Edition 4.1.104.0 and earlier

Feedback & Support

If you have feedback or questions about this issue, please contact us using the ESET Security Forum, or via local ESET Technical Support.

Acknowledgement

ESET values the principles of responsible disclosure within the security industry, and would like to express our thanks to Shuyang Wang from Google Security Team who reported this issue.

Version log

Version 1.0 (January 18, 2018): Initial version of this document