Local privilege escalation vulnerability in ESET products for macOS fixed

ESET Customer Advisory 2019-0015
September 24, 2019
Severity: High

Summary

ESET was made aware of a potential vulnerability in its consumer and business products for macOS that allows any user logged on to the system to modify the ESET product’s configuration. Upon detailed inspection, ESET identified the cause of the issue and prepared fixed products for its users to download and install.

Details

On August 27, 2019, ESET received a report stating that on a machine with the affected ESET product installed, it was possible for an attacker to misuse the communication channel between the ESET GUI and the ESET daemon to send a command to alter the configuration. This was possible due to a flaw in the process used to verify the user sending the command.

Among other modifications of the configuration, this also allowed the attacker to add a maliciously crafted task to the Scheduler that would then be run on the system with root permissions.

ESET remedied this by properly implementing the verification process and has prepared new builds of its products that are no longer susceptible to this vulnerability.

To our best knowledge, there are no existing exploits that take advantage of this vulnerability in the wild.

Solution

ESET prepared fixed builds of its consumer and business products for macOS in a much shorter window of time than the 90 days defined in the responsible disclosure principle. We recommend that users download these builds from the Download section of www.eset.com and install them.

This issue is resolved in the following builds:

  • ESET Cyber Security and ESET Cyber Security Pro 6.8.1.0 and later (released on September 24, 2019)
  • ESET Endpoint Antivirus for macOS and ESET Endpoint Security for macOS 6.8.1.0 and later (released on September 24, 2019)

Affected programs and versions

  • ESET Cyber Security and ESET Cyber Security Pro 6.7.900.0 and earlier
  • ESET Endpoint Antivirus for macOS and ESET Endpoint Security for macOS 6.7.900.0 and earlier

Feedback & Support

If you have feedback or questions about this issue, please contact us using the ESET Security Forum, or via local ESET Support.

Acknowledgment

ESET values the principles of responsible disclosure within the security industry, and would like to express our thanks to Cees Elzinga from Langkjaer Cyber Defence A/S who reported this issue.

Version log

Version 1.0 (September 24, 2019): Initial version of this document

 

Additional resources