On August 27, 2019, ESET received a report stating that on a machine with the affected ESET product installed, it was possible for an attacker to misuse the communication channel between the ESET GUI and the ESET daemon to send a command to alter the configuration. This was possible due to a flaw in the process used to verify the user sending the command.
Among other modifications of the configuration, this also allowed the attacker to add a maliciously crafted task to the Scheduler that would then be run on the system with root permissions.
ESET remedied this by properly implementing the verification process and has prepared new builds of its products that are no longer susceptible to this vulnerability.
To our best knowledge, there are no existing exploits that take advantage of this vulnerability in the wild.
ESET prepared fixed builds of its consumer and business products for macOS in a much shorter window of time than the 90 days defined in the responsible disclosure principle. We recommend that users download these builds from the Download section of www.eset.com and install them.
This issue is resolved in the following builds:
- ESET Cyber Security and ESET Cyber Security Pro 188.8.131.52 and later (released on September 24, 2019)
- ESET Endpoint Antivirus for macOS and ESET Endpoint Security for macOS 184.108.40.206 and later (released on September 24, 2019)
Affected programs and versions
- ESET Cyber Security and ESET Cyber Security Pro 6.7.900.0 and earlier
- ESET Endpoint Antivirus for macOS and ESET Endpoint Security for macOS 6.7.900.0 and earlier
Feedback & Support
ESET values the principles of responsible disclosure within the security industry, and would like to express our thanks to Cees Elzinga from Langkjaer Cyber Defence A/S who reported this issue.
Version 1.0 (September 24, 2019): Initial version of this document