ESET Fixes Privilege Escalation Flaw in its Engine

ESET has released patches to address a high severity local privilege escalation vulnerability, tracked CVE-2021-37852, impacting its Windows clients. An attacker can exploit the vulnerability to misuse the AMSI scanning feature to elevate privileges in specific scenarios.

According to the researchers the attacker who can get SeImpersonatePrivilege can misuse the AMSI scanning feature to elevate to NT AUTHORITY\SYSTEM in some cases. The SeImpersonatePrivilege is by default available to the local Administrators group and the device’s Local Service accounts, which are already highly privileged and thus limit the impact of this vulnerability.

The vulnerability impacted products include multiple versions of ESET NOD32 Antivirus, Internet Security, Smart Security and Smart Security Premium, Endpoint Antivirus and Endpoint Security for Windows, Server Security and File Security for Windows Server, Server Security for Azure, Security for SharePoint Server, and Mail Security for IBM Domino and for Exchange Server. ESET released a series of patches for this issue in December 2021, and in January released fixes for older versions of the company products.

The attack surface can also be eliminated by disabling the Enable advanced scanning via AMSI option in ESET products’ Advanced setup. However, ESET strongly recommends performing an upgrade to a fixed product version and only applying this workaround when the upgrade is not possible for an important reason.

Affected Products

• ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security, and ESET Smart Security Premium from version 10.0.337.1 to 15.0.18.0
• ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows from version 6.6.2046.0 to 9.0.2032.4
• ESET Server Security for Microsoft Windows Server 8.0.12003.0 and 8.0.12003.1, ESET File Security for Microsoft Windows Server from version 7.0.12014.0 to 7.3.12006.0
• ESET Server Security for Microsoft Azure from version 7.0.12016.1002 to 7.2.12004.1000
• ESET Security for Microsoft SharePoint Server from version 7.0.15008.0 to 8.0.15004.0
• ESET Mail Security for IBM Domino from version 7.0.14008.0 to 8.0.14004.0
• ESET Mail Security for Microsoft Exchange Server from version 7.0.10019 to 8.0.10016.0

Proposed Solution

• ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security, and ESET Smart Security 15.0.19.0 (released on December 8, 2021)
• ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 9.0.2032.6 and 9.0.2032.7 (released on December 16, 2021)
• ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 8.0.2028.3, 8.0.2028.4, 8.0.2039.3, 8.0.2039.4, 8.0.2044.3, 8.0.2044.4, 8.1.2031.3, 8.1.2031.4, 8.1.2037.9 and 8.1.2037.10 (released on January 25, 2022)
• ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 7.3.2055.0 and 7.3.2055.1 (released on January 31, 2022)
• ESET Server Security for Microsoft Windows Server 8.0.12010.0 (released on December 16, 2021)
• ESET File Security for Microsoft Windows Server 7.3.12008.0 (released on January 12, 2022)
• ESET Security for Microsoft SharePoint Server 8.0.15006.0 (released on December 16, 2021)
• ESET Security for Microsoft SharePoint Server 7.3.15002.0 (released on January 12, 2022)
• ESET Mail Security for IBM Domino 8.0.14006.0 (released on December 16, 2021)
• ESET Mail Security for IBM Domino 7.3.14003.0 (released on January 26, 2021)
• ESET Mail Security for Microsoft Exchange Server 8.0.10018.0 (released on December 16, 2021)
• ESET Mail Security for Microsoft Exchange Server 7.3.10014.0 (released on January 26, 2022)