Mac antivirus software from ESET has RCE vulnerability - patch now!
Mac antivirus software from ESET has RCE vulnerability - patch now!

Following an alert from Google's security team, antivirus maker ESET has released an advisory to its users regarding a remote code execution vulnerability in ESET Endpoint Antivirus 6 for Mac.

On 8 February, Google security duo Jason Geffner and Jan Bee alerted ESET to an issue with esets_daemon, which uses an old version of POCO's XML parser library, and is vulnerable to a well-known buffer overflow bug.

This means that it allows: “for remote unauthenticated attackers to perform arbitrary code execution as root on vulnerable clients,” meaning those without the patch.  

The library handles licence activation, amongst other things, with a request to https://edf.eset.com/edf. The crux of the issue is that any data sent back by the server can be exploited, as the XML parser bug could potentially gain arbitrary code execution as root – the user assumed by ESET's antivirus.

The man-in-the-middle attack is made possible because the daemon doesn't check ESET's licencing server certificate, allowing a malicious machine pretending to be ESET's licencing server to give the client a self-signed HTTPS certificate.

Now the attacker controls the connection, they can send malformed content to the Mac to hijack the XML parser and execute code as root.

"When ESET Endpoint Antivirus tries to activate its licence, esets_daemon sends a request to https://edf.eset.com/edf," the Googlers explain.

"The esets_daemon service does not validate the web server's certificate, so a man-in-the-middle can intercept the request and respond using a self-signed HTTPS certificate. The esets_daemon service parses the response as an XML document, thereby allowing the attacker to supply malformed content and exploit CVE-2016-0718 to achieve arbitrary code execution as root."

ESET has fixed the issue in version 6.4.168.0 and has advised users to make sure they're patched up to date to avoid any trouble. 

ESET issued an official statement saying that, “All users with the latest version of ESET products are not vulnerable to these issues. To our knowledge, no users have reported any incidents around the discoveries. In standard configurations, ESET solutions update regularly, and you should already be on the latest version.”

The company added: “we take any potential issue very seriously, and want to make sure everyone takes any and all necessary steps for maximum protection.”