Update your ESET antivirus before you get attacked

Feb 28, 2017 12:37 GMT

Mac users who protect their computers with ESET's antivirus software may be in for a rude awakening: researchers have discovered a vulnerability that lets a man-in-the-middle attacker execute code remotely as root.

Google's Jason Geffner and Jan Bee, members of the company's security team, published an advisory detailing how root-level remote code execution could be achieved on a Mac by intercepting the ESET antivirus package's connection to its backend servers. From a man-in-the-middle position, the hole in the XML library could then be exploited.

"Vulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an outdated XML parsing library and do not perform proper server authentication, allowing for remote unauthenticated attackers to perform arbitrary code execution as root on vulnerable clients," the advisory reads.

The root of the problem

It turns out that esets_daemon uses an older version of POCO's XML parser library, which contains a buffer overflow bug. That same library is used to parse the license activation response, so data that comes back from the activation server is fed straight into the vulnerable parser; a crafted response can trigger the bug and gain the arbitrary code execution mentioned by the Google researchers.

Basically, they explain, when the antivirus software tries to activate its license, esets_daemon sends a request to the licensing server, but the service does not validate the web server's certificate. That leaves room for a man-in-the-middle attacker, who can intercept the request and respond using a self-signed HTTPS certificate.

Because esets_daemon then parses that response as an XML document, the attacker can supply malformed content that triggers the parser bug.
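The weak spot described above is a client that accepts whatever certificate the other end presents. The following Go program is an added example, not ESET's code or part of the Google advisory; it stands up a constructed HTTPS "backend" with a self-signed certificate (the kind a man-in-the-middle would present) and runs three clients against it: one that skips verification and so accepts the impostor, one with default verification that rejects it, and one pinned to the genuine backend certificate. The XML reply and the server are constructed for the demo.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newFakeBackend is a constructed stand-in for the licensing backend. httptest
// gives it a self-signed certificate, which is just what a man-in-the-middle
// would present; the body is a constructed, well-formed XML reply.
func newFakeBackend() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/xml")
		io.WriteString(w, `<?xml version="1.0"?><license><status>ok</status></license>`)
	}))
}

// insecureClient reproduces the weak pattern: the server certificate is never
// checked, so any certificate (self-signed, expired, wrong host) is accepted.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// verifyingClient keeps Go's default verification: the chain must lead to a
// trusted root and the hostname must match. A self-signed certificate fails.
func verifyingClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}}
}

// pinnedClient trusts exactly one certificate, the backend's own. A client whose
// backend is known in advance can verify this way without depending on the
// system trust store at all.
func pinnedClient(backendCert *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(backendCert)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
}

// fetch reports whether the TLS handshake was accepted and what body came back.
func fetch(c *http.Client, url string) (accepted bool, body string, err error) {
	resp, err := c.Get(url)
	if err != nil {
		return false, "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return true, "", err
	}
	return true, string(b), nil
}

// Result collects one run of all three clients against the fake backend.
type Result struct {
	InsecureAccepted bool   // verification disabled: impostor accepted
	DefaultAccepted  bool   // default verification: impostor rejected
	DefaultErr       error  // the x509 error the default client reports
	PinnedAccepted   bool   // pinned to the real backend cert: accepted
	PinnedBody       string // XML body received by the pinned client
}

// RunDemo starts the fake backend and exercises the three clients against it.
func RunDemo() Result {
	srv := newFakeBackend()
	defer srv.Close()
	var r Result
	r.InsecureAccepted, _, _ = fetch(insecureClient(), srv.URL)
	r.DefaultAccepted, _, r.DefaultErr = fetch(verifyingClient(), srv.URL)
	r.PinnedAccepted, r.PinnedBody, _ = fetch(pinnedClient(srv.Certificate()), srv.URL)
	return r
}

func main() {
	r := RunDemo()
	fmt.Println("no verification  accepted self-signed cert:", r.InsecureAccepted)
	fmt.Println("default verify   accepted self-signed cert:", r.DefaultAccepted, "err:", r.DefaultErr)
	fmt.Println("pinned backend   accepted self-signed cert:", r.PinnedAccepted, "body:", r.PinnedBody)
}
```

The only client that reaches the XML parser with attacker-controlled bytes is the one with verification disabled; the other two never get past the handshake, so a parser bug behind them is not reachable from the network.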

Thankfully, ESET has already issued an update; the fixed version is 6.4.168.0. If you haven't updated to it yet, do so to avoid any potential attacks.

"Working together with The Google Security Team, we issued updates on February 13th and 14th that corrected the issues before the vulnerability became public. All users with the latest version of ESET products are not vulnerable to these issues," reads an ESET statement sent to Softpedia.

"To our knowledge, no users have reported any incidents around the discoveries. In standard configurations, ESET solutions update regularly, and you should already be on the latest version. That said, we take any potential issue very seriously, and want to make sure everyone takes any and all necessary steps for maximum protection," the company said.

Updated to include ESET statement.