CVE-2016-9892 - Improper Certificate Validation vulnerability in Eset Endpoint Antivirus and Endpoint Security

CVSS 4.3 - MEDIUM (CVSS v2 base metrics; vector AV:N/AC:M/Au:N/C:N/I:P/A:N)
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE

Tags: network, eset, CWE-295

Summary

The esets_daemon service in ESET Endpoint Antivirus for macOS before 6.4.168.0 and Endpoint Security for macOS before 6.4.168.0 does not properly verify X.509 certificates from the edf.eset.com SSL server, which allows man-in-the-middle attackers to spoof this server and provide crafted responses to license activation requests via a self-signed certificate. NOTE: this issue can be combined with CVE-2016-0718 to execute arbitrary code remotely as root.

Vulnerable Configurations

Part         Description   Count
Application  Eset          2

Common Weakness Enumeration (CWE)

  • CWE-295: Improper Certificate Validation

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Creating a Rogue Certificate Authority Certificate
    An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).

    Note that for this CVE the rogue-CA step is not needed: as the summary states, esets_daemon accepts a self-signed certificate, so an attacker positioned on the network path needs no CA-issued certificate at all to impersonate edf.eset.com.

Packetstorm

data source: https://packetstormsecurity.com/files/download/141350/esetendpointav6-exec.txt
id: PACKETSTORM:141350
last seen: 2017-02-28
published: 2017-02-27
reporter: Jason Geffner
source: https://packetstormsecurity.com/files/141350/ESET-Endpoint-Antivirus-6-Remote-Code-Execution.html
title: ESET Endpoint Antivirus 6 Remote Code Execution

Seebug

bulletinFamily: exploit
description:

Introduction
============

Per ESET's online material, "ESET Endpoint Antivirus for OS X delivers award-winning cross-platform protection for multi-platform environments. It protects against malware and spyware and shields end users from fake websites phishing for sensitive information such as usernames, passwords or credit card details. Unauthorized devices can be blocked from the system entirely. The solution's highly intuitive interface allows for quick navigation."

Vulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an outdated XML parsing library and do not perform proper server authentication, allowing for remote unauthenticated attackers to perform arbitrary code execution as root on vulnerable clients.

Vulnerability
=============

The esets_daemon service, which runs as root, is statically linked with an outdated version of the POCO XML parser library (https://pocoproject.org/) -- version 1.4.6p1 from 2013-03-06. This version of POCO is based on Expat (http://expat.sourceforge.net/) version 2.0.1 from 2007-06-05, which has a publicly known XML parsing vulnerability (CVE-2016-0718) that allows for arbitrary code execution via malformed XML content.

When ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a request to https://edf.eset.com/edf. The esets_daemon service does not validate the web server's certificate, so a man-in-the-middle can intercept the request and respond using a self-signed HTTPS certificate. The esets_daemon service parses the response as an XML document, thereby allowing the attacker to supply malformed content and exploit CVE-2016-0718 to achieve arbitrary code execution as root.

id: SSV:92725
last seen: 2017-11-19
modified: 2017-02-28
published: 2017-02-28
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-92725
title: Remote Code Execution as Root via ESET Endpoint Antivirus 6 (CVE-2016-9892)
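The failure described in the Summary and again in the Seebug advisory text above is a TLS client that encrypts the transport but never authenticates the peer. The following is an added Python example, not ESET's code and not part of the advisory: `vulnerable_context()` reproduces that pattern (a self-signed certificate is accepted), `hardened_context()` is the corrected configuration, `audit_context()` is the check a reviewer would run over a client's TLS settings, and `expat_is_outdated()` flags a linked Expat at or below the 2.0.1 build the advisory names. The host edf.eset.com and path /edf are taken from the advisory; the function names, the use of Python's `ssl` and `http.client` modules in place of the daemon's POCO stack, and the CA-pinning option are illustrative assumptions.

```python
"""Added example for CVE-2016-9892 (not ESET's code): the weak TLS client
configuration beside the corrected one, plus the checks a reviewer would run.
Host/path come from the advisory; everything else is an assumption."""
import http.client
import ssl
import xml.parsers.expat as expat
from typing import List, Optional, Tuple

LICENSE_HOST = "edf.eset.com"  # endpoint named in the advisory
LICENSE_PATH = "/edf"          # path named in the advisory


def vulnerable_context() -> ssl.SSLContext:
    """The pattern behind the bug: TLS for transport, no peer authentication.
    Any certificate, including a self-signed one from a man-in-the-middle, passes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # chain is never validated
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Corrected configuration: chain validation against a trust store and a
    hostname check.  Passing `cafile` pins trust to one CA bundle, which is
    usually the right choice for a vendor-run endpoint (assumption, not ESET's fix)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that would let an on-path attacker with a
    self-signed certificate impersonate the server.  Empty list means OK."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid cert for another name is accepted")
    return findings


def expat_is_outdated(version: Tuple[int, int, int] = expat.version_info) -> bool:
    """True if the Expat this process links is the 2.0.1 build (or older)
    that the advisory identifies as carrying CVE-2016-0718."""
    return tuple(version) <= (2, 0, 1)


def fetch_activation_response(ctx: ssl.SSLContext, body: bytes, timeout: float = 10.0) -> bytes:
    """Send an activation request and return the raw response body.
    With vulnerable_context() the bytes returned may have come from anyone on the
    path, and the caller then hands them to an XML parser; with hardened_context()
    a spoofed server fails the handshake before any response is read."""
    conn = http.client.HTTPSConnection(LICENSE_HOST, context=ctx, timeout=timeout)
    try:
        conn.request("POST", LICENSE_PATH, body=body,
                     headers={"Content-Type": "application/xml"})
        return conn.getresponse().read()
    finally:
        conn.close()


if __name__ == "__main__":
    for name, ctx in (("vulnerable", vulnerable_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "no findings")
    print("linked expat", ".".join(map(str, expat.version_info)),
          "outdated:", expat_is_outdated())
```

Running the block offline prints the audit for both contexts and the Expat version the interpreter links; `fetch_activation_response` is shown only to mark where the context is consumed and is not called. The same two questions (is the chain validated, is the hostname checked) apply to any client that talks to a vendor licensing or update endpoint, whatever TLS library it uses.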

The Hacker News

id: THN:F95BED040A4B56A9B0A6D552DB79AEE2
last seen: 2018-01-27
modified: 2017-02-28
published: 2017-02-28
reporter: Swati Khandelwal
source: https://thehackernews.com/2017/02/eset-antivirus-mac.html
title: Critical Flaw in ESET Antivirus Exposes Mac Users to Remote Hacking