ESET antivirus bug allows attackers to gain Windows SYSTEM privileges



Slovakian internet security company ESET has released security patches to address a high-severity local privilege escalation vulnerability affecting multiple products on systems running Windows 10 and later or Windows Server 2016 and later.

The flaw (CVE-2021-37852) was reported by Michael DePlante of Trend Micro's Zero Day Initiative. It allows attackers to elevate privileges to those of the NT AUTHORITY\SYSTEM account (the highest level of privilege on a Windows system) by abusing the Windows Antimalware Scan Interface (AMSI).

AMSI was first introduced with the Windows 10 Technical Preview in 2015, and it allows apps and services to request buffer scans from any major antivirus product installed on the system.
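To make the scan surface concrete, here is an added example (not ESET's or ZDI's code) of what an application does when it asks the installed antimalware provider to scan a buffer through AMSI. It uses only the documented amsi.dll exports; the app name, content label and sample inputs are arbitrary, and the second sample is the EICAR test string assembled at run time so that the script file itself does not carry the signature.

```powershell
# Added example: request a buffer scan from the installed AV via AMSI.
# P/Invoke declarations for the three documented amsi.dll exports.
$amsiApi = @'
using System;
using System.Runtime.InteropServices;
public static class AmsiNative {
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
                                            string contentName, IntPtr amsiSession, out uint result);
    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr amsiContext);
}
'@
Add-Type -TypeDefinition $amsiApi

function Invoke-AmsiScan {
    param(
        [Parameter(Mandatory)][string]$Content,
        [string]$Label = 'buffer'          # contentName shown to the provider; arbitrary
    )
    $ctx = [IntPtr]::Zero
    # 'AmsiDemo' is an assumed application name; providers may log it.
    $hr = [AmsiNative]::AmsiInitialize('AmsiDemo', [ref]$ctx)
    if ($hr -ne 0) { throw "AmsiInitialize failed: 0x$($hr.ToString('x8'))" }
    try {
        # AMSI scans raw bytes; scripting hosts usually pass UTF-16 text.
        $bytes = [System.Text.Encoding]::Unicode.GetBytes($Content)
        [uint32]$result = 0
        $hr = [AmsiNative]::AmsiScanBuffer($ctx, $bytes, [uint32]$bytes.Length,
                                           $Label, [IntPtr]::Zero, [ref]$result)
        if ($hr -ne 0) { throw "AmsiScanBuffer failed: 0x$($hr.ToString('x8'))" }
        # AMSI_RESULT: 0 = clean, 1 = not detected,
        # 16384..20479 = blocked by admin policy, >= 32768 = detected.
        $verdict = switch ($result) {
            0 { 'AMSI_RESULT_CLEAN'; break }
            1 { 'AMSI_RESULT_NOT_DETECTED'; break }
            { $_ -ge 32768 } { 'AMSI_RESULT_DETECTED'; break }
            { $_ -ge 16384 -and $_ -le 20479 } { 'AMSI_RESULT_BLOCKED_BY_ADMIN'; break }
            default { "AMSI_RESULT_$result" }
        }
        [pscustomobject]@{ Label = $Label; Raw = $result; Verdict = $verdict }
    } finally {
        # Always release the context; providers are unloaded from the process here.
        [AmsiNative]::AmsiUninitialize($ctx)
    }
}

# Constructed sample inputs: a benign string and the EICAR test string built at run time.
$benign = 'Write-Host "hello from a benign script"'
$eicar  = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'

Invoke-AmsiScan -Content $benign -Label 'benign.ps1'
Invoke-AmsiScan -Content $eicar  -Label 'eicar.ps1'
```

The point worth noticing for this bug class is that the registered AMSI provider DLL is loaded into the calling process and is invoked with whatever buffer the caller supplies, so any unprivileged process on the host can drive the AV's AMSI code path; what the provider then does with elevated components is the product's responsibility.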

According to ESET, this can only be achieved after the attackers have obtained SeImpersonatePrivilege, a right normally assigned to members of the local Administrators group and to the device's Local Service account that allows a process to impersonate a client after authentication, which should "limit the impact of this vulnerability".

However, ZDI's advisory says attackers are only required to "obtain the ability to execute low-privilege code on the target system", which matches ESET's own CVSS severity assessment, which also rates the bug as exploitable by threat actors with low privileges. In practice, SeImpersonatePrivilege is also held by the built-in service accounts (Local Service and Network Service) and therefore by many service contexts, which is why a foothold in such a service is commonly enough to satisfy this precondition.
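An added triage example (not ESET's or ZDI's code) covering the two facts a defender or pentester would check on a host before deciding whether this bug matters: whether the current token holds SeImpersonatePrivilege, and which AMSI providers are registered at all. The registry paths are the documented AMSI provider registration location; the parsing of whoami output and the object shapes are local assumptions.

```powershell
# Added example: local exposure checks for an AMSI-based local privilege escalation.

function Test-ImpersonatePrivilege {
    # whoami /priv lists every privilege in the token, held-but-disabled ones included.
    # A disabled privilege can be re-enabled by the process itself, so both states count
    # as "held" for exploitation purposes.
    $lines = whoami /priv 2>$null
    foreach ($line in $lines) {
        if ($line -match '^SeImpersonatePrivilege\s+.+\s(Enabled|Disabled)\s*$') {
            return [pscustomobject]@{ Held = $true; State = $Matches[1] }
        }
    }
    return [pscustomobject]@{ Held = $false; State = 'Absent' }
}

function Get-AmsiProvider {
    # Providers register a CLSID subkey under HKLM\SOFTWARE\Microsoft\AMSI\Providers.
    # The implementing DLL is the default value of that CLSID's InprocServer32 key,
    # which is what amsi.dll loads into the scanning process.
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem $root | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        [pscustomobject]@{
            Clsid = $clsid
            Name  = (Get-ItemProperty $_.PSPath).'(default)'
            Dll   = $dll
        }
    }
}

$priv = Test-ImpersonatePrivilege
"SeImpersonatePrivilege held: $($priv.Held) ($($priv.State))"
"Registered AMSI providers:"
Get-AmsiProvider | Format-Table -AutoSize
```

Run it as the account you are assessing (an IIS application pool identity, a service account, a standard user). A provider entry whose DLL path points into the ESET installation directory, combined with SeImpersonatePrivilege in the token, is the combination the advisory describes; the version numbers in the list below, not this script, decide whether the installed build is still vulnerable.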

While ESET said it only discovered this bug on November 18, a disclosure timeline available in ZDI’s advisory reveals that the vulnerability was reported four months earlier, on June 18, 2021.

Affected ESET products

The list of products affected by this vulnerability is quite long and includes:

  • ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security and ESET Smart Security Premium from version 10.0.337.1 to
  • ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows from version 6.6.2046.0 to 9.0.2032.4
  • ESET Server Security for Microsoft Windows Server 8.0.12003.0 and 8.0.12003.1, ESET File Security for Microsoft Windows Server from version 7.0.12014.0 to 7.3.12006.0
  • ESET Server Security for Microsoft Azure from version 7.0.12016.1002 to 7.2.12004.1000
  • ESET Security for Microsoft SharePoint Server from version 7.0.15008.0 to 8.0.15004.0
  • ESET Mail Security for IBM Domino from version 7.0.14008.0 to 8.0.14004.0
  • ESET Mail Security for Microsoft Exchange Server from version 7.0.10019 to 8.0.10016.0

Users of ESET File Security for Microsoft Azure are also advised to immediately update to the latest available version of ESET Server Security for Microsoft Windows Server, which fixes the flaw.

The antivirus maker released a series of security updates between December 8 and January 31 to address this vulnerability, with the last vulnerable product patched on the latter date.

Fortunately, ESET found no evidence of exploits designed to target products affected by this security bug in the wild.

“The attack surface can also be eliminated by disabling the Enable advanced scanning via AMSI option in the Advanced setup of ESET products,” ESET added.

“However, ESET strongly recommends upgrading to a fixed product version and applying this workaround only when the upgrade is not possible for an important reason.”
