ESET fixed a remote code execution vulnerability affecting all but the latest version of its Endpoint Antivirus 6 for macOS, researchers said.
The vulnerability, tracked as CVE-2016-9892, exists because the esets_daemon service was statically linked against an outdated version of the POCO XML parser library, said Jason Geffner and Jan Bee of the Google Security Team, who discovered the flaw.
“This version of POCO is based on Expat (http://expat.sourceforge.net/) version 2.0.1 from 2007-06-05, which has a publicly known XML parsing vulnerability (CVE-2016-0718) that allows for arbitrary code execution via malformed XML content,” the researchers said in a blog post.
“When ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a request to https://edf.eset.com/edf. The esets_daemon service does not validate the web server’s certificate, so a man-in-the-middle can intercept the request and respond using a self-signed HTTPS certificate. The esets_daemon service parses the response as an XML document, thereby allowing the attacker to supply malformed content and exploit CVE-2016-0718 to achieve arbitrary code execution as root.”
ESET has already fixed the flaw by upgrading the POCO parsing library to the latest build and by making the software verify the ESET licensing web server’s SSL certificate on all supported OS X/macOS versions.
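As an added illustration (not ESET's code and not from the researchers' post), the snippet below shows the weak TLS client configuration the post describes beside its hardened form, plus a defensive parse of a hypothetical XML licence reply; only the endpoint URL comes from the post, and the XML element names are assumed.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Endpoint named in the researchers' post; the reply format below is assumed.
LICENSE_URL = "https://edf.eset.com/edf"


def insecure_context() -> ssl.SSLContext:
    """The 'before' state described in the post: TLS without certificate
    validation, so any server (including one presenting a self-signed
    certificate) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The fixed state: verify the chain against the system trust store
    and require the certificate to match the requested host name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Check a context the way a reviewer would: both settings must hold."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def parse_license_response(data: bytes, max_bytes: int = 64 * 1024) -> dict:
    """Parse the (assumed) XML licence reply: cap the size and reject
    anything that is not well-formed, surfacing a single error type.
    For fully untrusted XML, a hardened parser such as defusedxml is the
    usual choice; the stdlib parser is used here for a self-contained run."""
    if len(data) > max_bytes:
        raise ValueError("licence response too large")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"malformed licence response: {exc}") from exc
    return {child.tag: (child.text or "") for child in root}


def fetch_license(url: str = LICENSE_URL, timeout: float = 10.0) -> dict:
    """Activation-style request over a verified TLS channel (needs network)."""
    with urllib.request.urlopen(url, timeout=timeout, context=hardened_context()) as resp:
        return parse_license_response(resp.read())
```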
Users should upgrade to the latest version as soon as possible.