ESET, a Slovak internet security business, has published security updates to address a high-severity local privilege escalation vulnerability that affects various products on Windows 10 and later, as well as Windows Server 2016 and later. Michael DePlante of Trend Micro’s Zero Day Initiative discovered the weakness (CVE-2021-37852), which allows attackers to elevate access to NT AUTHORITY\SYSTEM account permissions (the highest level of privileges on a Windows system) by employing the Windows Antimalware Scan Interface (AMSI).
AMSI was initially introduced in 2015 with the Windows 10 Technical Preview release. It allows programs and services to request memory buffer scans from any significant antivirus program installed on the system. According to ESET, attackers may only impersonate a client after gaining SeImpersonatePrivilege permissions, which are typically issued to users in the local Administrators group and the device’s local Service account, which must “limit the impact of this vulnerability.”
Attackers just need to “obtain the ability to execute low-privileged code on the target system,” according to ZDI’s warning, which matches ESET’s CVSS severity rating, indicating that threat actors with low privileges may exploit the defect. While ESET claims to have first learned of the flaw on November 18, the vulnerability was disclosed four months earlier, on June 18, 2021, according to a disclosure chronology included in ZDI’s alert.
This vulnerability affects a large number of products, including the following:
-
ESET NOD32 Antivirus, ESET Smart Security, ESET Internet Security, and ESET Smart Security Premium from v10.0.337.1 – v15.0.18.0
-
ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows from v6.6.2046.0 – v9.0.2032.4
-
ESET Server Security for Windows Server v8.0.12003.0 and v8.0.12003.1, ESET File Security for Windows Server from v7.0.12014.0 – v7.3.12006.0
-
ESET Server Security for Microsoft Azure from v7.0.12016.1002 – v7.2.12004.1000
-
ESET Security for Microsoft SharePoint Server from v7.0.15008.0 – v8.0.15004.0
-
ESET Mail Security for IBM Domino from v7.0.14008.0 – v8.0.14004.0
-
ESET Mail Security for Microsoft Exchange Server from v7.0.10019 – v8.0.10016.0
To resolve the vulnerability, users of ESET Server Security for Microsoft Azure are advised to upgrade ESET File Security for Microsoft Azure to the newest version of ESET Server Security for Microsoft Windows Server. Between December 8 and January 31, when it fixed the final susceptible product exposed to assaults, the antivirus maker published numerous security updates to address this vulnerability. Fortunately, ESET discovered no evidence of attacks in the wild aimed at products impacted by this security flaw.