Slovak internet security firm ESET released security fixes to address a high-severity local privilege escalation vulnerability affecting multiple products on systems running Windows 10 and later or Windows Server 2016 and above.

The flaw (CVE-2021-37852) was reported by Michael DePlante of Trend Micro’s Zero Day Initiative, and it enables attackers to escalate privileges to NT AUTHORITY\SYSTEM account rights (the highest level of privileges on a Windows system) using the Windows Antimalware Scan Interface (AMSI). AMSI was first introduced with Windows 10 Technical Preview in 2015, and it allows apps and services to request memory buffer scans from any major antivirus product installed on the system.

According to ESET, this can only be achieved after attackers gain SeImpersonatePrivilege rights, which are normally assigned to users in the local Administrators group and to the device’s local Service account so they can impersonate a client after authentication; ESET says this requirement should “limit the impact of this vulnerability.” However, ZDI’s advisory says attackers are only required to “obtain the ability to execute low-privileged code on the target system,” which matches ESET’s own CVSS severity rating, which likewise indicates that the bug can be exploited by threat actors with low privileges.

While ESET said it only found out about this bug on November 18, the disclosure timeline in ZDI’s advisory reveals that the vulnerability was reported four months earlier, on June 18, 2021.
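Because ESET ties the impact of CVE-2021-37852 to who holds SeImpersonatePrivilege, a defender’s first check is to enumerate the accounts granted that right on a host. The following PowerShell script is an added example, not code from ESET or the advisory; it assumes an elevated session (secedit exports local policy) and a throwaway path under $env:TEMP.

```powershell
# Added example: list accounts holding SeImpersonatePrivilege on this host.
# Run elevated. Exports only the User Rights Assignment area of local policy.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'   # assumed temporary path
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The exported file has a line like:
#   SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
$line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
Remove-Item $cfg -Force -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'SeImpersonatePrivilege is not assigned to any account on this host.'
    return
}

# Entries are SIDs prefixed with "*" (normal case) or bare account names.
$entries = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() } |
    Where-Object { $_ }

foreach ($entry in $entries) {
    $holder = $entry
    if ($entry.StartsWith('*')) {
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                          -ArgumentList $entry.TrimStart('*')
        try   { $holder = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $holder = "<unresolved SID $($entry.TrimStart('*'))>" }   # e.g. deleted account
    }
    # Anything beyond BUILTIN\Administrators and the built-in service accounts
    # deserves a second look, since it widens who can reach the precondition.
    [PSCustomObject]@{ Holder = $holder; RawEntry = $entry }
}
```

On a default install you should see only BUILTIN\Administrators and the NT AUTHORITY service accounts; any additional user or group listed is a candidate for least-privilege cleanup while the ESET upgrade is rolled out.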
The list of ESET products impacted by this vulnerability is quite long. All users of ESET software should upgrade as soon as possible. The antivirus maker released multiple security updates between December 8 and January 31 to address this vulnerability.

Luckily, ESET found no evidence of exploits designed to target products affected by this security bug in the wild.

“The attack surface can also be eliminated by disabling the Enable advanced scanning via AMSI option in ESET products’ Advanced setup,” ESET added. “However, ESET strongly recommends performing an upgrade to a fixed product version and only applying this workaround when the upgrade is not possible for an important reason.”