CVE-2021-37851
📋 TL;DR
CVE-2021-37851 is a local privilege escalation vulnerability in ESET Windows security products that allows authenticated local users to exploit the repair feature of the installer to execute arbitrary code with SYSTEM privileges. This affects multiple ESET antivirus, endpoint security, and server security products. Users with local access to affected systems can elevate their privileges to the highest level.
💻 Affected Systems
- ESET NOD32 Antivirus
- ESET Internet Security
- ESET Smart Security Premium
- ESET Endpoint Antivirus
- ESET Endpoint Security
- ESET Server Security for Microsoft Windows Server
- ESET File Security for Microsoft Windows Server
- ESET Mail Security for Microsoft Exchange Server
- ESET Mail Security for IBM Domino
- ESET Security for Microsoft SharePoint Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement capabilities.
Likely Case
Malicious insider or compromised user account escalates privileges to install malware, disable security controls, or access sensitive system resources.
If Mitigated
With proper patch management and least privilege principles, impact is limited to isolated incidents with quick detection and remediation.
🎯 Exploit Status
Exploitation requires local authenticated access. The vulnerability is in the repair functionality that runs with elevated privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ESET NOD32 Antivirus/Internet Security/Smart Security Premium: 15.1.12.0 or later; ESET Endpoint Antivirus/Security: 9.0.2046.0, 8.1.2050.0, or 8.0.2053.0 or later; ESET Server Security: 9.0.12012.0 or later; ESET File Security: version after 8.0.12013.0; ESET Mail Security for Exchange: 8.0.10020.0 or later; ESET Mail Security for Domino: 8.0.14011.0 or later; ESET Security for SharePoint: 8.0.15009.0 or later
Vendor Advisory: https://support.eset.com/en/ca8268
Restart Required: Yes
Instructions:
1. Open ESET product interface. 2. Navigate to Update section. 3. Click 'Check for updates'. 4. Install all available updates. 5. Restart the system when prompted.
🔧 Temporary Workarounds
Restrict local user access
windowsLimit local user accounts to only trusted personnel and implement least privilege principles.
Disable installer repair feature
windowsPrevent users from accessing the repair functionality through group policy or permissions.
🧯 If You Can't Patch
- Implement strict access controls and monitor for privilege escalation attempts.
- Deploy application control policies to prevent unauthorized code execution.
🔍 How to Verify
Check if Vulnerable:
Check ESET product version in the application interface or via 'eset_util /version' command.Check Version:
eset_util /versionVerify Fix Applied:
Verify version is updated to patched versions listed in vendor advisory and test repair functionality.📡 Detection & Monitoring
Log Indicators:
- Unusual process execution with SYSTEM privileges
- ESET installer repair process anomalies
- Failed privilege escalation attempts
Network Indicators:
- None - this is a local privilege escalation
SIEM Query:
EventID=4688 AND NewProcessName LIKE '%eset%' AND SubjectUserName!=SYSTEM AND TokenElevationType=%%1937