CVE-2024-0353
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in ESET Windows products where an attacker could misuse file operations to delete files without proper permissions. It affects ESET antivirus/security software users on Windows systems. The vulnerability requires local access to exploit.
💻 Affected Systems
- ESET NOD32 Antivirus
- ESET Internet Security
- ESET Smart Security
- ESET Endpoint Security
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could delete critical system files, potentially causing system instability, data loss, or facilitating further attacks by removing security controls.
Likely Case
Local user could delete files they shouldn't have access to, potentially disrupting applications or removing security logs/evidence.
If Mitigated
With proper access controls and monitoring, impact would be limited to non-critical files accessible to the user context.
🎯 Exploit Status
Exploit requires local access and some technical knowledge. Public exploit code exists on ExploitDB and Packet Storm.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 17.2.7.0 and 18.0.12.0 (check specific product updates)
Vendor Advisory: https://support.eset.com/en/ca8612-eset-customer-advisory-link-following-local-privilege-escalation-vulnerability-in-eset-products-for-windows-fixed
Restart Required: Yes
Instructions:
1. Open ESET product. 2. Navigate to Update section. 3. Click 'Check for updates'. 4. Install all available updates. 5. Restart computer when prompted.
🔧 Temporary Workarounds
Restrict local access
windowsLimit local user access to systems running vulnerable ESET versions
Monitor file deletion events
windowsEnable auditing for file deletion events in Windows Event Log
auditpol /set /subcategory:"File System" /success:enable /failure:enable
🧯 If You Can't Patch
- Implement strict access controls to limit who has local login rights
- Enable detailed file system auditing and monitor for unauthorized file deletion attempts
🔍 How to Verify
Check if Vulnerable:
Check ESET product version in GUI (Help > About) or run 'eset' command in command promptCheck Version:
wmic product where "name like 'ESET%'" get name,versionVerify Fix Applied:
Verify ESET version is updated beyond vulnerable versions (17.2.7.0 for v17, 18.0.12.0 for v18)📡 Detection & Monitoring
Log Indicators:
- Unexpected file deletion events in Windows Security logs
- ESET service path manipulation attempts
Network Indicators:
- Local privilege escalation typically has minimal network indicators
SIEM Query:
EventID=4663 AND ObjectType="File" AND AccessMask="0x10000" (Delete access)🔗 References
- https://support.eset.com/en/ca8612-eset-customer-advisory-link-following-local-privilege-escalation-vulnerability-in-eset-products-for-windows-fixed
- https://packetstormsecurity.com/files/179495/ESET-NOD32-Antivirus-17.2.7.0-Unquoted-Service-Path.html
- https://packetstormsecurity.com/files/182464/ESET-NOD32-Antivirus-18.0.12.0-Unquoted-Service-Path.html
- https://support.eset.com/en/ca8612-eset-customer-advisory-link-following-local-privilege-escalation-vulnerability-in-eset-products-for-windows-fixed
- https://www.exploit-db.com/exploits/51351
- https://www.exploit-db.com/exploits/51964
