JVNDB-2016-008013

Multiple ESET products for macOS vulnerable to improper server certificate verification

Multiple ESET products for macOS are vulnerable to improper server certificate verification (CWE-295).

KOBAYASHI Yasuyuki reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

ESET

• ESET Cyber Security 6.1.x to 6.3.70.1
• ESET Cyber Security Pro 6.1.x to 6.3.70.1
• ESET Endpoint Antivirus for macOS 6.0.x to 6.3.85.1
• ESET Endpoint Security for macOS 6.0.x to 6.3.85.1

A man-in-the-middle attack may allow an attacker to alter the data received by the affected products.

[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has released the following versions that address the vulnerability.

• ESET Cyber Security 6.4.128.0 (released on February 13, 2017)
  
• ESET Cyber Security Pro 6.4.128.0 (released on February 13, 2017)
  
• ESET Endpoint Antivirus for macOS 6.4.168.0 (released on February 14, 2017)
  
• ESET Endpoint Security for macOS 6.4.168.0 (released on February 14, 2017)

ESET

• ESET : [CA6333] Remote execution and privilege escalation vulnerabilities in ESET products for macOS fixed

1. No Mapping(CWE-Other) [IPA Evaluation]

1. CVE-2016-9892

1. JVN : JVN#95898697
2. National Vulnerability Database (NVD) : CVE-2016-9892

• [2017/04/10]
    Web page was published
• [2022/02/07]
    Title was modified
    Overview was modified
    CVSS Severity was modified
    Affected Products : Product was added 
    Impact was modified
    Solution was modified
    Vendor Information : Content was added
    CWE was modified
    CVE : CVE-ID was added
    References : Content was added