JVNDB-2016-008013

Multiple ESET products for macOS vulnerable to improper server certificate verification

Overview

Multiple ESET products for macOS are vulnerable to improper server certificate verification (CWE-295).

KOBAYASHI Yasuyuki reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 4.8 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

ESET
  • ESET Cyber Security 6.1.x to 6.3.70.1
  • ESET Cyber Security Pro 6.1.x to 6.3.70.1
  • ESET Endpoint Antivirus for macOS 6.0.x to 6.3.85.1
  • ESET Endpoint Security for macOS 6.0.x to 6.3.85.1

Impact

A man-in-the-middle attack may allow an attacker to alter the data received by the affected products.

Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has released the following versions that address the vulnerability.

  • ESET Cyber Security 6.4.128.0 (released on February 13, 2017)
  • ESET Cyber Security Pro 6.4.128.0 (released on February 13, 2017)
  • ESET Endpoint Antivirus for macOS 6.4.168.0 (released on February 14, 2017)
  • ESET Endpoint Security for macOS 6.4.168.0 (released on February 14, 2017)

Vendor Information

ESET

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2016-9892

References

  1. JVN : JVN#95898697
  2. National Vulnerability Database (NVD) : CVE-2016-9892

Revision History

  • [2017/04/10]
      Web page was published
  • [2022/02/07]
      Title was modified
      Overview was modified
      CVSS Severity was modified
      Affected Products : Product was added
      Impact was modified
      Solution was modified
      Vendor Information : Content was added
      CWE was modified
      CVE : CVE-ID was added
      References : Content was added