CVE-2016-9892

CWE-295Improper Certificate Validation3 documents3 sources
Severity
5.9MEDIUM
EPSS
0.2%
top 59.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Eset Endpoint AntivirusEset Endpoint Security
Timeline
PublishedMar 2
Latest updateMay 17

Description

The esets_daemon service in ESET Endpoint Antivirus for macOS before 6.4.168.0 and Endpoint Security for macOS before 6.4.168.0 does not properly verify X.509 certificates from the edf.eset.com SSL server, which allows man-in-the-middle attackers to spoof this server and provide crafted responses to license activation requests via a self-signed certificate. NOTE: this issue can be combined with CVE-2016-0718 to execute arbitrary code remotely as root.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

🔴Vulnerability Details

2
GHSA
GHSA-3cqj-j486-jhq2: The esets_daemon service in ESET Endpoint Antivirus for macOS before 62022-05-17
CVEList
CVE-2016-9892: The esets_daemon service in ESET Endpoint Antivirus for macOS before 62017-03-02
CVE-2016-9892 (MEDIUM CVSS 5.9) | The esets_daemon service in ESET En | cvebase.io