PT-2023-7999 · ESET · ESET Mail Security for Microsoft Exchange Server+12

Published: 2023-12-21 · Updated: 2024-02-20 · CVE-2023-5594

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

ESET NOD32 versions (affected versions not specified)
ESET Internet Security versions (affected versions not specified)
ESET Smart Security Premium versions (affected versions not specified)
ESET Security Ultimate versions (affected versions not specified)
ESET Endpoint Antivirus for Windows versions (affected versions not specified)
ESET Endpoint Security for Windows versions (affected versions not specified)
ESET Endpoint Antivirus for Linux versions (affected versions not specified)
ESET Server Security for Windows Server versions (affected versions not specified)
ESET Mail Security for Microsoft Exchange Server versions (affected versions not specified)
ESET Mail Security for IBM Domino versions (affected versions not specified)
ESET Security for Microsoft SharePoint Server versions (affected versions not specified)
ESET File Security for Microsoft Azure versions (affected versions not specified)
ESET Server Security for Linux versions (affected versions not specified)

Description

The issue is related to improper validation of the server's certificate chain in the secure traffic scanning feature, which considers intermediate certificates signed using the MD5 or SHA1 algorithm as trusted. This could allow a remote attacker to bypass security protections, causing a browser to trust websites that should not be trusted. The vulnerability is caused by errors in the certificate authentication procedure. There have been no reported attacks exploiting this issue.

Recommendations

For all affected ESET products, updates have been automatically rolled out since November 21, and no user action is required to install the patch. As a temporary workaround, consider disabling the secure traffic scanning feature until the update is applied. Restrict access to websites with certificates signed using outdated algorithms like MD5 or SHA1 to minimize the risk of exploitation. Avoid using the secure traffic scanning feature in sensitive environments until the patch is confirmed to be installed. At the moment, there is no additional information about other mitigation measures.
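
The flaw described above comes down to accepting a chain in which an intermediate certificate carries an MD5 or SHA-1 signature. As an added example (not ESET's code and not part of the original advisory), this Python check reads the outer signatureAlgorithm OID of each DER certificate in a chain and reports the weak ones; `der`, `fake_cert` and `SAMPLE_CHAIN` are hypothetical helpers that build constructed, certificate-shaped input, not real certificates.

```python
# OID content bytes (DER) of the signature algorithms used in this example.
MD5_RSA = bytes.fromhex("2a864886f70d010104")     # md5WithRSAEncryption
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
ECDSA_SHA1 = bytes.fromhex("2a8648ce3d0401")      # ecdsa-with-SHA1
WEAK_SIG_OIDS = {MD5_RSA: "md5WithRSAEncryption", SHA1_RSA: "sha1WithRSAEncryption",
                 ECDSA_SHA1: "ecdsa-with-SHA1"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def signature_oid(cert_der):
    """Outer signatureAlgorithm OID of an X.509 certificate (RFC 5280 layout)."""
    tag, cert, _ = read_tlv(cert_der, 0)     # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)            # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)          # signatureAlgorithm SEQUENCE
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm has no OID")
    return oid

def weak_links(chain):
    """(index, algorithm) for each certificate in chain signed with MD5 or SHA-1."""
    oids = [signature_oid(c) for c in chain]
    return [(i, WEAK_SIG_OIDS[o]) for i, o in enumerate(oids) if o in WEAK_SIG_OIDS]

# --- Constructed sample input: certificate-shaped DER skeletons, not real certificates ---
def der(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value
def fake_cert(sig_oid):
    tbs = der(0x30, b"\x02\x01\x01" * 50)    # placeholder body with a long-form length
    alg = der(0x30, der(0x06, sig_oid) + b"\x05\x00")
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xaa" * 16))

# Leaf signed with SHA-256, then two intermediates signed with SHA-1 and MD5.
SAMPLE_CHAIN = [fake_cert(SHA256_RSA), fake_cert(SHA1_RSA), fake_cert(MD5_RSA)]
if __name__ == "__main__":
    print(weak_links(SAMPLE_CHAIN))
```

For real certificates, convert each PEM block with the standard library's `ssl.PEM_cert_to_DER_cert` before passing the chain to `weak_links`.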

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

BDU:2023-09113
CVE-2023-5594

Affected Products

ESET Endpoint Antivirus for Linux
ESET Endpoint Antivirus for Windows
ESET Endpoint Security for Windows
ESET File Security for Microsoft Azure
ESET Internet Security
ESET Mail Security for IBM Domino
ESET Mail Security for Microsoft Exchange Server
ESET NOD32 Antivirus
ESET Security Ultimate
ESET Security for Microsoft SharePoint Server
ESET Server Security for Linux
ESET Server Security for Windows Server
ESET Smart Security Premium