Improper following of a certificate's chain of trust in ESET security products
CVE-2023-5594

7.5 HIGH

What is CVE-2023-5594?

The vulnerability is a flaw in the Secure Traffic Scanning feature of ESET security products, which inspects TLS connections and validates the server's certificate chain before the browser sees the site. The feature does not validate that chain correctly: it accepts intermediate certificates signed with insecure hash algorithms such as MD5 or SHA-1 as trusted, even though signatures made with those algorithms can no longer be relied on to bind a certificate to its issuer. As a result the browser may end up trusting a website whose chain it would otherwise have rejected, and an attacker able to present such a weakly signed chain can undermine the security of the intercepted communications.
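To make the failing check concrete, here is an added example (it is not ESET code and does not model any ESET component) of the position-aware chain audit a validator is expected to perform: walk the served chain leaf-first and reject any certificate, leaf or intermediate, whose outer signatureAlgorithm is an MD5 or SHA-1 based OID, while leaving the trust anchor's own signature out of the decision, because trust in the anchor comes from the local store rather than from whoever signed it. It uses a minimal DER reader over the outer Certificate SEQUENCE, so it needs no third-party library. The certificates it runs on are constructed stand-ins with a dummy tbsCertificate and signature, not real ESET or CA certificates, and all function and constant names here are assumptions of this example.

```python
"""Audit a served certificate chain for weak signature algorithms.

Added example, not ESET code. It parses only the outer structure of each
DER certificate:

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }

and reads the OID inside signatureAlgorithm with a minimal DER TLV reader.
"""

# Signature OIDs a chain validator must not accept on a leaf or intermediate.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, end_offset) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509")
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(raw: bytes) -> str:
    """Decode base-128 OID content bytes to dotted form."""
    arcs, value, pending = [], 0, False
    for b in raw:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Return the dotted OID of a certificate's outer signatureAlgorithm."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, pos = _read_tlv(body, 0)        # tbsCertificate: skipped, not needed here
    tag, alg, _ = _read_tlv(body, pos)    # signatureAlgorithm AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def check_chain(chain_der: list[bytes]) -> list[str]:
    """Flag weak signatures in a chain given leaf first, trust anchor last.

    The anchor's own signature is deliberately not examined: it is trusted
    because it sits in the local store, not because of who signed it. Every
    certificate below it, the leaf included, must carry a strong signature;
    accepting a SHA-1 signed intermediate is exactly the mistake behind this CVE.
    """
    if len(chain_der) < 2:
        raise ValueError("chain must contain at least a leaf and a trust anchor")
    findings = []
    for index, der in enumerate(chain_der[:-1]):
        oid = signature_algorithm_oid(der)
        if oid in WEAK_SIGNATURE_OIDS:
            role = "leaf" if index == 0 else f"intermediate #{index}"
            findings.append(f"{role} signed with {WEAK_SIGNATURE_OIDS[oid]} ({oid})")
    return findings


# --- constructed sample input (stand-ins, not real certificates) -------------

def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder used only to build the stand-in certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def constructed_cert(sig_oid: bytes) -> bytes:
    """Stand-in certificate: dummy tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    tbs = _der(0x30, _der(0x04, bytes(200)))             # padding forces long-form lengths
    alg = _der(0x30, _der(0x06, sig_oid) + b"\x05\x00")  # OID + NULL parameters
    sig = _der(0x03, b"\x00" + bytes(16))                # BIT STRING, no unused bits
    return _der(0x30, tbs + alg + sig)


SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
MD5_RSA = bytes.fromhex("2a864886f70d010104")      # 1.2.840.113549.1.1.4
ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")   # 1.2.840.10045.4.3.2

# Leaf is fine, intermediate is SHA-1 signed, anchor is self-signed with ECDSA/SHA-256.
SAMPLE_CHAIN = [
    constructed_cert(SHA256_RSA),
    constructed_cert(SHA1_RSA),
    constructed_cert(ECDSA_SHA256),
]

if __name__ == "__main__":
    for finding in check_chain(SAMPLE_CHAIN) or ["chain accepted"]:
        print(finding)
```

Run directly, the script reports the SHA-1 signed intermediate and nothing else. In a real validator the same walk would be fed the DER chain received during the TLS handshake, and any finding would fail the connection rather than merely being printed; note that the anchor's signature is skipped on purpose, so a SHA-1 self-signature on a root in the local store is not a finding.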

Affected Version(s)

  • ESET Endpoint Antivirus 1464

  • ESET Endpoint Antivirus for Linux 10.0 and above 1464

  • ESET Endpoint Security 1464

News Articles

ESET Fixes a High Severity Vulnerability in its Product - CVE-2023-5594

ESET has addressed a high-severity vulnerability in the Secure Traffic Scanning feature, preventing potential exploitation that could lead web browsers to trust websites using certificates signed with outdated and insecure algorithms. The vulnerability is tracked as CVE-2023-5594, with a CVSS score of 7.5...

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 📰 First article discovered by TheCyberThrone

  • Vulnerability published

  • Vulnerability reserved
