ESET has released patches for several of its endpoint and server security products to address a high-severity vulnerability that could have been exploited to cause web browsers to trust sites that should not be trusted.
The flaw, tracked as CVE-2023-5594, affected the SSL/TLS protocol scanning feature present in ESET products. It could have caused browsers to trust websites with certificates signed with outdated and insecure algorithms.
“The vulnerability in the secure traffic scanning feature was caused by improper validation of the server’s certificate chain,” ESET explained in its advisory.
It added, “An intermediate certificate signed using the MD5 or SHA1 algorithm was considered trusted, and thus the browser on a system with the ESET secure traffic scanning feature enabled could be caused to trust a site secured with such a certificate.”
The list of affected ESET products includes NOD32 Antivirus, Internet Security, Smart Security Premium, Security Ultimate, Endpoint Antivirus, Endpoint Security, Server Security, Mail Security, Security for Microsoft SharePoint Server, and File Security for Microsoft Azure.
Patches have been rolling out via automatic product updates since November 21 — no user interaction is required to install the fix.
The vulnerability was reported to ESET by an individual who wished to remain anonymous. The cybersecurity firm says it’s not aware of any attacks exploiting this vulnerability.