ESET has addressed a vulnerability (CVE-2023-5594, CVSS score 7.5) in the Secure Traffic Scanning Feature, preventing potential exploitation that could lead web browsers to trust websites using certificates signed with outdated and insecure algorithms.
The issue resides in the SSL/TLS protocol scanning feature implemented in ESET products.
“ESET was made aware of a vulnerability in its SSL/TLS protocol scanning feature, which is available in ESET products listed in the Affected products section below. This vulnerability would cause a browser to trust a site with a certificate signed with an obsolete algorithm that should not be trusted.” reads the advisory.
The root cause of the problem was the improper validation of the server’s certificate chain.
“An intermediate certificate signed using the MD5 or SHA1 algorithm was considered trusted, and thus the browser on a system with the ESET secure traffic scanning feature enabled could be caused to trust a site secured with such a certificate.” continues the advisory.
The security firm released security patches for several products. ESET is not aware of attacks in the wild that exploited this flaw.
Below is the list of affected products:
The security firm addressed the issue with the release of the Internet protection module 1464 which is being distributed via automatic product updates.
(SecurityAffairs – hacking, Secure Traffic Scanning Feature)