Endpoint Protection

  • 1.  Do SEP clients need to be updated to protect against SYM15-005?

    Posted Jun 26, 2015 02:40 PM

    Quick question, do SEP clients need to be updated to protect against SYM15-005?


    The advisory title says "SYM15-005: Symantec Endpoint Protection Manager and Client Issues", and the affected product content says "Symantec Endpoint Protection".


    Thanks, Steve.



  • 2.  RE: Do SEP clients need to be updated to protect against SYM15-005?

    Posted Jun 26, 2015 02:42 PM

    It affects 12.1.5 and prior so you need to upgrade to 12.1.6.

    https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150617_00

    Overview

    Symantec Endpoint Protection (SEP) 12.1.6 addresses vulnerabilities that were found in prior releases. These include an authorized but less-privileged administrator able to attempt a blind SQL injection in the SEP Manager (SEPM) console through PHP prepared statements; a local Denial of Service (DoS) due to the ability to create a deadlock in system functionality, preventing complete system shutdown; and a local elevation-of-privilege potential through a DLL pre-loading weakness. These issues could result in potential access to unauthorized data, inability to shut down or restart a system without doing a hard power cycle, or an authorized but non-privileged user possibly being able to elevate their access to SYSTEM on a local client system.


    Affected Products

    Product                      | Version          | Build | Solution(s)
    Symantec Endpoint Protection | 12.1.5 and prior | All   | Migrate to SEP 12.1.6



  • 3.  RE: Do SEP clients need to be updated to protect against SYM15-005?

    Posted Jun 26, 2015 02:47 PM

    So clients and the SEPM both need to be updated? Not just the SEPM?



  • 4.  RE: Do SEP clients need to be updated to protect against SYM15-005?

    Posted Jun 26, 2015 02:47 PM

    Looks like both.

    This relates to clients:

    SEP is susceptible to a local denial of service due to a deadlock condition in sysplant.sys. A local user can create a local denial of service by running a specifically formatted call, resulting in the Windows system being unable to fully shut down. Resolution requires a hard power cycle to shut down and restart the system.

    SEP is affected by potential DLL loading issues resulting from improper path restrictions: some file directories do not properly restrict the loading of external libraries. An authorized malicious local user with access to a system could potentially insert a specifically-crafted file in one of the susceptible directories. Such an attack would then need to entice an authorized user to load a specifically formatted file from an alternate file location or network share. Successful exploitation could allow unauthorized arbitrary code to be executed with system permissions.



  • 5.  RE: Do SEP clients need to be updated to protect against SYM15-005?

    Posted Jun 26, 2015 02:48 PM
    It's a SQL injection attack. It's on SEPM; it does not affect clients.


  • 6.  RE: Do SEP clients need to be updated to protect against SYM15-005?

    Posted Jun 26, 2015 02:49 PM

    OK. Thanks Brian. The advisory title suggested just SEPM, but the contents suggested clients may be affected as well.



  • 7.  RE: Do SEP clients need to be updated to protect against SYM15-005?
    Best Answer

    Posted Jun 26, 2015 02:50 PM

    Yeah, after looking further, it is clients as well because of sysplant:

    SEP is susceptible to a local denial of service due to a deadlock condition in sysplant.sys. A local user can create a local denial of service by running a specifically formatted call, resulting in the Windows system being unable to fully shut down. Resolution requires a hard power cycle to shut down and restart the system.

    SEP is affected by potential DLL loading issues resulting from improper path restrictions: some file directories do not properly restrict the loading of external libraries. An authorized malicious local user with access to a system could potentially insert a specifically-crafted file in one of the susceptible directories. Such an attack would then need to entice an authorized user to load a specifically formatted file from an alternate file location or network share. Successful exploitation could allow unauthorized arbitrary code to be executed with system permissions.
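    The practical follow-up to the advisory table in reply 2 and the conclusion here (both the SEPM and the clients fall under SYM15-005 when on 12.1.5 or earlier, any build) is an inventory check. The script below is an added example, not code from the thread or from Symantec: it assumes versions are given in the "major.minor.RU" form shown for SEP 12.1 releases (e.g. "12.1.5"), ignores any trailing build components, and runs over a constructed host list with made-up hostnames, reporting separately which managers and which clients still need the migration to 12.1.6.

```python
"""Flag SEP / SEPM installs still covered by SYM15-005 in a constructed inventory.

Added example; not from the thread or Symantec. The advisory's affected-product
table says "12.1.5 and prior, all builds -> migrate to SEP 12.1.6", so the rule
implemented here is simply: affected if the major.minor.RU triple is below 12.1.6.
"""

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Fix level named in the advisory (major, minor, release update).
FIXED_VERSION = (12, 1, 6)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'major.minor.ru[.build]' into a comparable tuple of the first three ints.

    Assumption: the third component is the release-update number, as in "12.1.5".
    Extra components (a build number) are ignored. Malformed input raises
    ValueError instead of being silently treated as patched.
    """
    parts = text.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"need at least major.minor.ru, got {text!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected(version: str) -> bool:
    """True when the install is 12.1.5 or earlier (any build), per the advisory table."""
    return parse_version(version) < FIXED_VERSION


@dataclass
class Host:
    name: str
    role: str       # "SEPM" (manager) or "client"
    version: str


def triage(hosts: List[Host]) -> Dict[str, List[str]]:
    """Group the hosts that need the migration by role.

    Both roles are reported because the thread's answer is that the client-side
    sysplant.sys and DLL-loading issues mean clients need 12.1.6 as well as the SEPM.
    """
    needs_update: Dict[str, List[str]] = {"SEPM": [], "client": []}
    for h in hosts:
        if is_affected(h.version):
            needs_update.setdefault(h.role, []).append(h.name)
    return needs_update


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_HOSTS = [
    Host("sepm01", "SEPM", "12.1.6"),
    Host("ws-acct-17", "client", "12.1.5"),
    Host("ws-eng-03", "client", "12.1.4"),
    Host("ws-eng-09", "client", "12.1.6"),
]

if __name__ == "__main__":
    for role, names in triage(SAMPLE_HOSTS).items():
        print(f"{role}: {len(names)} host(s) need migration to 12.1.6 -> {names}")
```

    Feed it whatever your real inventory export produces (the SEPM console or a software-inventory tool), mapping each row to a Host; the point of keeping the parser strict is that an unparseable version string shows up as an error rather than quietly dropping out of the "needs update" list.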



  • 8.  RE: Do SEP clients need to be updated to protect against SYM15-005?

    Posted Jun 26, 2015 03:01 PM

    Thanks Brian.



  • 9.  RE: Do SEP clients need to be updated to protect against SYM15-005?

    Posted Jun 26, 2015 04:17 PM

    You're welcome!