
Security Advisories Relating to Symantec Products - Symantec Endpoint Protection Multiple Issues

SYM12-008

May 22, 2012

Revision History
5/23/2012 Proof-of-Concept information released publicly for CVE-2012-0289. Clarification on affected product component and versions.

Severity

File Include/Remote Access Elevation of Privilege - Medium
  CVSS2 Base Score: 6.82   Impact: 6.44   Exploitability: 8.58
  CVSS2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Directory Traversal File Deletion - Medium
  CVSS2 Base Score: 4   Impact: 4.9   Exploitability: 4.9
  CVSS2 Vector: AV:A/AC:L/Au:N/C:C/I:C/A:N

Local Access Elevation of Privilege - Low
  CVSS2 Base Score: 3.2   Impact: 4.9   Exploitability: 3.1
  CVSS2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:P

Exploit Publicly Available: Yes, for CVE-2012-0289 (Local Access Elevation of Privilege).


Overview

Specific versions of the Symantec Endpoint Protection Management Console in Symantec Endpoint Protection 11.x and Symantec Network Access Control 11.x are susceptible to a local access elevation of privilege.

The Management Console in Symantec Endpoint Protection 12.1 is susceptible to remote directory traversal/file deletion through a vulnerable service. A follow-on attack that depends on the file deletion succeeding allows file insertion and code execution, potentially resulting in unauthorized privilege escalation.

Affected Products

Local Access Elevation of Privilege

Product:      Symantec Endpoint Protection (Management Console)
Versions:     11.0 RU6 (11.0.600x), 11.0 RU6-MP1 (11.0.6100), 11.0 RU6-MP2 (11.0.6200),
              11.0 RU6-MP3 (11.0.6300), 11.0 RU7 (11.0.700x), 11.0 RU7-MP1 (11.0.710x)
Build:        All
Solution(s):  SEP 11 RU7 MP2 or later (Management Console)

Product:      Symantec Network Access Control (Management Console)
Versions:     11.0 RU6 (11.0.600x), 11.0 RU6-MP1 (11.0.6100), 11.0 RU6-MP2 (11.0.6200),
              11.0 RU6-MP3 (11.0.6300), 11.0 RU7 (11.0.700x), 11.0 RU7-MP1 (11.0.710x)
Build:        All
Solution(s):  SNAC 11 RU7 MP2 or later (Management Console)

NOTE: Symantec Endpoint Protection 12.1.x is NOT impacted by this issue.

Remote Access Directory Traversal/File Deletion and Elevation of Privilege

Product:      Symantec Endpoint Protection Manager
Versions:     12.1 (12.1.671), 12.1 RU1 (12.1.1000)
Build:        All
Solution(s):  SEP 12.1 RU1 MP1

NOTE: Only Symantec Endpoint Protection 12.1.x is impacted by these issues.

Details

Symantec was notified of a vulnerable service running on the Symantec Endpoint Protection 12.1 Manager. An unauthorized remote attacker who can reach this service can potentially launch a two-stage exploit against the targeted server.

In the first stage, the attacker manipulates the vulnerable Manager service to perform a directory traversal and delete specific files. A successful attempt can result in loss of Manager console functionality even if the second stage of the attack fails.

A successful first stage sets up the second. Leveraging the initial file removal, the attacker can potentially insert and execute arbitrary code, gaining unauthorized access in the context of the targeted application, which runs as SYSTEM.
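The traversal-then-deletion pattern described above, as an added illustration that is not code from this advisory or from Symantec's product: a naive file-deletion routine of the kind that lets ".." segments and absolute paths walk out of the service's directory, beside a hardened version that accepts only a plain file name and checks the resolved target against the base directory. The directory layout, file names and request strings are constructed for the example and say nothing about the real service's interface.

```python
"""Containing a path-traversal file-deletion endpoint.

Added illustration, not Symantec's code: a deliberately vulnerable delete
routine beside a hardened one, both exercised against constructed traversal
inputs in a throwaway directory tree.
"""
import os
import shutil
import tempfile
from pathlib import Path


def vulnerable_delete(base_dir: str, requested: str) -> str:
    """Naive pattern: glue the caller-supplied name onto base_dir and delete.
    '..' segments walk out of base_dir, and os.path.join discards base_dir
    entirely when `requested` is an absolute path."""
    target = os.path.join(base_dir, requested)
    os.remove(target)
    return target


class TraversalRejected(ValueError):
    """Raised when a requested name would reach outside the base directory."""


def hardened_delete(base_dir: str, requested: str) -> str:
    """Accept only a plain file name and prove the resolved target stays in
    base_dir. Rejecting rather than sanitizing avoids the '....//' class of
    filter bypasses; resolve() also follows symlinks, so a link planted inside
    base_dir that points outside it is caught as well."""
    if "\x00" in requested:
        raise TraversalRejected("NUL byte in name")
    if requested in ("", ".", "..") or Path(requested).name != requested:
        raise TraversalRejected(f"not a plain file name: {requested!r}")
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target.parent != base:
        raise TraversalRejected(f"resolves outside base dir: {target}")
    target.unlink()
    return str(target)


def demo() -> dict:
    """Run both routines against constructed inputs and return the outcomes.
    Constructed layout: <tmp>/uploads is the service's directory and
    <tmp>/secret.txt stands in for a file the service must never touch."""
    root = Path(tempfile.mkdtemp())
    try:
        base = root / "uploads"
        base.mkdir()
        (base / "report.txt").write_text("legitimate upload")
        secret = root / "secret.txt"
        secret.write_text("must survive")
        try:
            (base / "link").symlink_to(secret)   # inside base, points outside
        except OSError:
            pass                                 # symlinks unavailable here

        attempts = ["report.txt", "../secret.txt", str(secret),
                    "sub/../../secret.txt", "link", "bad\x00.txt"]
        hardened = {}
        for name in attempts:
            try:
                hardened_delete(str(base), name)
                hardened[name] = "deleted"
            except TraversalRejected:
                hardened[name] = "rejected"
            except FileNotFoundError:
                hardened[name] = "missing"
        secret_survived_hardened = secret.exists()

        # The same traversal against the naive routine removes secret.txt.
        vulnerable_delete(str(base), "../secret.txt")
        escaped = not secret.exists()
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"hardened": hardened,
            "secret_survived_hardened": secret_survived_hardened,
            "vulnerable_escaped_base": escaped}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check that matters is the comparison of the resolved parent with the resolved base, not string filtering of the input: canonicalization happens after every ".." and symlink has been applied, so whatever the request looked like, the routine only ever unlinks a direct child of the directory it was meant to manage.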

In a recommended installation, the Symantec Endpoint Protection Manager is hosted behind the corporate firewall with restricted external access. If the Manager must be deployed outside the corporate network, Symantec strongly recommends configuring client/server communication only and blocking all access to the management console.

An unauthorized attacker who has network access to the Manager, or who can entice an authorized network user to download malicious content or visit a malicious site, could still attempt an attack against the Manager interface.


Symantec was also notified of a local access elevation of privilege through arbitrary code execution in specific versions of the Symantec Endpoint Protection and Symantec Network Access Control 11.x Management Consoles. The arbitrary code execution is caused by inadequate boundary and error checking within one of the code functions.

To successfully exploit this issue, the attacker must have access to an authorized but unprivileged account on the local server that hosts either the Symantec Network Access Control or the Symantec Endpoint Protection 11.x management console. That user could then execute a maliciously formatted script that triggers a buffer overflow within a specific function used in both Symantec Network Access Control and Symantec Endpoint Protection. Successfully targeting this function could potentially allow the unprivileged user to elevate their access on the targeted system.

Symantec Response
Symantec product engineers verified the reported issues and resolved these issues in the Symantec Endpoint Protection releases identified above.

Update Information

Updates are available through customers’ normal support/download locations.

Best Practices
As part of normal best practices, Symantec strongly recommends:

· Restrict access to administration or management systems to privileged users.

· Restrict remote access, if required, to trusted/authorized systems only.

· Run under the principle of least privilege where possible to limit the impact of exploitation.

· Keep all operating systems and applications updated with the latest vendor patches.

· Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection against both inbound and outbound threats.

· Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

Credit
Symantec credits Anil Aphale, aka 41.w4r10r, with ControlCase India Pvt Ltd for the local access elevation of privilege issue reported in Symantec Endpoint Protection and Symantec Network Access Control 11.x.

Symantec credits Andrea Micalizzi, aka rgod, working through TippingPoint's Zero Day Initiative for the directory traversal/file deletion and the file include/remote elevation of privilege multi-stage attack reported in Symantec Endpoint Protection Manager 12.1.

References

Security Focus, http://www.securityfocus.com, has assigned the following Bugtraq IDs (BIDs) to these issues for inclusion in the Security Focus vulnerability database:

BID 51795 for the local access elevation of privilege issue
BID 53182 for the directory traversal/file deletion issue
BID 53183 for the file include/remote elevation of privilege issue

These issues are candidates for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org). The CVE initiative has assigned:

CVE-2012-0289 for the local access elevation of privilege issue
CVE-2012-0294 for the directory traversal/file deletion issue
CVE-2012-0295 for the file include/remote access elevation of privilege issue

Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines.
Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A member of the Symantec Product Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the location below.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

Copyright (c) by Symantec Corp.

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Product Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Product Security, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Last modified on: May 22, 2012