
Security Advisories Relating to Symantec Products - Symantec Endpoint Protection Multiple Security Issues

SYM16-011

June 28, 2016

Revisions

None


Severity

Server-Side Request Forgery authentication interface - Medium
  CVSS v2 4.8  AV:A/AC:M/Au:M/C:C/I:N/A:N
  CVSS v3 5.4  AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

Authentication Lock threshold bypass brute force attack - High
  CVSS v2 7.1  AV:A/AC:L/Au:S/C:C/I:C/A:N
  CVSS v3 7.3  AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Sysadmin authenticated listing disclosure - Low
  CVSS v2 2.2  AV:A/AC:L/Au:M/C:P/I:N/A:N
  CVSS v3 2.4  AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Server credentials disclosure - Medium
  CVSS v2 4.0  AV:A/AC:H/Au:M/C:C/I:N/A:N
  CVSS v3 4.5  AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Multiple XSS in SEPM management script code - Medium
  CVSS v2 6.8  AV:A/AC:M/Au:S/C:C/I:C/A:N
  CVSS v3 6.7  AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

PHP JSESSIONID accessible on Web Server - Medium
  CVSS v2 6.5  AV:A/AC:H/Au:S/C:C/I:C/A:C
  CVSS v3 6.8  AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Multiple SEPM CSRF - High
  CVSS v2 7.0  AV:A/AC:M/Au:M/C:C/I:C/A:C
  CVSS v3 7.1  AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Open Redirect in external URL .php script - Medium
  CVSS v2 4.1  AV:A/AC:L/Au:S/C:P/I:P/A:N
  CVSS v3 4.1  AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

DOM-based link manipulation in php script - Medium
  CVSS v2 5.2  AV:A/AC:M/Au:S/C:N/I:C/A:N
  CVSS v3 5.2  AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Strict transport security not enforced on port 8445 - Medium
  CVSS v2 4.1  AV:A/AC:L/Au:S/C:P/I:P/A:N
  CVSS v3 4.6  AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Web Root directory traversal in management console - Medium
  CVSS v2 4.1  AV:A/AC:L/Au:S/C:P/I:P/A:N
  CVSS v3 4.6  AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

SEP Client Device Control Restriction Local Race Condition Bypass - Low
  CVSS v2 2.4  AV:L/AC:H/Au:S/C:P/I:P/A:N
  CVSS v3 2.8  AV:P/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N



Overview


Symantec Endpoint Protection (SEP) was susceptible to a number of security vulnerabilities that could allow a user to gain elevated privileges on, or access unauthorized files through, the management console.


Additionally, a race condition in the device control of a SEP client could allow security restrictions to be bypassed, giving a local user some ability to copy files to, or from, a USB device that should have been blocked.


Affected Products

Product                                          Version  Build  Solution
Symantec Endpoint Protection Manager and client  12.1     All    Update to 12.1-RU6-MP5



Details


The management console for SEP, SEPM, contains a number of security vulnerabilities that could be used by a lower-privileged or unauthorized user to elevate privileges or gain access to unauthorized information on the management server. Exploiting any of these issues requires access to the SEP Management console.


Cross-site scripting and cross-site request forgery vulnerabilities exist in the interface scripts and forms used to manage the console and to generate status and activity reports. The management console does not sufficiently validate or sanitize incoming input or its own output, and it provides inadequate CSRF protection. Successful exploitation could allow an unauthorized or less-privileged user to leverage console access or hijack the browser session being used to manage the console, which could yield unauthorized user-level access that is then leveraged to elevate privileges. Exploitation could be performed by tricking a properly authenticated user into following a maliciously crafted link, or by a less-privileged but authorized user manipulating existing console URLs. Depending on the crafted link, arbitrary HTML or script could be rendered and executed in the context of the targeted user's browser, and requests to the console's PHP scripts issued with that user's session. The management console normally allows access to specified users/administrators only.
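The CSRF weakness above comes down to the console accepting state-changing requests without proof that they originated from its own pages. The following Python is an added illustration, not Symantec code, of the two checks a management console applies to close that gap: a per-session synchronizer token compared in constant time, and an Origin/Referer check as a second layer. The console origin on port 8445, the form field name csrf_token and the session dictionary are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the console; a real deployment derives this from its
# own configured host name and listening port.
CONSOLE_ORIGIN = "https://sepm.example.internal:8445"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session: dict) -> str:
    """Create the per-session synchronizer token once and reuse it for every
    form rendered in that session; the form must echo it back as csrf_token."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def origin_of(url: str):
    """Reduce a Referer URL to its origin (scheme://host[:port]) or None."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return None
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")


def csrf_ok(method: str, headers: dict, form: dict, session: dict) -> bool:
    """Accept a request only if it uses a safe method, or it carries the
    console's own origin and the token bound to this session."""
    if method.upper() not in STATE_CHANGING:
        return True  # GET/HEAD must not change state, so they need no token
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None and "referer" in h:
        origin = origin_of(h["referer"])
    # Neither header, or a foreign origin, is treated as cross-site: browsers
    # send Origin on cross-site POSTs, and an admin console can afford to
    # refuse the rare client that strips it.
    if origin != CONSOLE_ORIGIN:
        return False
    expected = session.get("csrf")
    supplied = form.get("csrf_token", "")
    if not expected or not supplied:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```

The origin check alone is not enough (it is bypassed when a client omits both headers and the server chooses to be lenient), and the token alone is weakened by any XSS that can read the page; applying both is what makes a crafted link from another site fail at the console.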


A server-side request forgery exists in the authentication interface. An attacker could cause the management server to issue requests on the attacker's behalf, so that the requests appear to originate from the server itself, bypassing existing access controls and allowing the attacker to probe for unauthorized content on the internal network.
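An added Python example, not Symantec's code, of the check a server applies before fetching a caller-supplied URL on its own behalf: the scheme and host are compared against an allowlist, the host is resolved once, and every resulting address must be publicly routable, so that a name pointing at the internal network cannot be used to reach it through the server. The allowlisted hosts and the DNS answers are constructed assumptions so that the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allowlist of destinations the management server may contact on
# an operator's behalf.
ALLOWED_HOSTS = {"updates.example.com", "reports.example.com"}
ALLOWED_SCHEMES = {"https"}

# Constructed DNS answers so the example runs offline. The second entry is
# the interesting case: an allowlisted name that resolves to the internal network.
FAKE_DNS = {
    "updates.example.com": "93.184.216.34",
    "reports.example.com": "10.0.0.5",
}


def fake_resolver(host, port, proto=0):
    """Stand-in for socket.getaddrinfo that returns the same result shape."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (FAKE_DNS[host], port))]


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses: no RFC 1918,
    loopback, link-local (cloud metadata), multicast or reserved ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not (addr.is_multicast or addr.is_reserved)


def resolve_target(url: str, resolver=socket.getaddrinfo):
    """Validate a server-side fetch target. Returns (host, [ips]) which the
    caller must connect to directly; raises ValueError on anything that would
    let the caller steer the server at internal infrastructure."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("no host in URL")
    if parts.username or parts.password:
        # https://updates.example.com@10.0.0.1/ has host 10.0.0.1, not the allowlisted name
        raise ValueError("credentials in URL")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {host!r}")
    try:
        infos = resolver(host, parts.port or 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"resolution failed: {exc}") from exc
    ips = sorted({info[4][0] for info in infos})
    bad = [ip for ip in ips if not is_public_address(ip)]
    if bad:
        raise ValueError(f"host resolves to non-public address(es): {bad}")
    # Return the pinned addresses: connecting by name again would re-resolve
    # and let a rebinding DNS answer swap in an internal address.
    return host, ips


def check(url: str) -> str:
    """Return 'ok' or the rejection reason, using the constructed resolver."""
    try:
        resolve_target(url, resolver=fake_resolver)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"
```

The allowlist is what does most of the work; the address check behind it catches the case the allowlist cannot, a permitted name whose DNS answer is, or later becomes, internal.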


An authorized but non-privileged network user with access to the SEPM authentication window could bypass the lockout threshold, permitting a brute-force password attack aimed at recovering valid management console passwords.


An authorized management console administrator could manipulate GET object requests to enumerate other valid system administrator accounts. That information could then be used in the brute-force attack described above.


A reporting URL used to route generated reports to any authorized external URL is susceptible to an open redirect. An authorized but less-privileged user could use it to redirect an unsuspecting privileged user to an external site for further exploitation, e.g. phishing.
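An added example, not Symantec's code, of how a "route this report to the following URL" parameter is validated so that it cannot be turned into an open redirect: the target must be either a same-site path or an https URL on an allowlisted host, and each of the usual bypass shapes (protocol-relative URLs, backslash tricks, credentials in the authority, look-alike subdomains, non-http schemes) is refused. The allowlisted host is an assumption.

```python
from urllib.parse import urlsplit

# Assumed set of external hosts that reports may legitimately be routed to.
ALLOWED_REDIRECT_HOSTS = {"reports.example.com"}


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Return raw when it is a same-site absolute path or an https URL on an
    allowlisted host; otherwise return default. Each rejection corresponds to
    a trick used to turn a redirect parameter into an open redirect."""
    if not raw:
        return default
    # Control characters and backslashes: browsers strip tabs/newlines and
    # normalise '/\evil' to '//evil', so refuse them before parsing.
    if any(ord(c) < 0x20 or c == "\\" for c in raw):
        return default
    parts = urlsplit(raw)
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a path with a single leading slash.
        # '//host' already parses with a netloc, but be explicit about '///host'.
        return raw if raw.startswith("/") and not raw.startswith("//") else default
    if parts.scheme != "https" or not parts.hostname:
        return default  # javascript:, data:, an http: downgrade, or '//host'
    if parts.username or parts.password:
        return default  # https://reports.example.com@evil.example/ targets evil.example
    if parts.hostname.lower() not in ALLOWED_REDIRECT_HOSTS:
        return default  # also rejects reports.example.com.evil.example
    return raw
```

Returning a fixed default rather than an error keeps the report flow working for a legitimate user while giving the less-privileged user nothing to steer.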


An authorized user with access to the management console could exploit a DOM-based link manipulation weakness (a form of XSS) in existing management scripts to attempt attacks against managed client systems.


HTTP Strict Transport Security was not effectively enabled on port 8445, the SEPM listening port. Without an effective HSTS policy a browser can be induced to connect to the console over plain HTTP, which could lead to information leakage or redirection-type attacks.
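The following Python, an added example and not part of the advisory or Symantec's tooling, checks a captured response's HSTS policy the way a tester would when verifying this finding after the update: the header must be present on an HTTPS response, parse cleanly, and carry a usable max-age. The header sets it runs against are constructed, and the one-year floor for max-age is an assumption.

```python
# Conventional floor for max-age: one year (an assumption for this check).
MIN_MAX_AGE = 31536000

# Constructed response header sets, one per situation the check distinguishes.
SAMPLE_RESPONSES = {
    "missing": {"Content-Type": "text/html"},
    "weak": {"Strict-Transport-Security": "max-age=300"},
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "dupe": {"strict-transport-security": "max-age=31536000; max-age=0"},
}


def parse_hsts(value: str):
    """Split an HSTS header value into {directive: value}. Returns None when a
    directive repeats, which RFC 6797 says makes the whole header invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    return directives


def hsts_findings(headers: dict, over_tls: bool = True) -> list:
    """Return the problems with a response's HSTS policy (empty list = fine).
    headers: response header names to values, in any capitalisation."""
    if not over_tls:
        # Browsers ignore the header on plain-HTTP responses, so a policy
        # served only on a cleartext listener never takes effect.
        return ["header only honored on an HTTPS response"]
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("strict-transport-security")
    if raw is None:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(raw)
    if d is None:
        return ["duplicate directive; header ignored by browsers"]
    if "max-age" not in d or not d["max-age"].isdigit():
        return ["max-age missing or not a number"]
    findings = []
    age = int(d["max-age"])
    if age == 0:
        findings.append("max-age=0 disables the policy")
    elif age < MIN_MAX_AGE:
        findings.append(f"max-age {age} below {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings
```

To feed it a live response, dump the headers with curl -sD - -o /dev/null https://host:8445/ and pass them in as a dictionary. One caveat worth knowing when reading the result: an HSTS policy is keyed on the host name, not the port, so once a browser has recorded it from the 8445 listener it will rewrite http:// URLs for every port on that host, and any other listener there must also serve TLS.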


A limited directory traversal exists in the management console that could allow a less-privileged user to access files and directories within the web root.
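An added Python example, not Symantec code, of the containment check that prevents this class of traversal: the requested path is percent-decoded once, joined under the web root, resolved through any symlinks, and then required to still lie under the root. The web root, files and symlink it exercises are constructed in a temporary directory so that the example runs stand-alone.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_under_root(web_root, requested: str):
    """Map a client-supplied path onto the filesystem only if the real,
    symlink-resolved result stays inside web_root. Returns a Path or None."""
    root = Path(web_root).resolve()
    # Decode percent-escapes exactly once. A double-encoded '%252e%252e'
    # decodes to the literal name '%2e%2e', which is harmless: it stays under
    # the root as a file name rather than becoming '..'.
    rel = unquote(requested)
    # NUL bytes truncate names in C-level APIs; backslashes are separators on
    # Windows and must not be smuggled past the checks below.
    if "\x00" in rel or "\\" in rel:
        return None
    # Leading slashes are stripped so Path joining cannot discard the root;
    # '/etc/passwd' therefore means '<root>/etc/passwd', as a web server treats it.
    candidate = (root / rel.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def demo() -> dict:
    """Build a constructed web root in a temporary directory and report, per
    case, whether the request is allowed (True) or refused (False)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "reports").mkdir(parents=True)
        (root / "reports" / "daily.html").write_text("<html></html>")
        outside = Path(tmp) / "secret.txt"   # sits beside, not under, the root
        outside.write_text("not for the web")
        (root / "link").symlink_to(outside)  # a symlink that escapes the root
        cases = {
            "plain": "reports/daily.html",
            "dotdot": "../secret.txt",
            "encoded_dotdot": "reports/%2e%2e/%2e%2e/secret.txt",
            "absolute_becomes_relative": "/etc/passwd",
            "symlink_escape": "link",
            "nul_truncation": "reports/daily.html%00.png",
        }
        return {name: resolve_under_root(root, p) is not None
                for name, p in cases.items()}
```

The order matters: decoding before the join catches encoded dot segments, and resolving before the relative_to check is what catches a symlink inside the root that points outside it, which a purely lexical check on the request string would miss.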


Note: In a typical installation the Symantec Endpoint Protection management console should not be reachable from outside the network environment, and internal access should be restricted to specified users/administrators. Browsers used by authorized users to access the management console should never be used to browse external web sites during an active administrative session. These restrictions greatly reduce exposure to external attempts of these types.


On a SEP client, a race condition existed between the moment a USB drive is inserted into a client-system USB port and the moment SEP's device control enforces access control over the external device. During this brief window a user with local access to the system could copy sensitive files from the client system to the unauthorized USB device, or upload arbitrary file content from the USB device to the local system.


Symantec Response


Symantec product engineers had already found some of these issues through internal testing, with fixes pending release in SEP 12.1-RU6-MP5, and confirmed the externally submitted reports of these issues in previous releases. Symantec engineers continue to review related functionality to further enhance the overall security of Symantec Endpoint Protection. Symantec has released Symantec Endpoint Protection 12.1 RU6 MP5, currently available to customers through normal support locations. Customers are advised to update to RU6-MP5 as soon as possible to address the security issues identified in this advisory.


Symantec is not aware of exploitation of or adverse customer impact from these issues.


Update Information


Symantec Endpoint Protection Manager 12.1-RU6-MP5 is available from Symantec File Connect.


Best Practices


As part of normal best practices, Symantec strongly recommends the following:


  • Restrict access to administrative or management systems to authorized privileged users.

  • Restrict remote access, if required, to trusted/authorized systems only.

  • Run under the principle of least privilege where possible to limit the impact of a potential exploit.

  • Keep all operating systems and applications current with vendor patches.

  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.

  • Deploy network- and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.


Credit


Symantec would like to thank Huy-Ngoc Dau, with Deloitte France for reporting information on CVE-2016-3647, 3648, 3649, 3650, 3651 and working with us as we addressed them.


Symantec would like to thank John Page aka hyp3rlinx, for reporting information on CVE-2016-3652, 3653, and 5304 and working with us as we addressed them.


Symantec would like to thank Josh Meyer, with the MITRE Corporation, for reporting information on CVE-2016-5304, 5305, 5306, and 3651 and working with us as we addressed them.


Symantec would like to thank Che Lin Law, with MWR InfoSecurity, for reporting information on CVE-2016-5307 and working with us as we addressed it.


Symantec would like to thank Chris Salerno, with Security Risk Advisors, for reporting information on CVE-2015-8801 to us and working with us as we addressed it.




References


CVE: These issues are candidates for inclusion in the CVE list (http://cve.mitre.org/cve), which standardizes identifiers for security problems.



BID: Symantec Security Focus, http://www.securityfocus.com, has assigned Bugtraq IDs (BIDs) to these issues for inclusion in the Security Focus vulnerability database.


CVE            BID    Description
CVE-2016-3647  91433  Server-Side Request Forgery authentication interface
CVE-2016-3648  91441  Authentication Lock threshold bypass brute force attack
CVE-2016-3649  91440  Sysadmin authenticated listing disclosure
CVE-2016-3650  91432  Server credentials disclosure
CVE-2016-3651  91445  PHP JSESSIONID accessible on Web Server
CVE-2016-3652  91444  Multiple XSS in SEPM management script code
CVE-2016-3653  91442  Multiple SEPM CSRF
CVE-2016-5304  91447  Open Redirect in external URL .php script
CVE-2016-5305  91448  DOM-based link manipulation in php script
CVE-2016-5306  91449  Strict transport security not enforced on port 8445
CVE-2016-5307  91443  Web Root directory traversal in management console
CVE-2015-8801  91446  SEP Client Device Control Restriction Local Race Condition Bypass



REPORTING VULNERABILITIES TO SYMANTEC

Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines.
Symantec has developed a Software Security Vulnerability Management Process document outlining the process we follow in addressing suspected vulnerabilities in our products.
Symantec Corporation firmly believes in a proactive approach to secure software development and implements security review into various stages of the software development process. Additionally, Symantec is committed to the security of its products and services as well as to its customers’ data. Symantec is committed to continually improving its software security process.
This document provides an overview of the current Secure Development Lifecycle (SDLC) practice applicable to Symantec’s product and service teams as well as other software security related activities and policies used by such teams. This document is intended as a summary and does not represent a comprehensive list of security testing and practices conducted by Symantec in the software development process.
Please contact secure@symantec.com if you believe you have discovered a security issue in a Symantec product. A member of the Symantec Software Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com.
The Symantec Software Security PGP key can be found at the following location:
COPYRIGHT (C) BY SYMANTEC CORP.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Software Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.
Last modified on: June 28, 2016