
Security Advisories Relating to Symantec Products - Symantec Data Center Security: Server Advanced, Multiple Security Issues on Management Server and Protection Policies Rule Bypass

SYM15-001

January 19, 2015

Revisions

None

Severity (CVSS2)

SCSP/SDCS:SA Management Server Agent Control Interface RCE - High
NOTE: Does NOT affect CSP 5.2.9 MP6 or DCS:SA 6.0 MP1
Base Score: 7.4, Impact: 10, Exploitability: 4.4, CVSS2 Vector: AV:A/AC:M/Au:S/C:C/I:C/A:C

SCSP/SDCS:SA Management Server SQL Injection - High
NOTE: Does NOT affect CSP 5.2.9 MP6 or DCS:SA 6.0 MP1
Base Score: 7.4, Impact: 10, Exploitability: 4.4, CVSS2 Vector: AV:A/AC:M/Au:S/C:C/I:C/A:C

SCSP/SDCS:SA Management Server Non-Persistent XSS - Low
Base Score: 3.8, Impact: 4.9, Exploitability: 4.4, CVSS2 Vector: AV:A/AC:M/Au:S/C:P/I:P/A:N

SCSP/SDCS:SA Management Server Information Disclosure - Low
Base Score: 2.7, Impact: 2.9, Exploitability: 5.1, CVSS2 Vector: AV:A/AC:L/Au:S/C:P/I:N/A:N

SCSP/SDCS:SA Agent Default Protection Policy By-pass permits access to system functionality that should be restricted to authorized users - Medium
Base Score: 6.6, Impact: 10, Exploitability: 2.7, CVSS2 Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C


Overview

The management server for Symantec Critical System Protection (SCSP) 5.2.9 and Data Center Security: Server Advanced (SDCS:SA) 6.0.x is susceptible to security issues which could enable privileged access to the management server.  Rules in the prevention policies could be bypassed if deployed to SCSP/SDCS:SA agents to restrict access to specific host functionality.

 

 

Affected Products

Product: Symantec Critical System Protection Server and Agents
Version: 5.2.9.x, Build: All
Solution(s): Update to SCSP 5.2.9 MP6 or to SDCS:SA 6.0 MP1. Apply the Protection Policy modifications described below.

Product: Symantec Data Center Security: Server Advanced Server and Agents
Version: 6.0, Build: All
Solution(s): Update to 6.0 MP1. Apply the Protection Policy modifications described below.

Product: Symantec Data Center Security: Server Advanced Server and Agents
Version: 6.0 MP1, Build: All
Solution(s): Apply the Protection Policy modifications described below.


Details

Agent Control Interface RCE - The management server agent control interface for SCSP 5.2.9 MP5 and below and SDCS:SA 6.0 does not properly validate the content of log files uploaded from client systems for processing. This could allow unauthorized arbitrary code to be included in the log file content on a client system. When the log file is uploaded to the server, that code could potentially be run during normal processing of the log file content on the server. If successfully exploited, an attacker could potentially gain access to a command shell with elevated privileges on the server.

 

NOTE: SCSP 5.2.9 MP6 and SDCS:SA 6.0 MP1 are not affected by this issue.

 

SCSP/SDCS:SA Management Server SQL Injection - SCSP 5.2.9 and SDCS:SA 6.0 are susceptible to SQL injection. An attacker who can reach the relevant port on the management server could send a specifically crafted HTTP request which could potentially execute arbitrary SQL commands. If successful, the attacker could possibly add themselves to the server as an administrator.

 

Symantec recommends always configuring the out-of-the-box prevention policy with local network information and applying it to the management server, so that access is limited to the local network or to security administrators only.

 

NOTE: SCSP 5.2.9 MP6 and SDCS:SA 6.0 MP1 are not affected by this issue.

 

SCSP/SDCS:SA Management Server Non-persistent XSS - The Management Console server does not properly filter user input.  This makes the server potentially susceptible to non-persistent cross-site scripting issues. 

 

Workaround/mitigation information provided below.

 

SCSP/SDCS:SA Management Server Information Disclosure – The management server does not properly restrict internal server information in certain instances.  Successful access to this information could potentially provide reconnaissance planning data to a non-privileged, non-authorized user.

 

Note: In a normal installation, the SCSP or SDCS:SA Management Console should not be accessible from outside the network, which provides some mitigation against external threats. Attempts to exploit these issues would most likely come from an authorized but malicious network user. However, an external attacker could potentially leverage known trust-exploitation methods in an attempt to gain access to a client system from which to launch an attack on the server. Such attempts generally require enticing an authorized user to access a malicious link in a context such as a website or an email.

 

Workaround/mitigation information provided below.

 

SCSP/SDCS:SA Agent Default Protection Policy By-pass - SCSP and SDCS:SA default protection policies are designed to restrict access to specific host functionality. The default protection policies provided do not sufficiently restrict access in some cases. An authenticated user could potentially bypass deployed protection policies, gaining unauthorized access to restricted functionality on a host.

Note:  SCSP/SDCS:SA Protection Policies provide another layer of restriction to further complement existing OS user authorization. Circumventing the Protection Policies does NOT provide any additional levels of access to the authenticated user other than what their authorization level would permit under normal OS security settings.

 

See Mitigation Section below for information on customizing protection policies to address this.

 

Symantec is not aware of exploitation of or adverse customer impact from this issue.

 

Update Information

SCSP 5.2.9 MP6 and SDCS:SA 6.0 MP1 are available through Symantec File Connect.

 

Symantec Response and Mitigations/Workarounds

 

Symantec recommends customers upgrade to the latest SDCS:SA 6.0 MP1.  However, if unable to upgrade immediately, there are some workarounds available to mitigate these issues related to SCSP/SDCS:SA server and agents.

 

SCSP/SDCS:SA Server mitigation for remote agent RCE

 

Symantec highly recommends upgrading to SCSP 5.2.9 MP6 or SDCS:SA 6.0 MP1; however, if that is not possible at this time:

 

1. If a customer has another physical drive available, edit the CSP/DCS:SA Server configuration to change the bulk log files directory so that it resides on a different physical drive from the one where the CSP/DCS:SA Server is installed.

2. Install a CSP/DCS agent on the server and apply a Prevention policy.

 

 

SCSP/SDCS:SA Management Console Non-Persistent XSS and Information Disclosure

  1. Use the Java console.
  2. Note that the ajaxswing web console will not be shipping in future releases.

 

SCSP/SDCS:SA Agent Security Policy By-Pass Mitigation

 

Implement the security policy configurations provided in TECH227679, http://www.symantec.com/docs/TECH227679

 

Best Practices
As part of normal best practices, Symantec strongly recommends the following:

  • Restrict access to administrative or management systems to authorized privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Run under the principle of least privilege where possible to limit the impact of potential exploit.
  • Keep all operating systems and applications current with vendor patches.
  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network- and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

 

Credit

 

Symantec would like to thank Balint Varga-Perke with Silent Signal working through Beyond Security for reporting CVE-2014-3440 and working with Symantec as it was addressed.

 

Symantec would like to thank Stefan Viehbock with SEC-Consult for reporting CVE-2014-7289, CVE-2014-9224, CVE-2014-9225 and CVE-2014-9226 and working with Symantec as they were addressed.

 

References

BID: Security Focus, http://www.securityfocus.com, has assigned Bugtraq IDs (BIDs) to this issue for inclusion in the Security Focus vulnerability database.

 

CVE: This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. 

 

CVE-2014-3440, BID 72091: SCSP/SDCS:SA Management Server Agent Control Interface RCE

CVE-2014-7289, BID 72092: SCSP/SDCS:SA Management Server SQL Injection

CVE-2014-9224, BID 72093: SCSP/SDCS:SA Management Server Non-Persistent XSS

CVE-2014-9225, BID 72094: SCSP/SDCS:SA Management Server Information Disclosure

CVE-2014-9226, BID 72095: SCSP/SDCS:SA Client Default Security Protection Policy By-pass

REPORTING VULNERABILITIES TO SYMANTEC

Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines.
Symantec has developed a Software Security Vulnerability Management Process document outlining the process we follow in addressing suspected vulnerabilities in our products.
Symantec Corporation firmly believes in a proactive approach to secure software development and implements security review into various stages of the software development process. Additionally, Symantec is committed to the security of its products and services as well as to its customers’ data. Symantec is committed to continually improving its software security process.
This document provides an overview of the current Secure Development Lifecycle (SDLC) practice applicable to Symantec’s product and service teams as well as other software security related activities and policies used by such teams. This document is intended as a summary and does not represent a comprehensive list of security testing and practices conducted by Symantec in the software development process.
Please contact secure@symantec.com if you believe you have discovered a security issue in a Symantec product. A member of the Symantec Software Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com.
The Symantec Software Security PGP key can be found at the following location:
COPYRIGHT (C) BY SYMANTEC CORP.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Software Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.
Last modified on: January 19, 2015