ESB-2017.2889 - [Win] Symantec Endpoint Protection: Multiple vulnerabilities 2017-11-15

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2889
               Symantec Endpoint Protection Multiple Issues
                             15 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Endpoint Protection
Publisher:         Symantec
Operating System:  Windows
Impact/Access:     Increased Privileges           -- Existing Account
                   Delete Arbitrary Files         -- Existing Account
                   Provide Misleading Information -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13681 CVE-2017-13680 CVE-2017-6331

Original Bulletin: 
   https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20171106_00

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Advisories Relating to Symantec Products - Symantec Endpoint
Protection Multiple Issues

SYM17-011

November 6, 2017

OVERVIEW

Symantec has released a set of updates to address three issues in the Symantec
Endpoint Protection (SEP) product.

Highest severity issue: High
Number of issues: 3

 
ISSUES

This update applies to the following issues:

TITLE                        CVE            SEVERITY

SEP Privilege Escalation     CVE-2017-13681 High

SEP Arbitrary File Deletion  CVE-2017-13680 Medium

SEP Tamper-Protection Bypass CVE-2017-6331  Low


AFFECTED PRODUCTS

Symantec has verified the issues and addressed them in product updates for SEP
outlined below.
 

Enterprise

The following Symantec enterprise products are affected.

PRODUCT                                     SOLUTION

Symantec Endpoint Protection prior to SEP   Upgrade to Symantec Endpoint
12.1 RU6 MP9 for CVE-2017-13681             Protection SEP 12.1 RU6 MP9

Symantec Endpoint Protection prior to SEP   Upgrade to Symantec Endpoint
12.1 RU6 MP9 & SEP 14 RU1 for               Protection SEP 12.1 RU6 MP9 or SEP
CVE-2017-13680                              14 RU1

Symantec Endpoint Protection 12.1.X & prior Upgrade to Symantec Endpoint
to SEP 14 RU1 for CVE-2017-6331             Protection SEP 14 RU1


 

ISSUE DETAILS

 

Symantec Endpoint Protection Privilege Escalation

CVE-2017-13681

BID: 101504

Severity: High (CVSSv3: 8.8) (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Impact: Privilege escalation

Exploitation: None

Date patched: October 20, 2017
 

The Symantec Endpoint Protection Windows endpoint could be susceptible to a
privilege escalation vulnerability, which is a type of issue that allows a user
to gain elevated access to resources that are normally protected at lower
access levels. In the circumstances of this issue, the capability of exploit is
limited by the need to perform multiple file and directory writes to the local
filesystem and as such, is not feasible in a standard drive-by type attack.

 

Symantec Endpoint Protection Arbitrary File Deletion

CVE-2017-13680

BID: 101503

Severity: Medium (CVSSv3: 6.5) (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)

Impact: Arbitrary File Deletion

Exploitation: None

Date patched: October 20, 2017
 

The Symantec Endpoint Protection Windows endpoint can encounter a situation
whereby an attacker could use the product's UI to perform unauthorized file
deletes on the resident file system.

 

Symantec Endpoint Protection Tamper-Protection Bypass

CVE-2017-6331

BID: 101502

Severity: Low (CVSSv3: 2.8) (AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Impact: Tamper-Protection Bypass

Exploitation: None

Date patched: October 20, 2017
 
The Symantec Endpoint Protection Windows endpoint can encounter an issue of
Tamper-Protection Bypass, which is a type of attack that bypasses the real time
protection for the application that is run on servers and clients. Tamper
Protection protects Symantec processes and internal objects from these attacks
that non-Symantec processes such as worms, Trojan horses, viruses, and security
risks could make. Note that in this circumstance, the tamper-protection bypass
only allows altering a small amount of text in one element of the UI.


MITIGATION

This issues listed above were validated by the product team engineers. A set of
Symantec Endpoint Protection updates, versions SEP 12.1 RU6 MP9 and SEP 14 RU1,
have been released which address the aforementioned issues. Please ensure you
apply the necessary patches and upgrades accordingly. Symantec Endpoint
Protection's latest releases are available to customers through normal support
channels. At this time, Symantec is not aware of any exploitations or adverse
customer impact from these issues.

Note1: For customers running SEP 14, SEP 14 MP1 or SEP 14 MP2, only the low and
medium severity issues articulated in the aforementioned advisory details
affect the updated SEP 14 product line. The high severity issue does not impact
any instances of SEP 14.

Note2: The aforementioned vulnerabilities only pertain to the SEP client. The
SEPM manager is not affected.
 
 
ACKNOWLEDGEMENTS

  * Matthieu Buffet on behalf of ANSSI (CVE-2017-13681)
  * Clément Lavoillotte @clavoillotte (CVE-2017-13680)
  * John Page AKA hyp3rlinx Apparitionsec (CVE-2017-6331)
 

REVISIONS

- -          Minor edit on Nov 6th, 2017

- -          Added details on specific SEP endpoints

- -          Minor edit to adjust finder contact details


REPORTING VULNERABILITIES TO SYMANTEC

Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows responsible disclosure guidelines.
Symantec has developed a Software Security Vulnerability Management Process
document outlining the process we follow in addressing suspected
vulnerabilities in our products.
Symantec Corporation firmly believes in a proactive approach to secure software
development and implements security review into various stages of the software
development process. Additionally, Symantec is committed to the security of its
products and services as well as to its customers' data. Symantec is committed
to continually improving its software security process.
This document provides an overview of the current Secure Development Lifecycle
(SDLC) practice applicable to Symantec's product and service teams as well as
other software security related activities and policies used by such teams.
This document is intended as a summary and does not represent a comprehensive
list of security testing and practices conducted by Symantec in the software
development process.
Please contact secure@symantec.com if you believe you have discovered a
security issue in a Symantec product. A member of the Symantec Software
Security team will contact you regarding your submission to coordinate any
required response. Symantec strongly recommends using encrypted email for
reporting vulnerability information to secure@symantec.com.
The Symantec Software Security PGP key can be found at the following location:
Symantec Product Vulnerability Management PGP Key
COPYRIGHT (C) BY SYMANTEC CORP.
Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Software Security.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com.
Last modified on: November 6, 2017
Security Response Blog
The State of Spam
Symantec | United States

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWgt3r4x+lLeg9Ub1AQg+5Q//b6tCHVp/DmKHuUs54qOpqlOFA7Q07uic
Vlx3+Gno/g3t82JFRgst8FFB9iuxwhDiMXBWfLn914HOuuQViDHU6EWkjjc0v02/
3K4gHFtzgGsrDVIU9l+25itjv8veUbCbbuehQvg+Yhi/lOIXboUddJDTc+v2bHdm
UnFuOliv4OODhfaNrYZcXwlVhCW6dLDtvG81F6gBNMTUTJUDmgymmWdrXkosARg5
xx+JGxFSu6dxQJC3gPtI6D4e74hgTpUGpc/AN16giAzH1GjJ3d0SpjYNXvUNX1Bx
qAdNYmuv7szjypzVY6Fp1gZCm8BtRnsRfAuLfLwKbuAg03WcjPFGZvXRoGXIxE5D
qQ9oHnSnad4EPiW+DJgFGjkPRkjeOxZ1x9nPJ3jbNHUAIwSV7p/vr4VF8DoMR3Wv
H8hkf6CB2W1z76pxsyYBAy0g+kGan9dUvvdGJOl/CcMQdO8VZtvsjHDgH7ZoQRWk
I/lhavYe0F/LWzBwlnxJb/b5fmfgXQIUQSpBVjXnSnnh8a16XQENzDWN8yV9FN1U
usULx1Wb/TgWRKxvV6i0ycCQE+JcqUpqWFWeZBKQ1I/fM9pl7zn+cxy6pvhjJISR
Cth4vjKISbSh3jUWQnXZlJuvGScdMAJXSyLz0C/fceatrhkE+/pJNt/NIaYQAXmJ
Nba5kuUiY4M=
=bL8I
-----END PGP SIGNATURE-----

« Back to bulletins