Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.2889
Symantec Endpoint Protection Multiple Issues
15 November 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Symantec Endpoint Protection
Publisher: Symantec
Operating System: Windows
Impact/Access: Increased Privileges -- Existing Account
Delete Arbitrary Files -- Existing Account
Provide Misleading Information -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2017-13681 CVE-2017-13680 CVE-2017-6331
Original Bulletin:
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20171106_00
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Advisories Relating to Symantec Products - Symantec Endpoint
Protection Multiple Issues
SYM17-011
November 6, 2017
OVERVIEW
Symantec has released a set of updates to address three issues in the Symantec
Endpoint Protection (SEP) product.
Highest severity issue: High
Number of issues: 3
ISSUES
This update applies to the following issues:
TITLE CVE SEVERITY
SEP Privilege Escalation CVE-2017-13681 High
SEP Arbitrary File Deletion CVE-2017-13680 Medium
SEP Tamper-Protection Bypass CVE-2017-6331 Low
AFFECTED PRODUCTS
Symantec has verified the issues and addressed them in product updates for SEP
outlined below.
Enterprise
The following Symantec enterprise products are affected.
PRODUCT SOLUTION
Symantec Endpoint Protection prior to SEP Upgrade to Symantec Endpoint
12.1 RU6 MP9 for CVE-2017-13681 Protection SEP 12.1 RU6 MP9
Symantec Endpoint Protection prior to SEP Upgrade to Symantec Endpoint
12.1 RU6 MP9 & SEP 14 RU1 for Protection SEP 12.1 RU6 MP9 or SEP
CVE-2017-13680 14 RU1
Symantec Endpoint Protection 12.1.X & prior Upgrade to Symantec Endpoint
to SEP 14 RU1 for CVE-2017-6331 Protection SEP 14 RU1
ISSUE DETAILS
Symantec Endpoint Protection Privilege Escalation
CVE-2017-13681
BID: 101504
Severity: High (CVSSv3: 8.8) (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Impact: Privilege escalation
Exploitation: None
Date patched: October 20, 2017
The Symantec Endpoint Protection Windows endpoint could be susceptible to a
privilege escalation vulnerability, which is a type of issue that allows a user
to gain elevated access to resources that are normally protected at lower
access levels. In the circumstances of this issue, the capability of exploit is
limited by the need to perform multiple file and directory writes to the local
filesystem and as such, is not feasible in a standard drive-by type attack.
Symantec Endpoint Protection Arbitrary File Deletion
CVE-2017-13680
BID: 101503
Severity: Medium (CVSSv3: 6.5) (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
Impact: Arbitrary File Deletion
Exploitation: None
Date patched: October 20, 2017
The Symantec Endpoint Protection Windows endpoint can encounter a situation
whereby an attacker could use the product's UI to perform unauthorized file
deletes on the resident file system.
Symantec Endpoint Protection Tamper-Protection Bypass
CVE-2017-6331
BID: 101502
Severity: Low (CVSSv3: 2.8) (AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
Impact: Tamper-Protection Bypass
Exploitation: None
Date patched: October 20, 2017
The Symantec Endpoint Protection Windows endpoint can encounter an issue of
Tamper-Protection Bypass, which is a type of attack that bypasses the real time
protection for the application that is run on servers and clients. Tamper
Protection protects Symantec processes and internal objects from these attacks
that non-Symantec processes such as worms, Trojan horses, viruses, and security
risks could make. Note that in this circumstance, the tamper-protection bypass
only allows altering a small amount of text in one element of the UI.
MITIGATION
This issues listed above were validated by the product team engineers. A set of
Symantec Endpoint Protection updates, versions SEP 12.1 RU6 MP9 and SEP 14 RU1,
have been released which address the aforementioned issues. Please ensure you
apply the necessary patches and upgrades accordingly. Symantec Endpoint
Protection's latest releases are available to customers through normal support
channels. At this time, Symantec is not aware of any exploitations or adverse
customer impact from these issues.
Note1: For customers running SEP 14, SEP 14 MP1 or SEP 14 MP2, only the low and
medium severity issues articulated in the aforementioned advisory details
affect the updated SEP 14 product line. The high severity issue does not impact
any instances of SEP 14.
Note2: The aforementioned vulnerabilities only pertain to the SEP client. The
SEPM manager is not affected.
ACKNOWLEDGEMENTS
* Matthieu Buffet on behalf of ANSSI (CVE-2017-13681)
* Clément Lavoillotte @clavoillotte (CVE-2017-13680)
* John Page AKA hyp3rlinx Apparitionsec (CVE-2017-6331)
REVISIONS
- - Minor edit on Nov 6th, 2017
- - Added details on specific SEP endpoints
- - Minor edit to adjust finder contact details
REPORTING VULNERABILITIES TO SYMANTEC
Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows responsible disclosure guidelines.
Symantec has developed a Software Security Vulnerability Management Process
document outlining the process we follow in addressing suspected
vulnerabilities in our products.
Symantec Corporation firmly believes in a proactive approach to secure software
development and implements security review into various stages of the software
development process. Additionally, Symantec is committed to the security of its
products and services as well as to its customers' data. Symantec is committed
to continually improving its software security process.
This document provides an overview of the current Secure Development Lifecycle
(SDLC) practice applicable to Symantec's product and service teams as well as
other software security related activities and policies used by such teams.
This document is intended as a summary and does not represent a comprehensive
list of security testing and practices conducted by Symantec in the software
development process.
Please contact secure@symantec.com if you believe you have discovered a
security issue in a Symantec product. A member of the Symantec Software
Security team will contact you regarding your submission to coordinate any
required response. Symantec strongly recommends using encrypted email for
reporting vulnerability information to secure@symantec.com.
The Symantec Software Security PGP key can be found at the following location:
Symantec Product Vulnerability Management PGP Key
COPYRIGHT (C) BY SYMANTEC CORP.
Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Software Security.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com.
Last modified on: November 6, 2017
Security Response Blog
The State of Spam
Symantec | United States
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWgt3r4x+lLeg9Ub1AQg+5Q//b6tCHVp/DmKHuUs54qOpqlOFA7Q07uic
Vlx3+Gno/g3t82JFRgst8FFB9iuxwhDiMXBWfLn914HOuuQViDHU6EWkjjc0v02/
3K4gHFtzgGsrDVIU9l+25itjv8veUbCbbuehQvg+Yhi/lOIXboUddJDTc+v2bHdm
UnFuOliv4OODhfaNrYZcXwlVhCW6dLDtvG81F6gBNMTUTJUDmgymmWdrXkosARg5
xx+JGxFSu6dxQJC3gPtI6D4e74hgTpUGpc/AN16giAzH1GjJ3d0SpjYNXvUNX1Bx
qAdNYmuv7szjypzVY6Fp1gZCm8BtRnsRfAuLfLwKbuAg03WcjPFGZvXRoGXIxE5D
qQ9oHnSnad4EPiW+DJgFGjkPRkjeOxZ1x9nPJ3jbNHUAIwSV7p/vr4VF8DoMR3Wv
H8hkf6CB2W1z76pxsyYBAy0g+kGan9dUvvdGJOl/CcMQdO8VZtvsjHDgH7ZoQRWk
I/lhavYe0F/LWzBwlnxJb/b5fmfgXQIUQSpBVjXnSnnh8a16XQENzDWN8yV9FN1U
usULx1Wb/TgWRKxvV6i0ycCQE+JcqUpqWFWeZBKQ1I/fM9pl7zn+cxy6pvhjJISR
Cth4vjKISbSh3jUWQnXZlJuvGScdMAJXSyLz0C/fceatrhkE+/pJNt/NIaYQAXmJ
Nba5kuUiY4M=
=bL8I
-----END PGP SIGNATURE-----