-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2889
                Symantec Endpoint Protection Multiple Issues
                              15 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Endpoint Protection
Publisher:         Symantec
Operating System:  Windows
Impact/Access:     Increased Privileges           -- Existing Account
                   Delete Arbitrary Files         -- Existing Account
                   Provide Misleading Information -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13681 CVE-2017-13680 CVE-2017-6331

Original Bulletin:
  https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20171106_00

---------------------------BEGIN INCLUDED TEXT--------------------

Security Advisories Relating to Symantec Products - Symantec Endpoint
Protection Multiple Issues

SYM17-011
November 6, 2017

OVERVIEW

Symantec has released a set of updates to address three issues in the
Symantec Endpoint Protection (SEP) product.

Highest severity issue: High
Number of issues: 3

ISSUES

This update applies to the following issues:

TITLE                          CVE              SEVERITY
SEP Privilege Escalation       CVE-2017-13681   High
SEP Arbitrary File Deletion    CVE-2017-13680   Medium
SEP Tamper-Protection Bypass   CVE-2017-6331    Low

AFFECTED PRODUCTS

Symantec has verified the issues and addressed them in the product updates
for SEP outlined below.

Enterprise

The following Symantec enterprise products are affected.
PRODUCT                                          SOLUTION
Symantec Endpoint Protection prior to            Upgrade to Symantec Endpoint
SEP 12.1 RU6 MP9 for CVE-2017-13681              Protection SEP 12.1 RU6 MP9

Symantec Endpoint Protection prior to            Upgrade to Symantec Endpoint
SEP 12.1 RU6 MP9 & SEP 14 RU1 for                Protection SEP 12.1 RU6 MP9
CVE-2017-13680                                   or SEP 14 RU1

Symantec Endpoint Protection 12.1.X & prior      Upgrade to Symantec Endpoint
to SEP 14 RU1 for CVE-2017-6331                  Protection SEP 14 RU1

ISSUE DETAILS

Symantec Endpoint Protection Privilege Escalation
CVE-2017-13681
BID: 101504
Severity: High (CVSSv3: 8.8) (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Impact: Privilege escalation
Exploitation: None
Date patched: October 20, 2017

The Symantec Endpoint Protection Windows endpoint could be susceptible to a
privilege escalation vulnerability, which is a type of issue that allows a
user to gain elevated access to resources that are normally protected at
lower access levels. In the circumstances of this issue, exploitation is
limited by the need to perform multiple file and directory writes to the
local filesystem and, as such, is not feasible in a standard drive-by type
attack.

Symantec Endpoint Protection Arbitrary File Deletion
CVE-2017-13680
BID: 101503
Severity: Medium (CVSSv3: 6.5) (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
Impact: Arbitrary File Deletion
Exploitation: None
Date patched: October 20, 2017

The Symantec Endpoint Protection Windows endpoint can encounter a situation
whereby an attacker could use the product's UI to perform unauthorized file
deletes on the resident file system.
Symantec Endpoint Protection Tamper-Protection Bypass
CVE-2017-6331
BID: 101502
Severity: Low (CVSSv3: 2.8) (AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
Impact: Tamper-Protection Bypass
Exploitation: None
Date patched: October 20, 2017

The Symantec Endpoint Protection Windows endpoint can encounter an issue of
Tamper-Protection Bypass, which is a type of attack that bypasses the real
time protection for the application that is run on servers and clients.
Tamper Protection protects Symantec processes and internal objects from
attacks that non-Symantec processes such as worms, Trojan horses, viruses,
and security risks could make. Note that in this circumstance, the
tamper-protection bypass only allows altering a small amount of text in one
element of the UI.

MITIGATION

The issues listed above were validated by the product team engineers. A set
of Symantec Endpoint Protection updates, versions SEP 12.1 RU6 MP9 and
SEP 14 RU1, has been released which addresses the aforementioned issues.
Please ensure you apply the necessary patches and upgrades accordingly.
Symantec Endpoint Protection's latest releases are available to customers
through normal support channels. At this time, Symantec is not aware of any
exploitation or adverse customer impact from these issues.

Note 1: For customers running SEP 14, SEP 14 MP1 or SEP 14 MP2, only the low
and medium severity issues articulated in the advisory details above affect
the updated SEP 14 product line. The high severity issue does not impact any
instances of SEP 14.

Note 2: The aforementioned vulnerabilities only pertain to the SEP client.
The SEPM manager is not affected.
ACKNOWLEDGEMENTS

* Matthieu Buffet on behalf of ANSSI (CVE-2017-13681)
* Clément Lavoillotte @clavoillotte (CVE-2017-13680)
* John Page AKA hyp3rlinx Apparitionsec (CVE-2017-6331)

REVISIONS

- Minor edit on Nov 6th, 2017
- Added details on specific SEP endpoints
- Minor edit to adjust finder contact details

REPORTING VULNERABILITIES TO SYMANTEC

Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows responsible disclosure
guidelines. Symantec has developed a Software Security Vulnerability
Management Process document outlining the process we follow in addressing
suspected vulnerabilities in our products.

Symantec Corporation firmly believes in a proactive approach to secure
software development and implements security review into various stages of
the software development process. Additionally, Symantec is committed to
the security of its products and services as well as to its customers'
data. Symantec is committed to continually improving its software security
process. This document provides an overview of the current Secure
Development Lifecycle (SDLC) practice applicable to Symantec's product and
service teams as well as other software security related activities and
policies used by such teams. This document is intended as a summary and
does not represent a comprehensive list of security testing and practices
conducted by Symantec in the software development process.

Please contact secure@symantec.com if you believe you have discovered a
security issue in a Symantec product. A member of the Symantec Software
Security team will contact you regarding your submission to coordinate any
required response. Symantec strongly recommends using encrypted email for
reporting vulnerability information to secure@symantec.com.
The Symantec Software Security PGP key can be found at the following
location: Symantec Product Vulnerability Management PGP Key

COPYRIGHT (C) BY SYMANTEC CORP.

Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Symantec Software
Security. Reprinting the whole or part of this alert in any medium other
than electronically requires permission from secure@symantec.com.

Last modified on: November 6, 2017

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================