-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4318
          SYMSA1488-Symantec Endpoint Protection Multiple Issues
                             15 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Endpoint Protection
Publisher:         Symantec
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18372 CVE-2019-12759 CVE-2019-12758
                   CVE-2019-12757 CVE-2019-12756 CVE-2018-18368
                   CVE-2018-18367

Original Bulletin: 
   http://support.symantec.com/us/en/article.SYMSA1488.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Symantec Endpoint Protection Multiple Issues

SYMSA1488
Last Updated November 14, 2019
Initial Publication Date July 30, 2019


  o Status: Closed
  o Severity: High
  o CVSS Base Score: 7.8

Summary

Affected Products


+------------------------------------------------------+
|Symantec Endpoint Protection Manager (SEPM)           |
+--------------+-------------------+-------------------+
|CVE           |Affected Version(s)|Remediation        |
+--------------+-------------------+-------------------+
|CVE-2018-18368|Prior to 14.2 RU1  |Upgrade to 14.2 RU1|
+--------------+-------------------+-------------------+

+------------------------------------------------------+
|Symantec Endpoint Protection Manager (SEPM)           |
+--------------+-------------------+-------------------+
|CVE           |Affected Version(s)|Remediation        |
+--------------+-------------------+-------------------+
|CVE-2019-12759|Prior to 14.2 RU2  |Upgrade to 14.2 RU2|
+--------------+-------------------+-------------------+

+------------------------------------------------------+
|Symantec Endpoint Protection (SEP)                    |
+--------------+-------------------+-------------------+
|CVE           |Affected Version(s)|Remediation        |
+--------------+-------------------+-------------------+
|CVE-2019-12756|                   |                   |
|              |                   |                   |
|CVE-2019-12758|Prior to 14.2 RU2  |Upgrade to 14.2 RU2|
|              |                   |                   |
|CVE-2019-18372|                   |                   |
+--------------+-------------------+-------------------+

+--------------------------------------------------------------------+
|Symantec Endpoint Protection (SEP)                                  |
+--------------+---------------------------------+-------------------+
|CVE           |Affected Version(s)              |Remediation        |
+--------------+---------------------------------+-------------------+
|CVE-2019-12757|Prior to 14.2 RU2 & 12.1 RU6 MP10|Upgrade to 14.2 RU2|
+--------------+---------------------------------+-------------------+

+-----------------------------------------------------------------------------+
|Symantec Endpoint Protection Small Business Edition (SEP SBE)                |
+--------------+------------------------------+-------------------------------+
|CVE           |Affected Version(s)           |Remediation                    |
+--------------+------------------------------+-------------------------------+
|CVE-2019-12757|Prior to 12.1 RU6 MP10d       |Upgrade to 12.1 RU6 MP10d      |
|              |(12.1.7510.7002)              |(12.1.7510.7002)               |
+--------------+------------------------------+-------------------------------+

+--------------------------------------------------------------------+
|Symantec Mail Security for MS Exchange (SMSMSE)                     |
+--------------+-------------------+---------------------------------+
|CVE           |Affected Version(s)|Remediation                      |
+--------------+-------------------+---------------------------------+
|              |                   |Upgrade to 7.9.x                 |
|              |                   |                                 |
|CVE-2019-12759|Prior to 7.5.x     |Or                               |
|              |                   |                                 |
|              |                   |Apply the HF provided in the link|
+--------------+-------------------+---------------------------------+

Issues


+-----------------------------------------------------------------------------+
|CVE-2018-18368                                                               |
+------------+----------------------------------------------------------------+
|Severity/   |Medium / 6.8 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:H                |
|CVSSv3:     |                                                                |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 109439 / NVD: CVE-2018-18368                |
|            |                                                                |
|Impact:     |Privilege Escalation                                            |
+------------+----------------------------------------------------------------+
|            |Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU1, |
|            |may be susceptible to a privilege escalation vulnerability,     |
|Description:|which is a type of issue whereby an attacker may attempt to     |
|            |compromise the software application to gain elevated access to  |
|            |resources that are normally protected from an application or    |
|            |user.                                                           |
+------------+----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|CVE-2019-12756                                                               |
+------------+----------------------------------------------------------------+
|Severity/   |Low / 2.3 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N                   |
|CVSSv3:     |                                                                |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 110785 / NVD: CVE-2019-12756                |
|            |                                                                |
|Impact:     |Password Protection Bypass                                      |
+------------+----------------------------------------------------------------+
|            |Symantec Endpoint Protection (SEP), prior to 14.2 RU2 may be    |
|Description:|susceptible to a password protection bypass vulnerability       |
|            |whereby the secondary layer of password protection could be     |
|            |bypassed for individuals with local administrator rights.       |
+------------+----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|CVE-2019-12757                                                               |
+------------+----------------------------------------------------------------+
|Severity/   |High / 7.3 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H                  |
|CVSSv3:     |                                                                |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 110786 / NVD: CVE-2019-12757                |
|            |                                                                |
|Impact:     |Privilege Escalation                                            |
+------------+----------------------------------------------------------------+
|            |Symantec Endpoint Protection (SEP), prior to 14.2 RU2 & 12.1 RU6|
|            |MP10 and Symantec Endpoint Protection Small Business Edition    |
|            |(SEP SBE) prior to 12.1 RU6 MP10d (12.1.7510.7002), may be      |
|Description:|susceptible to a privilege escalation vulnerability, which is a |
|            |type of issue whereby an attacker may attempt to compromise the |
|            |software application to gain elevated access to resources that  |
|            |are normally protected from an application or user.             |
+------------+----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|CVE-2019-12758                                                               |
+------------+----------------------------------------------------------------+
|Severity/   |Low / 3.4 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L                   |
|CVSSv3:     |                                                                |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 110787 / NVD: CVE-2019-12758                |
|            |                                                                |
|Impact:     |Unsigned Code Execution                                         |
+------------+----------------------------------------------------------------+
|            |Symantec Endpoint Protection, prior to 14.2 RU2, may be         |
|Description:|susceptible to an unsigned code execution vulnerability, which  |
|            |may allow an individual to execute code that does not carry a   |
|            |proper digital signature.                                       |
+------------+----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|CVE-2019-12759                                                               |
+------------+----------------------------------------------------------------+
|Severity/   |High / 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H                  |
|CVSSv3:     |                                                                |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 110788 / NVD: CVE-2019-12759                |
|            |                                                                |
|Impact:     |Privilege Escalation                                            |
+------------+----------------------------------------------------------------+
|            |Symantec Endpoint Protection Manager (SEPM) and Symantec Mail   |
|            |Security for MS Exchange (SMSMSE), prior to versions 14.2 RU2   |
|            |and 7.5.x respectively, may be susceptible to a privilege       |
|Description:|escalation vulnerability, which is a type of issue whereby an   |
|            |attacker may attempt to compromise the software application to  |
|            |gain elevated access to resources that are normally protected   |
|            |from an application or user.                                    |
+------------+----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|CVE-2019-18372                                                               |
+------------+----------------------------------------------------------------+
|Severity/   |Medium / 5.3 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L                |
|CVSSv3:     |                                                                |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 110789 / NVD: CVE-2019-18372                |
|            |                                                                |
|Impact:     |Privilege Escalation                                            |
+------------+----------------------------------------------------------------+
|            |Symantec Endpoint Protection, prior to 14.2 RU2, may be         |
|            |susceptible to a privilege escalation vulnerability, which is a |
|Description:|type of issue whereby an attacker may attempt to compromise the |
|            |software application to gain elevated access to resources that  |
|            |are normally protected from an application or user.             |
+------------+----------------------------------------------------------------+

Mitigation
The aforementioned issues were validated by product team engineers. The
following product updates have been made available to customers to remediate
these issues:

  o SEP 14.2 RU1
  o SEP 14.2 RU2
  o SEPM 14.2 RU2
  o SEP SBE 12.1 RU6 MP10d (12.1.7510.7002)
  o SMSMSE 7.9.x (or apply the HF provided in the link)

The listed product updates are available to customers through normal support
channels. At this time, Symantec is not aware of any exploitations or adverse
customer impact from these issues.

Symantec recommends the following measures to reduce risk of attack:

  o Restrict access to administrative or management systems to authorized
    privileged users.
  o Restrict remote access to trusted/authorized systems only.
  o Run under the principle of least privilege, where possible, to limit the
    impact of potential exploit.
  o Keep all operating systems and applications current with vendor patches.
  o Follow a multi-layered approach to security. At a minimum, run both
    firewall and anti-malware applications to provide multiple points of
    detection and protection for both inbound and outbound threats.
  o Deploy network and host-based intrusion detection systems to monitor
    network traffic for signs of anomalous or suspicious activity. This may aid
    in the detection of attacks or malicious activity related to the
    exploitation of latent vulnerabilities.

Acknowledgements
  o CVE-2018-18367: Ilias Dimopoulos (a.k.a. gweeperx)
  o CVE-2019-12756: Basant Sekhani <basant.sekhani@ideastoimpacts.com> Ideas to
    Impacts Innovations Pvt Ltd
  o CVE-2019-12757: Matt Nelson <matt@specterops.io> of SpecterOps
  o CVE-2019-12758: Peleg Hadar <peleg.hadar@safebreach.com>
  o CVE-2019-12759: Z0mb1E working with Trend Micro Zero Day Initiative
  o CVE-2019-18372: gweeperx working with Trend Micro Zero Day Initiative

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----