Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.0472
SYMSA1505-Symantec Endpoint Protection Multiple Issues
11 February 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Symantec Endpoint Protection (SEP)
Symantec Endpoint Protection Small Business Edition (SEP SBE)
Publisher: Symantec
Operating System: Windows
Linux variants
Mac OS
Impact/Access: Increased Privileges -- Existing Account
Execute Arbitrary Code/Commands -- Existing Account
Denial of Service -- Existing Account
Overwrite Arbitrary Files -- Existing Account
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-5831 CVE-2020-5830 CVE-2020-5829
CVE-2020-5828 CVE-2020-5827 CVE-2020-5826
CVE-2020-5825 CVE-2020-5824 CVE-2020-5823
CVE-2020-5822 CVE-2020-5821 CVE-2020-5820
Original Bulletin:
http://support.symantec.com/us/en/article.SYMSA1505.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Symantec Endpoint Protection Multiple Issues
SYMSA1505
Last Updated February 10, 2020
Initial Publication Date February 03, 2020
Copy Article Title/URL
Feedback
Subscribe
o Status: Closed
o Severity: High
o CVSS Base Score: 7.8
Summary
Affected Products
+-----------------------------------------------------------------------------+
|Symantec Endpoint Protection (SEP) |
| |
|& Symantec Endpoint Protection Small Business Edition (SEP SBE) |
+-------------+------------------------------+--------------------------------+
|CVE |Affected Version(s) |Remediation |
+-------------+------------------------------+--------------------------------+
|CVE-2020-5820| | |
| | | |
|CVE-2020-5821| | |
| | | |
|CVE-2020-5822| | |
| |Prior to 14.2 RU2 MP1 |Upgrade to 14.2 RU2 MP1 |
|CVE-2020-5823|(14.2.5569.2100) |(14.2.5569.2100) |
| | | |
|CVE-2020-5824| | |
| | | |
|CVE-2020-5825| | |
| | | |
|CVE-2020-5826| | |
+-------------+------------------------------+--------------------------------+
+-----------------------------------------------------------+
|Symantec Endpoint Protection Manager (SEPM) |
+-------------+---------------------+-----------------------+
|CVE |Affected Version(s) |Remediation |
+-------------+---------------------+-----------------------+
|CVE-2020-5827| | |
| | | |
|CVE-2020-5828| | |
| | | |
|CVE-2020-5829|Prior to 14.2 RU2 MP1|Upgrade to 14.2 RU2 MP1|
| | | |
|CVE-2020-5830| | |
| | | |
|CVE-2020-5831| | |
+-------------+---------------------+-----------------------+
Issues
+-----------------------------------------------------------------------------+
|CVE-2020-5820 |
+------------+----------------------------------------------------------------+
|Severity/ |High / 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|CVSSv3: | |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 111773 / NVD: CVE-2020-5820 |
| | |
|Impact: |Privilege Escalation |
+------------+----------------------------------------------------------------+
| |Symantec Endpoint Protection (SEP) and Symantec Endpoint |
| |Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 |
| |MP1 and prior to 14.2.5569.2100 respectively, may be susceptible|
|Description:|to a privilege escalation vulnerability, which is a type of |
| |issue whereby an attacker may attempt to compromise the software|
| |application to gain elevated access to resources that are |
| |normally protected from an application or user. |
+------------+----------------------------------------------------------------+
+-----------------------------------------------------------------------------+
|CVE-2020-5821 |
+------------+----------------------------------------------------------------+
|Severity/ |High / 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|CVSSv3: | |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 111771 / NVD: CVE-2020-5821 |
| | |
|Impact: |DLL Injection |
+------------+----------------------------------------------------------------+
| |Symantec Endpoint Protection (SEP) and Symantec Endpoint |
| |Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 |
|Description:|MP1 and prior to 14.2.5569.2100 respectively, may be susceptible|
| |to a DLL injection vulnerability, which is a type of issue |
| |whereby an individual attempts to execute their own code in |
| |place of legitimate code as a means to perform an exploit. |
+------------+----------------------------------------------------------------+
+-----------------------------------------------------------------------------+
|CVE-2020-5822 |
+------------+----------------------------------------------------------------+
|Severity/ |High / 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|CVSSv3: | |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 111774 / NVD: CVE-2020-5822 |
| | |
|Impact: |Privilege Escalation |
+------------+----------------------------------------------------------------+
| |Symantec Endpoint Protection (SEP) and Symantec Endpoint |
| |Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 |
| |MP1 and prior to 14.2.5569.2100 respectively, may be susceptible|
|Description:|to a privilege escalation vulnerability, which is a type of |
| |issue whereby an attacker may attempt to compromise the software|
| |application to gain elevated access to resources that are |
| |normally protected from an application or user. |
+------------+----------------------------------------------------------------+
+-----------------------------------------------------------------------------+
|CVE-2020-5823 |
+------------+----------------------------------------------------------------+
|Severity/ |High / 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|CVSSv3: | |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 111775 / NVD: CVE-2020-5823 |
| | |
|Impact: |Privilege Escalation |
+------------+----------------------------------------------------------------+
| |Symantec Endpoint Protection (SEP) and Symantec Endpoint |
| |Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 |
| |MP1 and prior to 14.2.5569.2100 respectively, may be susceptible|
|Description:|to a privilege escalation vulnerability, which is a type of |
| |issue whereby an attacker may attempt to compromise the software|
| |application to gain elevated access to resources that are |
| |normally protected from an application or user. |
+------------+----------------------------------------------------------------+
+-----------------------------------------------------------------------------+
|CVE-2020-5824 |
+------------+----------------------------------------------------------------+
|Severity/ |Medium / 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|CVSSv3: | |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 111776 / NVD: CVE-2020-5824 |
| | |
|Impact: |Denial of Service |
+------------+----------------------------------------------------------------+
| |Symantec Endpoint Protection (SEP) and Symantec Endpoint |
| |Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 |
| |MP1 and prior to 14.2.5569.2100 respectively, may be susceptible|
|Description:|to a denial of service vulnerability, which is a type of issue |
| |whereby a threat actor attempts to tie up the resources of a |
| |resident application, thereby making certain functions |
| |unavailable. |
+------------+----------------------------------------------------------------+
+-----------------------------------------------------------------------------+
|CVE-2020-5825 |
+------------+----------------------------------------------------------------+
|Severity/ |Medium / 6.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H |
|CVSSv3: | |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 111778 / NVD: CVE-2020-5825 |
| | |
|Impact: |Arbitrary File Write |
+------------+----------------------------------------------------------------+
| |Symantec Endpoint Protection (SEP) and Symantec Endpoint |
| |Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 |
|Description:|MP1 and prior to 14.2.5569.2100 respectively, may be susceptible|
| |to an arbitrary file write vulnerability, which is a type of |
| |issue whereby an attacker is able to overwrite existing files on|
| |the resident system without proper privileges. |
+------------+----------------------------------------------------------------+
+-----------------------------------------------------------------------------+
|CVE-2020-5826 |
+------------+----------------------------------------------------------------+
|Severity/ |Medium / 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|CVSSv3: | |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 111777 / NVD: CVE-2020-5826 |
| | |
|Impact: |Out of Bounds |
+------------+----------------------------------------------------------------+
| |Symantec Endpoint Protection (SEP) and Symantec Endpoint |
| |Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 |
|Description:|MP1 and prior to 14.2.5569.2100 respectively, may be susceptible|
| |to an out of bounds vulnerability, which is a type of issue that|
| |results in an existing application reading memory outside of the|
| |bounds of the memory that had been allocated to the program. |
+------------+----------------------------------------------------------------+
+-----------------------------------------------------------------------------+
|CVE-2020-5827 |
+------------+----------------------------------------------------------------+
|Severity/ |Low / 3.3 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
|CVSSv3: | |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 111781 / NVD: CVE-2020-5827 |
| | |
|Impact: |Out of Bounds |
+------------+----------------------------------------------------------------+
| |Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 |
| |MP1, may be susceptible to an out of bounds vulnerability, which|
|Description:|is a type of issue that results in an existing application |
| |reading memory outside of the bounds of the memory that had been|
| |allocated to the program. |
+------------+----------------------------------------------------------------+
+-----------------------------------------------------------------------------+
|CVE-2020-5828 |
+------------+----------------------------------------------------------------+
|Severity/ |Low / 3.3 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
|CVSSv3: | |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 111782 / NVD: CVE-2020-5828 |
| | |
|Impact: |Out of Bounds |
+------------+----------------------------------------------------------------+
| |Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 |
| |MP1, may be susceptible to an out of bounds vulnerability, which|
|Description:|is a type of issue that results in an existing application |
| |reading memory outside of the bounds of the memory that had been|
| |allocated to the program. |
+------------+----------------------------------------------------------------+
+-----------------------------------------------------------------------------+
|CVE-2020-5829 |
+------------+----------------------------------------------------------------+
|Severity/ |Low / 3.3 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
|CVSSv3: | |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 111785 / NVD: CVE-2020-5829 |
| | |
|Impact: |Out of Bounds |
+------------+----------------------------------------------------------------+
| |Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 |
| |MP1, may be susceptible to an out of bounds vulnerability, which|
|Description:|is a type of issue that results in an existing application |
| |reading memory outside of the bounds of the memory that had been|
| |allocated to the program. |
+------------+----------------------------------------------------------------+
+-----------------------------------------------------------------------------+
|CVE-2020-5830 |
+------------+----------------------------------------------------------------+
|Severity/ |Low / 3.3 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
|CVSSv3: | |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 111786 / NVD: CVE-2020-5830 |
| | |
|Impact: |Out of Bounds |
+------------+----------------------------------------------------------------+
| |Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 |
| |MP1, may be susceptible to an out of bounds vulnerability, which|
|Description:|is a type of issue that results in an existing application |
| |reading memory outside of the bounds of the memory that had been|
| |allocated to the program. |
+------------+----------------------------------------------------------------+
+-----------------------------------------------------------------------------+
|CVE-2020-5831 |
+------------+----------------------------------------------------------------+
|Severity/ |Low / 3.3 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
|CVSSv3: | |
+------------+----------------------------------------------------------------+
|References: |Security Focus: BID 111787 / NVD: CVE-2020-5831 |
| | |
|Impact: |Out of Bounds |
+------------+----------------------------------------------------------------+
| |Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 |
| |MP1, may be susceptible to an out of bounds vulnerability, which|
|Description:|is a type of issue that results in an existing application |
| |reading memory outside of the bounds of the memory that had been|
| |allocated to the program. |
+------------+----------------------------------------------------------------+
Mitigation
The following product updates have been made available to customers to
remediate these issues:
o SEP 14.2 RU2 MP1 (14.2.5569.2100)
o SEPM 14.2 RU2 MP1
o SEP SBE 14.2 RU2 MP1 (14.2.5569.2100)
Symantec recommends the following measures to reduce risk of attack:
o Restrict access to administrative or management systems to authorized
privileged users.
o Restrict remote access to trusted/authorized systems only.
o Run under the principle of least privilege, where possible, to limit the
impact of potential exploit.
o Keep all operating systems and applications current with vendor patches.
o Follow a multi-layered approach to security. At a minimum, run both
firewall and antimalware applications to provide multiple points of
detection and protection for both inbound and outbound threats.
o Deploy network and host-based intrusion detection systems to monitor
network traffic for signs of anomalous or suspicious activity. This may aid
in the detection of attacks or malicious activity related to the
exploitation of latent vulnerabilities.
Acknowledgements
o CVE-2020-5820: Z0mb1E working with Trend Micro Zero Day Initiative
o CVE-2020-5821: Z0mb1E
o CVE-2020-5822: Z0mb1E working with Trend Micro Zero Day Initiative
o CVE-2020-5823: Z0mb1E working with Trend Micro Zero Day Initiative
o CVE-2020-5824: Z0mb1E working with Trend Micro Zero Day Initiative
o CVE-2020-5825: Z0mb1E working with Trend Micro Zero Day Initiative
o CVE-2020-5826: Z0mb1E working with Trend Micro Zero Day Initiative
o CVE-2020-5827: Z0mb1E working with Trend Micro Zero Day Initiative
o CVE-2020-5828: KPC of Trend Micro Zero Day Initiative
o CVE-2020-5829: KPC of Trend Micro Zero Day Initiative
o CVE-2020-5830: KPC of Trend Micro Zero Day Initiative
o CVE-2020-5831: KPC of Trend Micro Zero Day Initiative
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXkIo0WaOgq3Tt24GAQiHahAA2yOy77faJJZAHq2BAWhRAZMFGeC3v0Kt
PhRdrDo5pRZHeGbPVIGkVU3q1bfDEAaTly3tk7gDDXNeC3s6XrSNJZS0y8lAknya
sPyGTrgAnyJ4fzuedsTcJ3GKZiO0KQFpNw0hpzTOv3ZQ7Ep+EF1Q3/TLqhVnR4CY
/Y/73JtPUqG1WlwUlNSUzXH1nwqFBN/wsLrjXscEu76SXLKS8oZilrrdUmnb+R0C
s7T7ri/NaIMQKULCyio+p3RjfuXY8e8gEDQf7LokpzG8CEQatyiuby0afCIQQcQe
mxaTJW3JwYUzvKFTsu45MHI8rUv3YFIQqUSG79EviUz4M2RsjHSoPP2WtJr+g3Zn
avqhqqPliGPw862/QgXTwiXdDlzzTglRgu7OhP/VxIGFDvUWO4vXzY1ocdvakSyj
yaUMX4hT1Yf2jrr9+8NPqKTZ6FM4vuC+mcPFFJKHXu+do4nfkq0bkb6edI7PEAbC
ZzkzjtdH8jGGsI3cpDoIZ69KA9ilqR12rSLhGE4Q7/KkWLTGL0Cfj+527xLsrOES
K/+fBJNkFUjhNnsgKvOR6CsG0kTG5atFLUII4lEHZ3j7PnO9tIr0rWtgQSoPPNVH
7B3W4SI3QW0ksf2KOt8yhZzxSGIp821BgVN855VG4CKpxOz4S1bfWirHZ+YEYL88
YXUPo/rVp6k=
=qQlo
-----END PGP SIGNATURE-----