ESB-2015.2062 - ALERT [Win] Symantec Endpoint Protection Manager: Multiple vulnerabilities

Date: 11 August 2015
References: ESB-2015.2792  ESB-2016.0155  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2062
        SYM15-007 Security Advisories Relating to Symantec Products
              - Symantec Endpoint Protection Multiple Issues
                              11 August 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Endpoint Protection Manager
Publisher:         Symantec
Operating System:  Windows
Impact/Access:     Administrator Compromise        -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Existing Account      
                   Access Privileged Data          -- Existing Account      
                   Create Arbitrary Files          -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1492 CVE-2015-1491 CVE-2015-1490
                   CVE-2015-1489 CVE-2015-1488 CVE-2015-1487
                   CVE-2015-1486  

Original Bulletin: 
   https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150730_00

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Advisories Relating to Symantec Products - Symantec Endpoint 
Protection Multiple Issues

SYM15-007

July 30, 2015

Revisions

08/03/2015 Added note that proof-of-concept code has been released publicly.

Mitigation for Client Binary Planting was removed due to inadvertent side 
effects. Customers that previously implemented that mitigation should recreate
an empty SmcLU directory in the original location (for example, C:\Program 
Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\SmcLu).

Severity

Issue                       Severity  CVSS2 Base  Impact  Exploitability  CVSS2 Vector

SEPM Authentication Bypass  High      7.5         6.4     10              AV:N/AC:L/Au:N/C:P/I:P/A:P
SEPM Arbitrary File Write   Medium    5.5         4.9     8.0             AV:N/AC:L/Au:S/C:N/I:P/A:P
SEPM Arbitrary File Read    Medium    4.0         2.9     8.0             AV:N/AC:L/Au:S/C:P/I:N/A:N
SEPM Privilege Escalation   High      8.5         10      6.8             AV:N/AC:M/Au:S/C:C/I:C/A:C
SEPM SQL Injection          Medium    6.0         6.4     6.8             AV:N/AC:M/Au:S/C:P/I:P/A:P
SEPM Path Traversal         Medium    5.5         4.9     8.0             AV:N/AC:L/Au:S/C:N/I:P/A:P
SEP Client Binary Planting  High      8.5         10      6.8             AV:N/AC:M/Au:S/C:C/I:C/A:C

NOTE: Proof of concept code has been publicly released

Overview

The management console for Symantec Endpoint Protection Manager (SEPM) is 
susceptible to multiple vulnerabilities including SQL Injection, 
authentication bypass, possible path traversal and the potential for arbitrary
file read/write. SEP clients are susceptible to a binary planting 
vulnerability that could result in arbitrary code running with system 
privileges on a client.

Affected Products

Product                               Version  Build  Solution(s)

Symantec Endpoint Protection Manager  12.1     All    Update to 12.1-RU6-MP1
Symantec Endpoint Protection Clients  12.1     All    Update to 12.1-RU6-MP1

Details

The management console for Symantec Endpoint Protection Manager (SEPM) is 
susceptible to manipulation of the password reset functionality, which could 
cause a new administrative session to be created and assigned to the 
requestor. That session can then be used to access the server without proper 
authentication.

An arbitrary file write vulnerability exists due to improper file name 
validation in a console session that could allow an authorized SEPM user to 
write arbitrary files in the context of the corresponding user. There is also
an arbitrary file read vulnerability due to improper validation in one of the
action handlers. This could allow an authenticated user to read arbitrary 
files they may not have been authorized access to. Further, by leveraging the
file write vulnerability, an authorized but less-privileged user could 
potentially manipulate SEPM services to launch arbitrary code with 
administrator privileges to further elevate their normal privileges.

SEPM does not properly validate/sanitize SQL input. This could enable an 
authorized but less-privileged user to potentially run an unauthorized 
arbitrary SQL query against the backend database. This would include Limited 
Administrators as implemented in Symantec Endpoint Protection Manager. This 
could possibly allow access to or manipulation of data resulting in potential
unauthorized access to restricted server-side data and possible ability to 
leverage additional console management functionality.

Also identified was the potential for a path traversal issue during the 
importing of a client installation package to SEPM. The package is not 
sufficiently validated/sanitized during the process. A malicious individual 
could potentially submit a specifically configured package containing a 
relative path of their creation in an attempt to access files and/or 
directories external to the authorized install folder.

SEP clients are susceptible to a potential binary planting/DLL preloading 
issue resulting from not properly restricting the loading of external 
libraries. An authorized but malicious user with access to a system could 
potentially insert a specifically-crafted library into a client install 
package. Successful exploitation could allow unauthorized arbitrary code to be
executed with system privileges.

In a recommended installation, the Symantec Endpoint Protection Manager server
should never be accessible from outside the network. This still allows 
internal attack attempts by malicious less-privileged users, but it should 
restrict external attack attempts. However, a malicious, non-authorized 
individual could leverage known trust-exploitation methods to compromise a 
client user in an attempt to gain network/system access. These exploitation 
attempts generally require enticing a previously authenticated user to access 
a malicious link, for example in a web page or in an HTTP email.

Symantec Response

Symantec product engineers verified these issues. SEPM 12.1-RU6-MP1 contains 
updates that address these issues. Customers should implement the mitigations
described below until the available update can be installed to address these 
issues. Symantec is not aware of exploitation of or adverse customer impact 
from this issue.

Update Information

Symantec Endpoint Protection Manager 12.1-RU6-MP1 is available from Symantec 
File Connect.

Mitigations

For SEPM Authentication Bypass - High:

Customers that cannot immediately upgrade their SEPM to RU6 MP1 can mitigate 
the issue by manually disabling the option for SEPM administrators to reset 
their passwords.

To disable password resets:

1. In the Symantec Endpoint Protection Manager console, click Admin.
2. In the Admin page, under Tasks, click Servers.
3. In the Admin page, under View, expand Local Site (Site site name) or expand
   Remote Site.
4. Select the site whose properties you want to edit.
5. In the Admin page, under Tasks, click Edit Site Properties.
6. Select the Passwords tab.
7. Uncheck the selection for "Allow administrators to reset the passwords".
8. Click OK.

Note: This will need to be configured for each site in the environment.

Symantec will be releasing the following IPS signatures to detect/prevent 
attempts against some of these issues in SEPM. These detections will be 
available through normal Symantec security update channels.

28651 (Web Attack: SEPM SQL Injection)

28650 (Web Attack: SEPM Directory Traversal)

28649 (Web Attack: SEPM unauthenticated password reset)

Best Practices

As part of normal best practices, Symantec strongly recommends the following:

Restrict access to administrative or management systems to authorized 
privileged users.

Restrict remote access, if required, to trusted/authorized systems only.

Run under the principle of least privilege where possible to limit the impact
of potential exploit.

Keep all operating systems and applications current with vendor patches.

Follow a multi-layered approach to security. At a minimum, run both firewall 
and anti-malware applications to provide multiple points of detection and 
protection to both inbound and outbound threats.

Deploy network- and host-based intrusion detection systems to monitor network
traffic for signs of anomalous or suspicious activity. This may aid in the 
detection of attacks or malicious activity related to the exploitation of 
latent vulnerabilities.

Credit

Symantec would like to thank Markus Wulftange of Code White 
(http://www.code-white.com), for reporting these issues and working very 
closely with Symantec as they were addressed.

References

CVE: These issues are candidates for inclusion in the CVE list 
(http://cve.mitre.org/cve), which standardizes identifiers for security 
problems.

BID: Symantec SecurityFocus, http://www.securityfocus.com, has assigned 
Bugtraq IDs (BIDs) to these issues for inclusion in the Security Focus 
vulnerability database.

CVE            BID        Description

CVE-2015-1486  BID 76074  SEPM Authentication Bypass
CVE-2015-1487  BID 76094  SEPM Arbitrary File Write
CVE-2015-1488  BID 76077  SEPM Arbitrary File Read
CVE-2015-1489  BID 76078  SEPM Privilege Escalation
CVE-2015-1490  BID 76081  SEPM Path Traversal
CVE-2015-1491  BID 76079  SEPM SQL Injection
CVE-2015-1492  BID 76083  SEP Client Binary Planting

Symantec takes the security and proper functionality of our products very 
seriously. As founding members of the Organization for Internet Safety 
(OISafety), Symantec supports and follows responsible disclosure guidelines.

Please contact secure@symantec.com if you feel you have discovered a security
issue in a Symantec product. A member of the Symantec Product Security team 
will contact you regarding your submission to coordinate any required 
response. Symantec strongly recommends using encrypted email for reporting 
vulnerability information to secure@symantec.com. The Symantec Product 
Security PGP key can be found at the location below.

Symantec has developed a Product Vulnerability Response document outlining the
process we follow in addressing suspected vulnerabilities in our products. 
This document is available below.

Symantec Vulnerability Response Policy

Symantec Product Vulnerability Management PGP Key

Copyright (c) 2015 by Symantec Corp.

Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Product Security. 
Reprinting the whole or part of this alert in any medium other than 
electronically requires permission from secure@symantec.com

Disclaimer

The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. Use of the information 
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage 
arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Product Security, and 
secure@symantec.com are registered trademarks of Symantec Corp. and/or 
affiliated companies in the United States and other countries. All other 
registered and unregistered trademarks represented in this document are the 
sole property of their respective companies/owners.

* Signature names may have been updated to comply with an updated IPS 
Signature naming convention. See 
http://www.symantec.com/business/support/index?page=content&id=TECH152794&key=54619&actp=LIST
for more information.

Last modified on: July 30, 2015

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================