Australia's Leading Computer Emergency Response Team
ASB-2016.0031 - [Win] Symantec Endpoint Protection Manager and Client: Multiple vulnerabilities

Date: 21 March 2016


===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0031
         Multiple vulnerabilities have been identified in Symantec
                  Endpoint Protection Manager and Client
                               21 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Symantec Endpoint Protection Manager
                      Symantec Endpoint Protection Client
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Request Forgery      -- Remote with User Interaction
                      Increased Privileges            -- Existing Account
Resolution:           Alternate Program
CVE Names:            CVE-2015-8154 CVE-2015-8153 CVE-2015-8152
Member content until: Wednesday, April 20 2016

Comment: Symantec advises that customers not using Application and Device 
         Control (ADC) are not impacted by the client issue, CVE-2015-8154. 
         Mitigation steps are provided for disabling the ADC driver or 
         uninstalling ADC.

OVERVIEW

        Multiple vulnerabilities have been identified in Symantec Endpoint 
        Protection Manager and Client prior to version SEP 12.1-RU6-MP4. [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerabilities:
        
        CVE-2015-8152: "The management console for SEPM contained a 
        cross-site request forgery vulnerability that was the result of an 
        insufficient security check in SEPM. An authorized but 
        less-privileged user could potentially include arbitrary code in 
        authorized logging scripts. When submitted to SEPM, successful 
        execution could possibly result in the user gaining unauthorized 
        elevated access to the SEPM management console with application 
        privileges." [1]
        
        CVE-2015-8153: "There was a SQL injection found in SEPM that could 
        have allowed an authorized but less-privileged SEPM operator to 
        potentially elevate access to administrative level on the 
        application." [1]
        
        CVE-2015-8154: "The sysplant driver is loaded as part of the 
        Application and Device Control (ADC) component on a SEP client if 
        ADC is installed and enabled on the client. A previous security 
        update to this driver did not sufficiently validate or protect 
        against external input. Successfully bypassing security controls 
        could potentially result in targeted arbitrary code execution on a 
        client system with logged-on user privileges. Exploitation attempts
        of this type generally use known methods of trust exploitation 
        requiring enticing a currently authenticated user to access a 
        malicious link or open a malicious document in a context such as a 
        website or in an email." [1]


MITIGATION

        The vendor recommends that users update to SEP 12.1-RU6-MP4 or later 
        to address these issues. For CVE-2015-8154, customers who cannot 
        update immediately can disable the ADC (sysplant) driver or 
        uninstall ADC as described in the vendor advisory. [1]
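        The following PowerShell script is an added example and is not part of
        the AusCERT bulletin or of Symantec's advisory. It performs a read-only
        audit of a Windows SEP client for the two facts that decide exposure to
        CVE-2015-8154: whether the installed client is older than the fixed
        release, and whether the ADC driver (sysplant) is installed and running.
        It assumes that SEP records its version as the PRODUCTVERSION value under
        the registry keys shown, that the ADC driver is registered as the kernel
        service named SysPlant, and that build 12.1.6860.6400 corresponds to
        12.1-RU6-MP4; none of these are stated in the bulletin and all should be
        confirmed against the vendor advisory [1] before the result is relied on.

```powershell
<#
  Added example (not from the AusCERT bulletin or Symantec): audit one SEP client
  for CVE-2015-8154 exposure. Read-only; it changes nothing on the host.

  Assumptions (not in the bulletin, confirm against the vendor advisory):
    - SEP stores its version as PRODUCTVERSION under the registry keys below.
    - The Application and Device Control driver is the kernel service "SysPlant".
    - $FixedVersion is the build of SEP 12.1-RU6-MP4.
#>
param(
    # Assumed build number for 12.1-RU6-MP4; override if the vendor advisory differs.
    [Version]$FixedVersion = '12.1.6860.6400'
)

function Get-SepClientVersion {
    # Assumed registry locations (native and 32-bit-on-64-bit hives).
    $keys = @(
        'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion',
        'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion'
    )
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name PRODUCTVERSION -ErrorAction SilentlyContinue).PRODUCTVERSION
        if ($value) { return [Version]$value }
    }
    return $null   # SEP client not found
}

function Get-SysPlantDriver {
    # Get-Service does not list kernel drivers, so query the WMI driver class instead.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='SysPlant'" |
        Select-Object Name, State, StartMode, Started, PathName
}

$version = Get-SepClientVersion
$driver  = Get-SysPlantDriver

# Patched only if a client is present and at or above the fixed build.
$patched = if ($null -ne $version) { $version -ge $FixedVersion } else { $null }
# ADC is "in use" for the purpose of the advisory when its driver is loaded.
$adcRunning = ($null -ne $driver) -and ($driver.State -eq 'Running')

[PSCustomObject]@{
    ComputerName         = $env:COMPUTERNAME
    SepClientVersion     = $version
    SepClientPatched     = $patched
    AdcDriverPresent     = ($null -ne $driver)
    AdcDriverRunning     = $adcRunning
    AdcDriverStartMode   = if ($driver) { $driver.StartMode } else { 'n/a' }
    # Exposed = unpatched client with the vulnerable driver actually loaded.
    ExposedToCve20158154 = ($null -ne $version) -and (-not $patched) -and $adcRunning
} | Format-List
```

        Run it from an elevated PowerShell prompt on the client. A host that
        reports an unpatched client with AdcDriverRunning set to True is the
        case the bulletin's Comment describes as impacted; a host with
        AdcDriverPresent set to False is not using ADC and, per the vendor, is
        not affected by CVE-2015-8154 regardless of version. Any disabling or
        removal of ADC should follow the steps in the vendor advisory rather
        than ad hoc service changes, since SEP's tamper protection may block the
        latter.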


REFERENCES

        [1] Security Advisories Relating to Symantec Products - Symantec
            Endpoint Protection Multiple Security Issues
            https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160317_00

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================