Vulnerability Note VU#252068

Symantec Endpoint Protection Client contains a kernel pool overflow vulnerability

2014-08-04
www.kb.cert.org

CVSS2: 6.9 Medium (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Attack Vector: LOCAL
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.001 Low (percentile 37.0%)

Overview

Symantec Endpoint Protection Client 11.x and 12.x contains a kernel pool overflow vulnerability.

Description

CWE-788: Access of Memory Location After End of Buffer

An attacker logged into a Windows XP, Vista, 7, or 8 system as an unprivileged user is able to cause a kernel pool overflow in the sysplant driver by sending it a specially crafted IOCTL request. The sysplant driver is part of the Application and Device Control functionality in Symantec Endpoint Protection (SEP) client 11.x and 12.x, and that feature is enabled by default in both versions.
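The bug class the description names (CWE-788: a length taken from inside the request rather than from the I/O manager, so a copy runs past the end of a fixed-size pool allocation into whatever sits next to it), as an added illustration. This is not the sysplant driver's code and does not reflect the actual defect, which this note does not detail. It is plain user-mode C: the "pool" is a flat array with a canary-filled neighbouring chunk, the request layout (a 32-bit caller-controlled length followed by payload), the handler names and CHUNK_SIZE are assumptions made for the example, and the NTSTATUS values are the real ones. The vulnerable handler sits beside the hardened one so the three checks a buffered-IOCTL handler needs before it copies are visible together.

```c
/*
 * Added illustration of the CWE-788 IOCTL bug class, NOT Symantec's sysplant
 * code and not the actual defect (which this note does not detail).
 * Plain user-mode C: the "pool" is a flat array; the request layout, the
 * handler names and CHUNK_SIZE are assumptions made for the example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 64                 /* assumed size of the driver's pool allocation */
#define POOL_SIZE  (2 * CHUNK_SIZE)
#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du   /* real NTSTATUS values */
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u

/* Simulated NonPagedPool: chunk A is the driver's buffer, chunk B stands in
 * for an unrelated neighbouring allocation that an overflow corrupts. */
static uint8_t g_pool[POOL_SIZE];
#define CHUNK_A (g_pool)
#define CHUNK_B (g_pool + CHUNK_SIZE)
#define NEIGHBOUR_CANARY 0xA5

/* Assumed request layout: a 32-bit caller-controlled length, then payload. */
#define HDR_SIZE sizeof(uint32_t)

static void pool_reset(void) {
    memset(CHUNK_A, 0, CHUNK_SIZE);
    memset(CHUNK_B, NEIGHBOUR_CANARY, CHUNK_SIZE);
}

/* 1 if the neighbouring chunk still holds its canary, 0 if it was overwritten. */
int neighbour_intact(void) {
    for (size_t i = 0; i < CHUNK_SIZE; i++)
        if (CHUNK_B[i] != NEIGHBOUR_CANARY) return 0;
    return 1;
}

/* Vulnerable handler. in_len is the InputBufferLength the I/O manager
 * validated against the caller's buffer; the copy instead trusts the length
 * the caller wrote inside the request. */
uint32_t handle_ioctl_vulnerable(const void *in_buf, size_t in_len) {
    uint32_t declared;
    if (in_len < HDR_SIZE)                  /* only the header is checked */
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(&declared, in_buf, HDR_SIZE);
    const uint8_t *payload = (const uint8_t *)in_buf + HDR_SIZE;
    memcpy(CHUNK_A, payload, declared);     /* BUG: bounded by neither in_len nor CHUNK_SIZE */
    return STATUS_SUCCESS;
}

/* Hardened handler: the declared length is checked against what was actually
 * sent and against the destination before anything is copied. */
uint32_t handle_ioctl_hardened(const void *in_buf, size_t in_len) {
    uint32_t declared;
    if (in_len < HDR_SIZE)
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(&declared, in_buf, HDR_SIZE);
    const uint8_t *payload = (const uint8_t *)in_buf + HDR_SIZE;
    /* Subtract instead of adding so the comparison cannot wrap. */
    if (declared > in_len - HDR_SIZE)       /* claims more than was sent: out-of-bounds read */
        return STATUS_INVALID_PARAMETER;
    if (declared > CHUNK_SIZE)              /* would run past the pool chunk: out-of-bounds write */
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(CHUNK_A, payload, declared);
    return STATUS_SUCCESS;
}

/* Builds a constructed request that declares `declared_len` bytes while the
 * caller really supplies `sent_payload` bytes, resets the pool and dispatches
 * it to one of the two handlers. Returns the handler's status. */
uint32_t run_scenario(int hardened, uint32_t declared_len, size_t sent_payload) {
    static uint8_t buf[HDR_SIZE + 4 * CHUNK_SIZE];
    if (sent_payload > 4 * CHUNK_SIZE) sent_payload = 4 * CHUNK_SIZE;
    memcpy(buf, &declared_len, HDR_SIZE);
    memset(buf + HDR_SIZE, 0x41, sent_payload);   /* attacker-controlled bytes */
    size_t in_len = HDR_SIZE + sent_payload;
    pool_reset();
    return hardened ? handle_ioctl_hardened(buf, in_len)
                    : handle_ioctl_vulnerable(buf, in_len);
}

int main(void) {
    uint32_t st = run_scenario(0, 96, 96);
    printf("vulnerable, 96-byte payload: status 0x%08X, neighbour intact: %d\n",
           st, neighbour_intact());
    st = run_scenario(1, 96, 96);
    printf("hardened,   96-byte payload: status 0x%08X, neighbour intact: %d\n",
           st, neighbour_intact());
    st = run_scenario(1, 1000, 4);
    printf("hardened,   length lies about size: status 0x%08X\n", st);
    return 0;
}
```

In a real driver the destination is a pool allocation sized at probe time and the neighbour is some other kernel object, which is why a 32-byte spill becomes a SYSTEM-level primitive rather than a crash; the hardened handler's second check (declared length versus in_len) also closes the companion bug, a kernel read past the end of the caller's buffer when the request claims more bytes than were sent.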


Impact

An attacker with user credentials may be able to elevate privileges to SYSTEM and gain full control of the system.


Solution

Apply an Update
Symantec has posted an advisory for this vulnerability. A patch is now available; the fixed version is SEP 12.1.4112.4156.


If the patch is unavailable or cannot be installed, consider the following workaround:

Disable the Vulnerable Driver
By default, SEP has Application and Device Control enabled and loads the sysplant driver. Disabling the driver will prevent an attack from being successful, although it will marginally reduce the effectiveness of SEP. Note that disabling Application and Device Control, whether through the SEP client or via policy from Symantec Endpoint Protection Manager, does not unload the sysplant driver; it must be disabled with a registry edit, after which a reboot forces the driver to unload.

Follow Symantec's instructions for disabling the sysplant driver. The sysguard driver does not need to be disabled to mitigate this vulnerability.


Vendor Information


Symantec Affected

Notified: July 22, 2014 Updated: August 01, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group          Score   Vector
Base           6.8     AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal       6.1     E:F/RL:W/RC:C
Environmental  4.6     CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Matteo Memelli for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2014-3434
Date Public: 2014-08-04
Date First Published:
