Symantec Security Response, SMNTC-1252
May 22, 2012 - 8:00 a.m.

Symantec Endpoint Protection Multiple Issues

CVSS2 base score: 9.3 (High)

| Metric | Value |
| --- | --- |
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

SUMMARY

Specific versions of the Symantec Endpoint Protection Management Console in Symantec Endpoint Protection 11.x and Symantec Network Access Control 11.x are susceptible to a potential local access elevation of privilege.

The Management Console in Symantec Endpoint Protection 12.1 is susceptible to remote access directory traversal/file deletion through a vulnerable service. A follow-on attack based on the success of the file deletion allows for a file insertion/code execution potentially resulting in unauthorized privilege escalation.

AFFECTED PRODUCTS

Local Access Elevation of Privilege

| Product | Version | Build | Solution(s) |
| --- | --- | --- | --- |
| Symantec Endpoint Protection (Management Console) | 11.0 RU6 (11.0.600x); 11.0 RU6-MP1 (11.0.6100); 11.0 RU6-MP2 (11.0.6200); 11.0 RU6-MP3 (11.0.6300); 11.0 RU7 (11.0.700x); 11.0 RU7-MP1 (11.0.710x) | All | SEP 11 RU7 MP2 or later (Management Console) |
| Symantec Network Access Control (Management Console) | 11.0 RU6 (11.0.600x); 11.0 RU6-MP1 (11.0.6100); 11.0 RU6-MP2 (11.0.6200); 11.0 RU6-MP3 (11.0.6300); 11.0 RU7 (11.0.700x); 11.0 RU7-MP1 (11.0.710x) | All | SNAC 11 RU7 MP2 or later (Management Console) |

NOTE: Symantec Endpoint Protection 12.1.x is NOT impacted by this issue

Remote Access Directory Traversal/File Deletion and Elevation of Privilege

| Product | Version | Build | Solution(s) |
| --- | --- | --- | --- |
| Symantec Endpoint Protection Manager | 12.1 (12.1.671); 12.1 RU1 (12.1.1000) | All | SEP 12.1 RU1 MP1 |

NOTE: Only Symantec Endpoint Protection 12.1.x is impacted by these issues

ISSUES

| Issue | Base Score | Impact | Exploitability | CVSS2 Vector |
| --- | --- | --- | --- | --- |
| File Include/Remote Access Elevation of Privilege - Medium | 6.82 | 6.44 | 8.58 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Directory Traversal File Deletion - Medium | 4 | 4.9 | 4.9 | AV:A/AC:L/Au:N/C:C/I:C/A:N |
| Local Access Elevation of Privilege - Low | 3.2 | 4.9 | 3.1 | AV:N/AC:H/Au:N/C:N/I:P/A:P |
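The scores in this advisory are derived from the CVSS v2 vectors next to them. As an added example (not part of the Symantec advisory), the following Python block implements the CVSS v2 base-score equations with the weights from the CVSS v2 specification, so a reader can recompute the headline 9.3 from AV:N/AC:M/Au:N/C:C/I:C/A:C or the 6.8 of the first issue row, and maps a base score to the Low/Medium/High bands that NVD uses for CVSS v2. The function and variable names are the example's own.

```python
"""CVSS v2 base-score calculator (added example, not Symantec's code)."""
from decimal import Decimal, ROUND_HALF_UP

# Base-metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}

_METRICS = {
    "AV": ACCESS_VECTOR,
    "AC": ACCESS_COMPLEXITY,
    "Au": AUTHENTICATION,
    "C": IMPACT_WEIGHT,
    "I": IMPACT_WEIGHT,
    "A": IMPACT_WEIGHT,
}


def _round1(value: float) -> float:
    """CVSS v2 round_to_1_decimal: half-up, unlike Python's banker's rounding."""
    return float(Decimal(repr(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:M/Au:N/C:C/I:C/A:C' into metric weights, rejecting malformed input."""
    weights = {}
    for part in vector.strip().split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in _METRICS:
            raise ValueError(f"unknown metric {part!r}")
        if value not in _METRICS[name]:
            raise ValueError(f"bad value for {name}: {value!r}")
        if name in weights:
            raise ValueError(f"duplicate metric {name}")
        weights[name] = _METRICS[name][value]
    missing = set(_METRICS) - set(weights)
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return weights


def cvss2_base(vector: str) -> dict:
    """Return the rounded base, impact and exploitability sub-scores for a vector."""
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    # f(Impact) is 0 when there is no impact at all, so such vectors score 0.0.
    f_impact = 0.0 if impact == 0 else 1.176
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return {
        "base": _round1(base),
        "impact": _round1(impact),
        "exploitability": _round1(exploitability),
    }


def severity(base: float) -> str:
    """NVD's CVSS v2 severity bands: Low 0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if base >= 7.0:
        return "High"
    if base >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    for vec in ("AV:N/AC:M/Au:N/C:C/I:C/A:C", "AV:N/AC:M/Au:N/C:P/I:P/A:P"):
        scores = cvss2_base(vec)
        print(vec, scores, severity(scores["base"]))
```

The sub-scores are rounded only for display; the base score is computed from the unrounded impact and exploitability values, as the specification requires, which is why the advisory's 6.44 and 8.58 do not have to combine to exactly 6.82 after rounding.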

  • BID 51795 for the local access elevation of privilege issue
  • BID 53182 for the directory traversal/file deletion issue
  • BID 53183 for the file include/remote elevation of privilege issue
  • CVE-2012-0289 for the local access elevation of privilege issue
  • CVE-2012-0294 for the directory traversal/file deletion issue
  • CVE-2012-0295 for the file include/remote access elevation of privilege issue

Exploit Publicly Available:

Yes for CVE-2012-0289, Local Access Elevation of Privilege.

MITIGATION

Details

Symantec was notified of a vulnerable service running on the Symantec Endpoint Protection 12.1 Manager. Successful access to this service can potentially allow an unauthorized remote attacker to launch a two-stage exploit attempt against the targeted server.

In the first stage, an attacker gains access to the vulnerable Manager service and manipulates it to perform directory traversal and delete specific files. Even if the second stage fails, a successful first stage can leave the Manager console non-functional.

A successful initial exploit attempt sets up the second stage. Leveraging the initial file removal, an attacker can potentially insert and execute arbitrary code, gaining unauthorized access in the context of the targeted application, which runs as System.
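The first-stage flaw is a service that accepts a file name and deletes it without confining the result to the directory it was meant to serve. The advisory does not publish the affected code, so the block below is an added, generic illustration in Python (not SEPM's own code): the unchecked join that lets a relative path walk out of its base directory, next to the containment check a deletion endpoint should perform before touching the filesystem. The base directory and file names are constructed placeholders.

```python
"""Path containment check for a file-deletion endpoint (added example, not Symantec's code)."""
import posixpath


class PathEscapeError(ValueError):
    """Raised when a requested path would resolve outside the allowed directory."""


def naive_target(base_dir: str, requested: str) -> str:
    # The unsafe pattern: join and normalise, then trust the result.
    # '..' components and absolute paths resolve straight out of base_dir.
    return posixpath.normpath(posixpath.join(base_dir, requested))


def resolve_under_base(base_dir: str, requested: str) -> str:
    """Return the normalised path for `requested` only if it stays inside base_dir."""
    if "\x00" in requested:
        raise PathEscapeError("NUL byte in path")
    if posixpath.isabs(requested):
        raise PathEscapeError("absolute paths are not accepted")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # commonpath compares whole components, so a sibling such as
    # '/opt/manager/data2' is correctly treated as outside '/opt/manager/data'.
    if posixpath.commonpath([base, candidate]) != base:
        raise PathEscapeError(f"{requested!r} escapes {base}")
    if candidate == base:
        raise PathEscapeError("refusing to operate on the base directory itself")
    return candidate


def is_allowed(base_dir: str, requested: str) -> bool:
    """Boolean wrapper, convenient for request validation and for tests."""
    try:
        resolve_under_base(base_dir, requested)
        return True
    except PathEscapeError:
        return False


if __name__ == "__main__":
    BASE = "/opt/manager/data"  # constructed placeholder, not a real SEPM path
    for name in ("reports/old.log", "../../../etc/passwd", "/etc/passwd", "..", ""):
        print(f"{name!r:>22} -> naive {naive_target(BASE, name)!r}, allowed={is_allowed(BASE, name)}")
```

This check is purely lexical: `normpath` does not follow symbolic links, so a deletion routine that runs on a real filesystem should additionally resolve the existing file with `os.path.realpath` and repeat the containment check, and should treat the removal of any file under the base directory as a privileged, logged operation.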

In a recommended installation, the Symantec Endpoint Protection Manager should be hosted behind the corporate firewall with restricted external access. If necessary to deploy the Manager outside the corporate network, Symantec strongly recommends configuring client/server communication only and blocking all access to the management console.

An unauthorized attacker, able to leverage network access or entice an authorized network user to download malicious content or visit a malicious site, could still attempt an attack against the Manager interface.

Symantec was also notified of a local-access elevation-of-privilege issue, allowing arbitrary code execution, in specific versions of the Symantec Endpoint Protection Management Console and Symantec Network Access Control Management Console 11.x. The arbitrary code execution is caused by inadequate boundary and error checking within one of the code functions.

To successfully exploit this issue, the attacker must have access to an authorized but unprivileged account on the local server that hosts either the Symantec Network Access Control or the Symantec Endpoint Protection 11.x management console. That user could then run a maliciously formatted script that triggers a buffer overflow in a specific function shared by Symantec Network Access Control and Symantec Endpoint Protection. Successfully targeting this function could allow the unprivileged user to elevate their access on the targeted system.

Symantec Response
Symantec product engineers verified the reported issues and resolved these issues in the Symantec Endpoint Protection releases identified above.

Update Information

Updates are available through customers' normal support/download locations.

Best Practices
As part of normal best practices, Symantec strongly recommends:

  • Restrict access to administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Run under the principle of least privilege where possible to limit the impact of exploitation by threats.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

ACKNOWLEDGEMENTS

Symantec credits Anil Aphale, aka 41.w4r10r, with ControlCase India Pvt Ltd for the local access elevation of privilege issue reported in Symantec Endpoint Protection and Symantec Network Access Control 11.x.

Symantec credits Andrea Micalizzi, aka rgod, working through TippingPoint's Zero Day Initiative, for the directory traversal/file deletion and the file include/remote elevation of privilege multi-stage attack reported in Symantec Endpoint Protection Manager 12.1.

REFERENCES

Security Focus, http://www.securityfocus.com, has assigned the Bugtraq IDs (BIDs) listed under ISSUES above to these issues for inclusion in the Security Focus vulnerability database.

These issues are candidates for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org). The CVE initiative has assigned

REVISION

5/23/2012 Proof-of-Concept information released publicly for CVE-2012-0289. Clarification on affected product component and versions.
