Symantec Data Center Security: Server Advanced, Multiple Security Issues on Management Server and Pr

2015-01-19T08:00:00
ID SMNTC-1311
Type symantec
Reporter Symantec Security Response
Modified 2020-03-05T20:20:28

Description

SUMMARY

The management server for Symantec Critical System Protection (SCSP) 5.2.9 and Data Center Security: Server Advanced (SDCS:SA) 6.0.x is susceptible to security issues which could enable privileged access to the management server. Rules in prevention policies deployed to SCSP/SDCS:SA agents to restrict access to specific host functionality could be bypassed.

AFFECTED PRODUCTS

Product | Version | Build | Solution(s)
---|---|---|---
Symantec Critical System Protection Server and Agents | 5.2.9.x | All | SCSP 5.2.9 MP6 or update to 6.0 MP1 SDCS:SA. Apply Protection Policy Modifications Described Below
Symantec Data Center Security: Server Advanced Server and Agents | 6.0 | All | Update to 6.0 MP1. Apply Protection Policy Modifications Described Below
Symantec Data Center Security: Server Advanced Server and Agents | 6.0 MP1 | All | Apply Protection Policy Modifications Described Below

ISSUES

Issue | CVSS2 Base Score | Impact | Exploitability | CVSS2 Vector
---|---|---|---|---
SCSP/SDCS:SA Management Server Agent Control Interface RCE - High (NOTE: Does NOT affect CSP 5.2.9 MP6 or DCS:SA 6.0 MP1) | 7.4 | 10 | 4.4 | AV:A/AC:M/Au:S/C:C/I:C/A:C
SCSP/SDCS:SA Management Server SQL Injection - High (NOTE: Does NOT affect CSP 5.2.9 MP6 or DCS:SA 6.0 MP1) | 7.4 | 10 | 4.4 | AV:A/AC:M/Au:S/C:C/I:C/A:C
SCSP/SDCS:SA Management Server Non-Persistent XSS - Low | 3.8 | 4.9 | 4.4 | AV:A/AC:M/Au:S/C:P/I:P/A:N
SCSP/SDCS:SA Management Server Information Disclosure - Low | 2.7 | 2.9 | 5.1 | AV:A/AC:L/Au:S/C:P/I:N/A:N
SCSP/SDCS:SA Agent Default Protection Policy by-pass permits access to system functionality that should be authorized access restricted - Medium | 6.6 | 10 | 2.7 | AV:L/AC:M/Au:S/C:C/I:C/A:C

CVE | BID | Description
---|---|---
CVE-2014-3440 | BID 72091 | SCSP/SDCS:SA Management Server Agent Control Interface RCE
CVE-2014-7289 | BID 72092 | SCSP/SDCS:SA Management Server SQL Injection
CVE-2014-9224 | BID 72093 | SCSP/SDCS:SA Management Server Non-Persistent XSS
CVE-2014-9225 | BID 72094 | SCSP/SDCS:SA Management Server Information Disclosure
CVE-2014-9226 | BID 72095 | SCSP/SDCS:SA Client Default Security Protection Policy By-pass

MITIGATION

Details

Agent Control Interface RCE - The management server agent control interface for SCSP 5.2.9 MP5 and below and SDCS:SA 6.0 does not properly validate the content of log files being uploaded from client systems for processing. This could allow unauthorized arbitrary code to be included in the log file content on a client system. When uploaded to the server, this arbitrary code could potentially be run during normal processing of the log file content on the server. If successfully exploited an attacker could potentially gain access to a command shell with elevated privileges on the server.

NOTE: SCSP 5.2.9 MP6 and SDCS:SA 6.0 MP1 are not affected by this issue.

SCSP/SDCS:SA Management Server SQL Injection - SCSP 5.2.9 and SDCS:SA 6.0 are susceptible to SQL injection. An attacker who can gain access to the proper port on the management server could pass a specifically crafted HTTP request which could potentially execute arbitrary SQL commands. If successful, the attacker could possibly add themselves to the server as an administrator.

Symantec recommends always configuring the out-of-the-box prevention policy with local network information and applying it to the management server to limit access to the local network or to security administrators only.

NOTE: SCSP 5.2.9 MP6 and SDCS:SA 6.0 MP1 are not affected by this issue.

SCSP/SDCS:SA Management Server Non-persistent XSS - The Management Console server does not properly filter user input. This makes the server potentially susceptible to non-persistent cross-site scripting issues.

Workaround/mitigation information provided below.

SCSP/SDCS:SA Management Server Information Disclosure - The management server does not properly restrict internal server information in certain instances. Successful access to this information could potentially provide reconnaissance planning data to a non-privileged, non-authorized user.

Note: In a normal installation, the SCSP or SDCS:SA Management Console should not be accessible external to the network, providing some mitigation against external threat. Attempts to exploit issues would likely come from an authorized but malicious network user. However, an external attacker could potentially leverage known methods of trust exploitations in an attempt to gain access to a client system from which to launch an attack attempt on the server. These exploitation attempts generally require enticing an authorized user to access a malicious link in a context such as a website or in an email.

Workaround/mitigation information provided below.

SCSP/SDCS:SA Agent Default Protection Policy By-pass - SCSP and SDCS:SA default protection policies are designed to restrict access to specific host functionality. The default protection policies provided do not sufficiently restrict access in some cases. An authenticated user could potentially bypass deployed protection policies gaining unauthorized access to restricted functionality on a host.

Note: SCSP/SDCS:SA Protection Policies provide another layer of restriction to further complement existing OS user authorization. Circumventing the Protection Policies does NOT provide any additional levels of access to the authenticated user other than what their authorization level would permit under normal OS security settings.

See Mitigation Section below for information on customizing protection policies to address this.

Symantec is not aware of exploitation of or adverse customer impact from this issue.

Update Information

SCSP 5.2.9 MP6 and SDCS:SA 6.0 MP1 are available through Symantec File Connect.

Symantec Response and Mitigations/Workarounds

Symantec recommends customers upgrade to the latest SDCS:SA 6.0 MP1. However, if unable to upgrade immediately, there are some workarounds available to mitigate these issues related to SCSP/SDCS:SA server and agents.

SCSP/SDCS:SA Server mitigation for remote agent RCE

Symantec highly recommends upgrading to SCSP 5.2.9 MP6 or SDCS:SA 6.0 MP1; however, if unable to at this time:

  1. If a customer has another physical drive available, edit the CSP/DCS:SA Server configuration to change the bulk log files directory so the directory resides on a different physical drive than where the CSP/DCS:SA Server is installed.
  2. Install a CSP/DCS agent on the server and apply a Prevention policy.

SCSP/SDCS:SA Management Console Non Persistent XSS

SCSP/SDCS:SA Management Console Information Disclosure

  1. Disable the ajaxswing webui.
  2. Use the Java console.
  3. Note that the ajaxswing web console will not be shipping in future releases.

SCSP/SDCS:SA Agent Security Policy By-Pass Mitigation

Implement security policy configurations provided in TECH227679, <http://www.symantec.com/docs/TECH227679>

Best Practices

As part of normal best practices, Symantec strongly recommends the following:

  • Restrict access to administrative or management systems to authorized privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Run under the principle of least privilege where possible to limit the impact of potential exploit.
  • Keep all operating systems and applications current with vendor patches.
  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network- and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

ACKNOWLEDGEMENTS

Symantec would like to thank Balint Varga-Perke with Silent Signal working through Beyond Security for reporting CVE-2014-3440 and working with Symantec as it was addressed.

Symantec would like to thank Stefan Viehbock with SEC-Consult for reporting CVE-2014-7289, CVE-2014-9224, CVE-2014-9225 and CVE-2014-9226 and working with Symantec as they were addressed.

REFERENCES

BID: Security Focus, http://www.securityfocus.com, has assigned Bugtraq IDs (BIDs) to this issue for inclusion in the Security Focus vulnerability database.

CVE: This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.