Symantec Encryption Management Server Multiple Security Issues

Symantec Security Response, SMNTC-1346
Published: 2016-02-18 08:00:00

EPSS: 0.003 (Low), percentile 68.8%

SUMMARY

The management console for Symantec Encryption Management Server (SEMS) is susceptible to potential OS command execution, local access elevation of privilege, a heap-based memory corruption resulting in a service crash and potential information disclosure of management console logon/account information.

AFFECTED PRODUCTS

| Product | Version | Build | Solution(s) |
|---|---|---|---|
| Symantec Encryption Management Server | 3.3.2 prior to MP12 | All | Update to SEMS 3.3.2 MP12 |

ISSUES

| CVE | BID | Description |
|---|---|---|
| CVE-2015-8151 | BID 83268 | SEMS OS Remote Command Execution |
| CVE-2015-8150 | BID 83269 | SEMS Local Elevation of Privilege |
| CVE-2015-8149 | BID 83270 | SEMS Heap-based Memory Corruption LDAP Service Crash |
| CVE-2015-8148 | BID 83271 | SEMS Information Disclosure via LDAP Service |

| Issue | CVSS2 Base Score | Impact | Exploitability | CVSS2 Vector |
|---|---|---|---|---|
| SEMS OS Remote Command Execution - Medium | 5.8 | 6.4 | 6.4 | AV:N/AC:L/Au:M/C:P/I:P/A:P |
| SEMS Local Elevation of Privilege - Medium | 6.3 | 10 | 2.2 | AV:L/AC:M/Au:M/C:C/I:C/A:C |
| SEMS Heap-based Memory Corruption LDAP Service Crash - Medium | 5.0 | 2.9 | 10 | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| SEMS Information Disclosure via LDAP Service - Medium | 6.4 | 4.9 | 10 | AV:N/AC:L/Au:N/C:P/I:P/A:N |

CVE: These issues are candidates for inclusion in the CVE list (http://cve.mitre.org/cve), which standardizes identifiers for security problems.

BID: Symantec SecurityFocus, http://www.securityfocus.com, has assigned Bugtraq IDs (BIDs) to these issues for inclusion in the Security Focus vulnerability database.

MITIGATION

Symantec Encryption Management Server's web administration interface was susceptible to command execution on the underlying operating system when an authorized but less-privileged administrator has console access. Input fields available through the server console did not properly filter arbitrary user input which could allow OS command execution with elevated privileges.

By leveraging the successful exploitation above, an unauthorized user could have scheduled arbitrary commands to run through existing batch files on the underlying operating system that normally run with root privileges. This could have resulted in additional privileged access to the server.

The LDAP service provided by Symantec Encryption Management Server was susceptible to heap memory corruption. Specially-crafted request packets could result in corrupted memory block headers leading to a SIGSEGV fault and service halt.

By successfully manipulating an LDAP request, it was possible for a user able to access the LDAP server to gather information on valid administrator accounts on the server. This information could potentially be used for further attempts to gain unauthorized access to the server or network.

Symantec Response

Symantec product engineers have addressed these issues in Symantec Encryption Management Server 3.3.2 MP12. Customers should update to SEMS 3.3.2 MP12 as soon as possible to address these issues.

Symantec is not aware of exploitation of or adverse customer impact from this issue.

Update Information

Symantec Encryption Management Server 3.3.2 MP12 is available from Symantec File Connect.

Best Practices

As part of normal best practices, Symantec strongly recommends the following:

  • Restrict access to administrative or management systems to authorized privileged users.

  • Restrict remote access, if required, to trusted/authorized systems only.

  • Run under the principle of least privilege where possible to limit the impact of a potential exploit.

  • Keep all operating systems and applications current with vendor patches.

  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.

  • Deploy network- and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

ACKNOWLEDGEMENTS

Symantec would like to thank Toby Reynolds and Rory McNamara with Gotham Digital Science for reporting CVE-2015-8149, 8150, 8151 and working very closely with Symantec as they were addressed. Symantec would also like to thank Harald Buck, Buck IT Consulting, for reporting CVE-2015-8148 and coordinating closely with Symantec as it was addressed.
