Symantec has released an update to address a finding in VIP Access Desktop that could allow a local user to force VIP Access Desktop UI Manager to execute an arbitrary formatted DLL with logged-on user privileges.
Affected Product | CVE | Affected Version(s) | Remediation
---|---|---|---
Symantec VIP Access Desktop | CVE-2016-6593 | Prior to 2.2.2 | Upgrade to 2.2.3 or later
CVE-2016-6593
Severity/CVSSv3: Low / 3.9 AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
References: Securityfocus: BID 94731 / NVD: CVE-2016-6593
Impact: Code execution
Description:
VIP Access Desktop UI Manager invokes DLLs from the current working folder during startup. A malicious local user can create specifically modified DLLs that stand in for the normal product DLLs required during startup. Then, by redirecting the startup path of the VIP Access Desktop UI Manager, the user can cause it to invoke the substituted DLL instead of the required product DLL. Any code in the substituted DLL would execute with the logged-on user's privileges, which is normally user-level access on currently supported operating systems. Ultimately, this problem is caused by a failure to properly validate required product DLLs during start-up. It could result in a local user being able to manipulate VIP Access Desktop into loading and executing an arbitrary DLL of the user's choice with user-level privileges.
Symantec VIP Access Desktop has been updated to address this issue by implementing stricter access controls on authorized product-specific DLLs. Symantec VIP Access Desktop users should update to version 2.2.3, which is currently available for download from the VIP ID Center portal, https://idprotect.vip.symantec.com/desktop/download.v.
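As an added illustration (not Symantec's code and not the actual change shipped in 2.2.3), the following Python models the start-up validation the advisory says was missing: a required DLL is resolved only inside the trusted installation directory, may not escape that directory, must appear in a known-good manifest, and must match the manifest's SHA-256 before its path is handed to the loader. The working-folder lookup that made the substitution possible is simply never performed. The install directory, file names, file contents and hashes are constructed for the example.

```python
"""Added example, not Symantec's code: resolve and verify a required product
DLL before it is loaded. All paths, contents and hashes are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


class UntrustedDllError(Exception):
    """Raised when a DLL must not be loaded."""


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def resolve_product_dll(name, install_dir, manifest):
    """Return the absolute path of a required product DLL, or raise.

    install_dir: the trusted installation directory (hypothetical location).
    manifest:    {dll file name: expected SHA-256 hex digest}, shipped with
                 the product and protected like the product binaries.
    The current working directory is never consulted, so a same-named file
    placed there by a local user is ignored.
    """
    trusted = Path(install_dir).resolve()
    candidate = (trusted / name).resolve()
    # A name such as "..\\work\\x.dll" would resolve outside the install folder.
    if candidate.parent != trusted:
        raise UntrustedDllError(f"{name!r} resolves outside {trusted}")
    if candidate.name not in manifest:
        raise UntrustedDllError(f"{candidate.name} is not a known product DLL")
    if not candidate.is_file():
        raise UntrustedDllError(f"{candidate} is missing")
    actual = sha256_of(candidate)
    if actual != manifest[candidate.name]:
        raise UntrustedDllError(f"{candidate} hash mismatch: {actual}")
    return str(candidate)


def _refused(fn):
    """True if fn() raises UntrustedDllError."""
    try:
        fn()
    except UntrustedDllError:
        return True
    return False


def demo():
    """Constructed scenario: a genuine DLL in the install folder and a
    substituted file with the same name in the working folder the program
    is started from. Returns which checks behaved as intended."""
    with tempfile.TemporaryDirectory() as root:
        install = Path(root) / "Program Files" / "VIP Access"
        work = Path(root) / "work"
        install.mkdir(parents=True)
        work.mkdir()
        genuine = install / "product.dll"
        genuine.write_bytes(b"MZ genuine product dll (constructed)")
        (work / "product.dll").write_bytes(b"MZ substituted dll (constructed)")
        manifest = {"product.dll": sha256_of(genuine)}

        results = {}
        previous_cwd = os.getcwd()
        os.chdir(work)  # start "from" the folder holding the substituted DLL
        try:
            # The trusted copy is chosen even though the working folder has one.
            results["install_copy_chosen"] = (
                resolve_product_dll("product.dll", install, manifest)
                == str(genuine.resolve())
            )
            # A DLL name the product does not ship is refused.
            results["unknown_name_refused"] = _refused(
                lambda: resolve_product_dll("helper.dll", install, manifest))
            # A name that escapes the install folder is refused.
            results["escape_refused"] = _refused(
                lambda: resolve_product_dll("../../work/product.dll", install, manifest))
            # Tampering with the trusted copy itself is caught by the hash.
            genuine.write_bytes(b"MZ tampered product dll (constructed)")
            results["tampered_copy_refused"] = _refused(
                lambda: resolve_product_dll("product.dll", install, manifest))
        finally:
            os.chdir(previous_cwd)
        return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The hash manifest stands in for whatever integrity control the vendor chose; on Windows the same role is usually played by an Authenticode signature check plus loading by absolute path, but the structure of the decision is the same: reject anything that is not the expected file in the expected place.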
Best Practices
Symantec recommends the following measures to reduce risk of attack:
CPE | Name | Operator | Version
---|---|---|---
 | symantec vip access desktop | eq | 2