-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1325.3
   Security Advisories Relating to Symantec Products - Symantec Endpoint
    Protection Local Client Application Device Control Buffer Overflow
                                 6 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Endpoint Protection
Publisher:         Symantec
Operating System:  Windows
Impact/Access:     Denial of Service      -- Console/Physical
                   Increased Privileges   -- Console/Physical
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3434

Original Bulletin:
   http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140804_00

Comment: Exploit code has been released publicly.

Revision History:  August 6 2014: Updating this bulletin to an Alert due to
                                  the existence of publicly available
                                  exploit code
                   August 6 2014: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Advisories Relating to Symantec Products - Symantec Endpoint
Protection Local Client Application Device Control Buffer Overflow

SYM14-013
August 4, 2014

Revisions

None

Severity

Issue                                 Severity  CVSS2 Base Score  Impact  Exploitability  CVSS2 Vector
SEP Local Client ADC Buffer Overflow  Medium    6.9               10.0    3.4             AV:L/AC:M/AU:N/C:C/I:C/A:C

Overview

Symantec is aware of a local access Symantec Endpoint Protection (SEP)
client buffer overflow exploit that has been released publicly which could
potentially cause a BSOD on the client or possibly allow unauthorized local
privilege elevation on Symantec Endpoint Protection (SEP) clients.

Affected Products

Product                                  Version  Build  Solution(s)
Symantec Endpoint Protection Client      12.1     All    Update to 12.1 RU4 MP1b.
                                                         Follow recommended mitigation
                                                         until update is installed.
Symantec Endpoint Protection Client      11.0     All    Update to 12.1 RU4 MP1b.
                                                         Follow recommended mitigation
                                                         until update is installed.
Symantec Endpoint Protection 12.0        12.0     All    Update to latest available build
Small Business Edition                                   of SEP 12.1 Small Business Edition.

Product Not Affected

Product                                                   Version
Symantec Endpoint Protection Manager                      All
Symantec Endpoint Protection 12.1 Small Business Edition  All
Symantec Endpoint Protection.cloud (SEP SBE)              All
Symantec Network Access Control (SNAC)                    All

Details

The sysplant driver, loaded as part of the Application and Device Control
(ADC) component on a SEP client, does not do sufficient validation of
external input which could result in a local client BSOD denial of service
or, if successfully exploited, potentially local elevation of privilege on
the client system.

Symantec Response

Symantec product engineers verified this issue and have created an update
to resolve it. Customers should use the mitigation described below until
the available update can be installed to address this issue.

Symantec is not aware of exploitation of or adverse customer impact from
this issue.

Update Information

Please see TECH223338 for further information on language and build
availability for Symantec Endpoint Protection update 12.1 RU4 MP1b.

Mitigations

If unable to apply the update immediately, SEP administrators can uninstall
or disable ADC in SEP 12.1 or SEP 11.0 by following the instructions
provided in KB Article, TECH223338.

Symantec Security Response has released Bloodhound.Exploit.554 for this
type of issue. This detection is available through normal Symantec security
updates.

Best Practices

As part of normal best practices, Symantec strongly recommends the
following:

- Restrict access to administrative or management systems to authorized
  privileged users.
- Restrict remote access, if required, to trusted/authorized systems only.
- Run under the principle of least privilege where possible to limit the
  impact of potential exploit.
- Keep all operating systems and applications current with vendor patches.
- Follow a multi-layered approach to security. At a minimum, run both
  firewall and anti-malware applications to provide multiple points of
  detection and protection to both inbound and outbound threats.
- Deploy network- and host-based intrusion detection systems to monitor
  network traffic for signs of anomalous or suspicious activity. This may
  aid in the detection of attacks or malicious activity related to the
  exploitation of latent vulnerabilities.

Credit

Symantec would like to thank CERT/CC for reporting this issue from
Offensive Security to Symantec and coordinating with us. Symantec further
thanks Matteo Memelli, Offensive Security for providing coordination to
confirm the issues were addressed.

References

BID: Security Focus, http://www.securityfocus.com, has assigned Bugtraq IDs
(BIDs) to these issues for inclusion in the Security Focus vulnerability
database.

CVE: These issues are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

CVE            BID        Description
CVE-2014-3434  BID 68946  SEP Local Client ADC Buffer Overflow

Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows responsible disclosure
guidelines. Please contact secure@symantec.com if you feel you have
discovered a security issue in a Symantec product. A member of the Symantec
Product Security team will contact you regarding your submission to
coordinate any required response.

Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure@symantec.com. The Symantec Product
Security PGP key can be found at the location below.

Symantec has developed a Product Vulnerability Response document outlining
the process we follow in addressing suspected vulnerabilities in our
products. This document is available below.
Symantec Vulnerability Response Policy
Symantec Product Vulnerability Management PGP Key

Copyright (c) 2014 by Symantec Corp.

Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Symantec Product Security.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com

Disclaimer

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are
no warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Product Security, and
secure@symantec.com are registered trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All other
registered and unregistered trademarks represented in this document are the
sole property of their respective companies/owners.

* Signature names may have been updated to comply with an updated IPS
  Signature naming convention. See
  http://www.symantec.com/business/support/index?page=content&id=TECH152794&key=54619&actp=LIST
  for more information.

Last modified on: August 4, 2014

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================