-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2062
       SYM15-007 Security Advisories Relating to Symantec Products -
                Symantec Endpoint Protection Multiple Issues
                               11 August 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Endpoint Protection Manager
Publisher:         Symantec
Operating System:  Windows
Impact/Access:     Administrator Compromise        -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Existing Account
                   Access Privileged Data          -- Existing Account
                   Create Arbitrary Files          -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1492 CVE-2015-1491 CVE-2015-1490 CVE-2015-1489
                   CVE-2015-1488 CVE-2015-1487 CVE-2015-1486

Original Bulletin:
   https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150730_00

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Advisories Relating to Symantec Products - Symantec Endpoint
Protection Multiple Issues

SYM15-007
July 30, 2015

Revisions

08/03/2015  Added note that proof-of-concept code has been released publicly.
            Mitigation for Client Binary Planting was removed due to
            inadvertent side effects. Customers that previously implemented
            that mitigation should recreate an empty SmcLU directory in the
            original location (for example, C:\Program Files (x86)\Symantec\
            Symantec Endpoint Protection\12.1.6168.6000.105\SmcLu).
Severity                             CVSS2 Base Score  Impact  Exploitability  CVSS2 Vector
SEPM Authentication Bypass - High    7.5               6.4     10              AV:N/AC:L/Au:N/C:P/I:P/A:P
SEPM Arbitrary File Write - Medium   5.5               4.9     8.0             AV:N/AC:L/Au:S/C:N/I:P/A:P
SEPM Arbitrary File Read - Medium    4.0               2.9     8.0             AV:N/AC:L/Au:S/C:P/I:N/A:N
SEPM Privilege Escalation - High     8.5               10      6.8             AV:N/AC:M/Au:S/C:C/I:C/A:C
SEPM SQL Injection - Medium          6.0               6.4     6.8             AV:N/AC:M/Au:S/C:P/I:P/A:P
SEPM Path Traversal - Medium         5.5               4.9     8.0             AV:N/AC:L/Au:S/C:N/I:P/A:P
SEP Client Binary Planting - High    8.5               10      6.8             AV:N/AC:M/Au:S/C:C/I:C/A:C

NOTE: Proof of concept code has been publicly released.

Overview

The management console for Symantec Endpoint Protection Manager (SEPM) is
susceptible to multiple vulnerabilities including SQL Injection,
authentication bypass, possible path traversal and the potential for
arbitrary file read/write. SEP clients are susceptible to a binary planting
vulnerability that could result in arbitrary code running with system
privileges on a client.

Affected Products

Product                               Version  Build  Solution(s)
Symantec Endpoint Protection Manager  12.1     All    Update to 12.1-RU6-MP1
Symantec Endpoint Protection Clients  12.1     All    Update to 12.1-RU6-MP1

Details

The management console for Symantec Endpoint Protection Manager (SEPM) is
susceptible to manipulation of the password reset functionality to
potentially generate a new administrative session being created and
assigned to the requestor. The new session can be used to bypass proper
authentication to access the server.

An arbitrary file write vulnerability exists due to improper file name
validation in a console session that could allow an authorized SEPM user to
write arbitrary files in the context of the corresponding user. There is
also an arbitrary file read vulnerability due to improper validation in one
of the action handlers. This could allow an authenticated user to read
arbitrary files they may not have been authorized access to.
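The CVSS2 Base Score, Impact and Exploitability columns in the severity table above follow the CVSS v2.0 base equations, so the published numbers can be checked from the vectors alone. The following Python script, added here as an example and not part of the Symantec or AusCERT bulletin, parses a CVSS v2 base vector, applies the v2.0 metric weights, and recomputes each row of the table (the rows embedded in the script are copied from the bulletin). It handles any v2 base vector, not only the seven on this page.

```python
"""CVSS v2.0 base-score recomputation for the bulletin's severity table.

Added example; not part of the Symantec or AusCERT bulletin. Metric weights
and equations are those of the CVSS v2.0 specification.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def round1(value):
    """Round half up to one decimal place, the rounding CVSS v2 prescribes."""
    return float(Decimal(repr(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a metric dict, rejecting malformed input."""
    metrics = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"base vector needs exactly AV, AC, Au, C, I, A: {vector!r}")
    return metrics


def cvss2_base(vector):
    """Return (base, impact, exploitability), each rounded to one decimal."""
    m = parse_vector(vector)
    c, i, a = (CIA_IMPACT[m[k]] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                      * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176  # no impact at all means a zero score
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round1(base), round1(impact), round1(exploitability)


# Rows copied from the bulletin's severity table: (issue, vector, published base score).
BULLETIN_TABLE = [
    ("SEPM Authentication Bypass", "AV:N/AC:L/Au:N/C:P/I:P/A:P", 7.5),
    ("SEPM Arbitrary File Write", "AV:N/AC:L/Au:S/C:N/I:P/A:P", 5.5),
    ("SEPM Arbitrary File Read", "AV:N/AC:L/Au:S/C:P/I:N/A:N", 4.0),
    ("SEPM Privilege Escalation", "AV:N/AC:M/Au:S/C:C/I:C/A:C", 8.5),
    ("SEPM SQL Injection", "AV:N/AC:M/Au:S/C:P/I:P/A:P", 6.0),
    ("SEPM Path Traversal", "AV:N/AC:L/Au:S/C:N/I:P/A:P", 5.5),
    ("SEP Client Binary Planting", "AV:N/AC:M/Au:S/C:C/I:C/A:C", 8.5),
]


def verify_table(rows=BULLETIN_TABLE):
    """Recompute every row; return (issue, computed base, published base, matches) tuples."""
    results = []
    for issue, vector, published in rows:
        computed = cvss2_base(vector)[0]
        results.append((issue, computed, published, computed == published))
    return results


if __name__ == "__main__":
    for issue, computed, published, ok in verify_table():
        print(f"{issue:<30} computed={computed:<4} published={published:<4} {'OK' if ok else 'MISMATCH'}")
```

The Impact and Exploitability sub-scores are returned alongside the base score so that a row can be traced when it does not match; for the seven vectors on this page all three recomputed values agree with the published columns.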
Further, by leveraging the file write vulnerability, an authorized but
less-privileged user could potentially manipulate SEPM services to launch
arbitrary code with administrator privileges to further elevate their normal
privileges.

SEPM does not properly validate/sanitize SQL input. This could enable an
authorized but less-privileged user to potentially run an unauthorized
arbitrary SQL query against the backend database. This would include Limited
Administrators as implemented in Symantec Endpoint Protection Manager. This
could possibly allow access to or manipulation of data resulting in potential
unauthorized access to restricted server-side data and possible ability to
leverage additional console management functionality.

Also identified was the potential for a path traversal issue during the
importing of a client installation package to SEPM. The package is not
sufficiently validated/sanitized during the process. A malicious individual
could potentially submit a specifically configured package containing a
relative path of their creation in an attempt to access files and/or
directories external to the authorized install folder.

SEP clients are susceptible to a potential binary attack/DLL preloading issue
resulting from not properly restricting the loading of external libraries. An
authorized but malicious user with access to a system could potentially
insert a specifically-crafted library into a client install package.
Successful exploitation could allow unauthorized arbitrary code to be
executed with system privileges.

In a recommended installation, the Symantec Endpoint Protection Manager
server should never be accessible external to the network, which still
allows internal attack attempts from malicious less-privileged users but
should restrict external attack attempts. However, a malicious,
non-authorized individual could leverage known methods of trust exploitation
to compromise a client user in an attempt to gain network/system access.
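The path traversal issue described above turns on an imported client package carrying a relative path that resolves outside the authorized install folder. The following Python function, an added example that is neither Symantec's code nor part of the bulletin, shows the containment check an import routine should apply to each archive entry before writing it. The install root and the manifest entries are constructed for illustration; the root path is hypothetical and not a real SEPM location. ntpath is used so the Windows path rules apply regardless of where the check itself runs.

```python
"""Containment check for archive entries before extraction into an install folder.

Added example, not Symantec's code. Uses ntpath so Windows path semantics
(backslashes, drive letters, UNC names) apply on any platform.
"""
import ntpath

# Hypothetical install root, constructed for this example (not a real SEPM path).
INSTALL_ROOT = r"C:\Program Files (x86)\Example\ClientPackages"


def safe_entry_path(root, entry):
    """Return the normalized destination for an archive entry, or None if it must be rejected.

    Rejected: empty or whitespace-padded names, names starting with a separator,
    absolute paths, drive-relative names such as "C:foo", UNC names, and any
    ".." sequence whose resolved destination climbs above the install root.
    """
    if not entry or entry != entry.strip():
        return None
    # Anything that names its own location instead of a position under root.
    if entry[0] in "\\/" or ntpath.isabs(entry) or ntpath.splitdrive(entry)[0]:
        return None
    root_norm = ntpath.normcase(ntpath.normpath(root))
    dest = ntpath.normpath(ntpath.join(root, entry))  # collapses "." and ".."
    dest_norm = ntpath.normcase(dest)
    # Contained only if the resolved destination is root itself or lies strictly
    # below root (root followed by a separator, so "ClientPackages2" does not pass).
    if dest_norm != root_norm and not dest_norm.startswith(root_norm + "\\"):
        return None
    return dest


def validate_package(entries, root=INSTALL_ROOT):
    """Split a package manifest into (accepted, rejected) entry lists."""
    accepted, rejected = [], []
    for entry in entries:
        target = accepted if safe_entry_path(root, entry) is not None else rejected
        target.append(entry)
    return accepted, rejected


# Constructed manifest mixing legitimate entries with escape attempts.
SAMPLE_MANIFEST = [
    "setup.exe",
    "Sep\\SmcLu\\catalog.dat",
    "Sep/../setup.ini",                      # climbs one level but stays inside root
    "..\\..\\Windows\\System32\\evil.dll",   # escapes root
    "C:\\Windows\\System32\\evil.dll",       # absolute path
    "\\\\fileserver\\share\\evil.dll",       # UNC name
    "C:evil.dll",                            # drive-relative name
]

if __name__ == "__main__":
    ok, bad = validate_package(SAMPLE_MANIFEST)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is done on the fully resolved destination rather than by searching the entry name for "..", so an entry such as Sep/../setup.ini that never leaves the install folder is still accepted, while forward slashes, mixed case and repeated separators are normalized before the comparison.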
These exploitation attempts generally require enticing a previously
authenticated user to access a malicious link in a context such as a web
link or in an HTTP email.

Symantec Response

Symantec product engineers verified these issues. SEPM 12.1-RU6-MP1 contains
updates that address these issues. Customers should implement the
mitigations described below until the available update can be installed to
address these issues.

Symantec is not aware of exploitation of or adverse customer impact from
this issue.

Update Information

Symantec Endpoint Protection Manager 12.1-RU6-MP1 is available from Symantec
File Connect.

Mitigations

For SEPM Authentication Bypass - High:

Customers that cannot immediately upgrade their SEPM to RU6 MP1 can mitigate
the issue by manually disabling the option for SEPM administrators to reset
their passwords.

To disable password resets:

  1. In the Symantec Endpoint Protection Manager console, click Admin.
  2. In the Admin page, under Tasks, click Servers.
  3. In the Admin page, under View, expand Local Site (Site site name) or
     expand Remote Site.
  4. Select the site whose properties you want to edit.
  5. In the Admin page, under Tasks, click Edit Site Properties.
  6. Select the Passwords tab.
  7. Uncheck the selection for "Allow administrators to reset the passwords".
  8. Click OK.

Note: This will need to be configured for each site in the environment.

Symantec will be releasing the following IPS signatures to detect/prevent
attempts against some of these issues in SEPM. These detections will be
available through normal Symantec security update channels.

  28651 (Web Attack: SEPM SQL Injection)
  28650 (Web Attack: SEPM Directory Traversal)
  28649 (Web Attack: SEPM unauthenticated password reset)

Best Practices

As part of normal best practices, Symantec strongly recommends the following:

- Restrict access to administrative or management systems to authorized
  privileged users.
- Restrict remote access, if required, to trusted/authorized systems only.
- Run under the principle of least privilege where possible to limit the
  impact of potential exploit.
- Keep all operating systems and applications current with vendor patches.
- Follow a multi-layered approach to security. At a minimum, run both
  firewall and anti-malware applications to provide multiple points of
  detection and protection to both inbound and outbound threats.
- Deploy network- and host-based intrusion detection systems to monitor
  network traffic for signs of anomalous or suspicious activity. This may
  aid in the detection of attacks or malicious activity related to the
  exploitation of latent vulnerabilities.

Credit

Symantec would like to thank Markus Wulftange of Code White
(http://www.code-white.com), for reporting these issues and working very
closely with Symantec as they were addressed.

References

CVE: These issues are candidates for inclusion in the CVE list
(http://cve.mitre.org/cve), which standardizes identifiers for security
problems.

BID: Symantec SecurityFocus, http://www.securityfocus.com, has assigned
Bugtraq IDs (BIDs) to these issues for inclusion in the Security Focus
vulnerability database.

CVE            BID        Description
CVE-2015-1486  BID 76074  SEPM Authentication Bypass
CVE-2015-1487  BID 76094  SEPM Arbitrary File Write
CVE-2015-1488  BID 76077  SEPM Arbitrary File Read
CVE-2015-1489  BID 76078  SEPM Privilege Escalation
CVE-2015-1490  BID 76081  SEPM Path Traversal
CVE-2015-1491  BID 76079  SEPM SQL Injection
CVE-2015-1492  BID 76083  SEP Client Binary Planting

Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows responsible disclosure guidelines.

Please contact secure@symantec.com if you feel you have discovered a
security issue in a Symantec product. A member of the Symantec Product
Security team will contact you regarding your submission to coordinate any
required response.
Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure@symantec.com. The Symantec Product
Security PGP key can be found at the location below.

Symantec has developed a Product Vulnerability Response document outlining
the process we follow in addressing suspected vulnerabilities in our
products. This document is available below.

Symantec Vulnerability Response Policy
Symantec Product Vulnerability Management PGP Key

Copyright (c) 2015 by Symantec Corp.

Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Symantec Product Security.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com

Disclaimer

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Product Security, and
secure@symantec.com are registered trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All other
registered and unregistered trademarks represented in this document are the
sole property of their respective companies/owners.

* Signature names may have been updated to comply with an updated IPS
  Signature naming convention. See
  http://www.symantec.com/business/support/index?page=content&id=TECH152794&key=54619&actp=LIST
  for more information.
Last modified on: July 30, 2015

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVcmCP36ZAP0PgtI9AQJb3BAAlO3R4QGEvp9YROWUecfderoLhdrgGm4c
+VhKRdBvoBL5cU0KQ8huK3hMZseLHr/DQVgjpCcYQ9MAJNNdRa1WYN9u3GOOsVEa
4cAvp9/DtmvO3CkWPrBHoNyQu3WZJlWmJOytN0I/0bufPLsBTHpCFz5Zk+VAtN17
zOXMpkpV9Hayqve6RFm0EmtLu7t6KJilR20kFFjZ2+MkOxPNKFdOT9bJEZjqX4j3
Z3h/uZ90vaNDHH27nZpFM9TY7L+rCc+bCuxJZnAn0u4xpq2oO3Gum69Qgh+8pnE3
QNGTL8GtW79MoGYAPeaBxrmIVUnesejiynkokuYs6rzXzMBAqxE68yUR4mW9DhS+
Wv1h9HkljHNcUmZc9MifeA5PaHrLGkOycWXdoe9Zmh9PjSlsaTt8hkaBMeiqlwyq
leY/FiTknv2zugMn28ZBUjyLRajjXb87YSpB1FCwCcjF+8K6vYnKSVkTxaBAKu/A
fkKVoyBsOIXhLv8RYBG6zjpJlmMXiQeNqTLPbVOa9lkaUOPaycGR8cJIma4Sfvp0
QraRpS5vkfNn5+90Yfj29dWEg2a1M2vY+oftBc10TlqyyBljfpNghBufQUvA/kfE
d0H81oRSPUszT9PPD+fX91xhCAeN6MMDsboHd8qkpsNmLyflbqdhPUfi+iqJwCy/
jaxp2r15vh8=
=yj2x
-----END PGP SIGNATURE-----