Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.2062
SYM15-007 Security Advisories Relating to Symantec Products
- Symantec Endpoint Protection Multiple Issues
11 August 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Symantec Endpoint Protection Manager
Publisher: Symantec
Operating System: Windows
Impact/Access: Administrator Compromise -- Remote/Unauthenticated
Execute Arbitrary Code/Commands -- Existing Account
Access Privileged Data -- Existing Account
Create Arbitrary Files -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2015-1492 CVE-2015-1491 CVE-2015-1490
CVE-2015-1489 CVE-2015-1488 CVE-2015-1487
CVE-2015-1486
Original Bulletin:
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150730_00
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Advisories Relating to Symantec Products - Symantec Endpoint
Protection Multiple Issues
SYM15-007
July 30, 2015
Revisions
08/03/2015 Added note that proof-of-concept code has been released publicly.
Mitigation for Client Binary Planting was removed due to inadvertent side
effects. Customers that previously implemented that mitigation should recreate
an empty SmcLU directory in the original location (for example, C:\Program
Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\SmcLu).
Severity
CVSS2 Base Score Impact Exploitability CVSS2 Vector
SEPM Authentication Bypass - High
7.5 6.4 10 AV:N/AC:L/Au:N/C:P/I:P/A:P
SEPM Arbitrary File Write - Medium
5.5 4.9 8.0 AV:N/AC:L/Au:S/C:N/I:P/A:P
SEPM Arbitrary File Read -Medium
4.0 2.9 8.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
SEPM Privilege Escalation - High
8.5 10 6.8 AV:N/AC:M/Au:S/C:C/I:C/A:C
SEPM SQL Injection - Medium
6.0 6.4 6.8 AV:N/AC:M/Au:S/C:P/I:P/A:P
SEPM Path Traversal - Medium
5.5 4.9 8.0 AV:N/AC:L/Au:S/C:N/I:P/A:P
SEP Client Binary Planting - High
8.5 10 6.8 AV:N/AC:M/Au:S/C:C/I:C/A:C
NOTE: Proof of concept code has been publicly released
Overview
The management console for Symantec Endpoint Protection Manager (SEPM) is
susceptible to multiple vulnerabilities including SQL Injection,
authentication bypass, possible path traversal and the potential for arbitrary
file read/write. SEP clients are susceptible to a binary planting
vulnerability that could result in arbitrary code running with system
privileges on a client.
Affected Products
Product Version Build Solution(s)
Symantec Endpoint Protection Manager 12.1 All Update to 12.1-RU6-MP1
Symantec Endpoint Protection Clients 12.1 All Update to 12.1-RU6-MP1
Details
The management console for Symantec Endpoint Protection Manager (SEPM) is
susceptible to manipulation of the password reset functionality to potentially
generate a new administrative session being created and assigned to the
requestor. The new session can be used to bypass proper authentication to
access the server.
An arbitrary file write vulnerability exists due to improper file name
validation in a console session that could allow an authorized SEPM user to
write arbitrary files in the context of the corresponding user. There is also
an arbitrary file read vulnerability due to improper validation in one of the
action handlers. This could allow an authenticated user to read arbitrary
files they may not have been authorized access to. Further, by leveraging the
file write vulnerability, an authorized but less-privileged user could
potentially manipulate SEPM services to launch arbitrary code with
administrator privileges to further elevate their normal privileges.
SEPM does not properly validate/sanitize SQL input. This could enable an
authorized but less-privileged user to potentially run an unauthorized
arbitrary SQL query against the backend database. This would include Limited
Administrators as implemented in Symantec Endpoint Protection Manager. This
could possibly allow access to or manipulation of data resulting in potential
unauthorized access to restricted server-side data and possible ability to
leverage additional console management functionality.
Also identified was the potential for a path traversal issue during the
importing of a client installation package to SEPM. The package is not
sufficiently validated/sanitized during the process. A malicious individual
could potentially submit a specifically configured package containing a
relative path of their creation in an attempt to access files and/or
directories external to the authorized install folder.
SEP clients are susceptible to a potential binary attack/dll preloading issue
resulting from not properly restrict the loading of external libraries. An
authorized but malicious user with access to a system could potentially insert
a specifically-crafted library into a client install package. Successful
exploitation could allow unauthorized arbitrary code to be executed with
system privileges.
In a recommended installation, the Symantec Endpoint Protection Manager server
should never be accessible external to the network which still allows internal
attack attempts from malicious less-privileged users but should restrict
external attack attempts. However, a malicious, non-authorized individual
could leverage known methods of trust exploitations to compromise a client
user in an attempt to gain network/system access. These exploitation attempts
generally require enticing a previously authenticated user to access a
malicious link in a context such as a web link or in an HTTP email.
Symantec Response
Symantec product engineers verified these issues. SEPM 12.1-RU6-MP1 contains
updates that address these issues. Customers should implement the mitigations
described below until the available update can be installed to address these
issues. Symantec is not aware of exploitation of or adverse customer impact
from this issue.
Update Information
Symantec Endpoint Protection Manager 12.1-RU6-MP1 is available from Symantec
File Connect.
Mitigations
For SEPM Authentication Bypass - High:
Customers that cannot immediately upgrade their SEPM to RU6 MP1 can mitigate
the issue by manually disabling the option for SEPM administrators to reset
their passwords.
To disable password resets:
In the Symantec Endpoint Protection Manager console, click Admin
In the Admin page, under Tasks, click Servers
In the Admin page, under view, expand Local Site (Site site name) or expand
Remote Site
Select the site whose properties you want to edit
In the Admin page, under Tasks, click Edit Site Properties
Select the Passwords tab
Uncheck the selection for "Allow administrators to reset the passwords"
Click OK
Note: This will need to be configured for each site in the environment.
Symantec will be releasing the following IPS signatures to detect/prevent
attempts against some of these issues in SEPM. These detections will be
available through normal Symantec security update channels.
28651 (Web Attack: SEPM SQL Injection)
28650 (Web Attack: SEPM Directory Traversal)
28649 (Web Attack: SEPM unauthenticated password reset)
Best Practices
As part of normal best practices, Symantec strongly recommends the following:
Restrict access to administrative or management systems to authorized
privileged users.
Restrict remote access, if required, to trusted/authorized systems only.
Run under the principle of least privilege where possible to limit the impact
of potential exploit.
Keep all operating systems and applications current with vendor patches.
Follow a multi-layered approach to security. At a minimum, run both firewall
and anti-malware applications to provide multiple points of detection and
protection to both inbound and outbound threats.
Deploy network- and host-based intrusion detection systems to monitor network
traffic for signs of anomalous or suspicious activity. This may aid in the
detection of attacks or malicious activity related to the exploitation of
latent vulnerabilities.
Credit
Symantec would like to thank Markus Wulftange of Code White
(http://www.code-white.com), for reporting these issues and working very
closely with Symantec as they were addressed.
References
CVE: These issues are candidates for inclusion in the CVE list
(http://cve.mitre.org/cve), which standardizes identifiers for security
problems.
BID: Symantec SecurityFocus, http://www.securityfocus.com, has assigned
Bugtraq IDs (BIDs) to these issues for inclusion in the Security Focus
vulnerability database.
CVE
BID
Description
CVE-2015-1486
BID 76074
SEPM Authentication Bypass
CVE-2015-1487
BID 76094
SEPM Arbitrary File Write
CVE-2015-1488
BID 76077
SEPM Arbitrary File Read
CVE-2015-1489
BID 76078
SEPM Privilege Escalation
CVE-2015-1490
BID 76081
SEPM Path Traversal
CVE-2015-1491
BID 76079
SEPM SQL Injection
CVE-2015-1492
BID 76083
SEP Client Binary Planting
Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows responsible disclosure guidelines.
Please contact secure@symantec.com if you feel you have discovered a security
issue in a Symantec product. A member of the Symantec Product Security team
will contact you regarding your submission to coordinate any required
response. Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure@symantec.com. The Symantec Product
Security PGP key can be found at the location below.
Symantec has developed a Product Vulnerability Response document outlining the
process we follow in addressing suspected vulnerabilities in our products.
This document is available below.
Symantec Vulnerability Response Policy
Symantec Product Vulnerability Management PGP Key Symantec Product
Vulnerability Management PGP Key
Copyright (c) 2015 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Product Security.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com
Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Product Security, and
secure@symantec.com are registered trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All other
registered and unregistered trademarks represented in this document are the
sole property of their respective companies/owners.
* Signature names may have been updated to comply with an updated IPS
Signature naming convention. See
http://www.symantec.com/business/support/index?page=content&id=TECH152794&key=54619&actp=LIST
for more information.
Last modified on: July 30, 2015
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVcmCP36ZAP0PgtI9AQJb3BAAlO3R4QGEvp9YROWUecfderoLhdrgGm4c
+VhKRdBvoBL5cU0KQ8huK3hMZseLHr/DQVgjpCcYQ9MAJNNdRa1WYN9u3GOOsVEa
4cAvp9/DtmvO3CkWPrBHoNyQu3WZJlWmJOytN0I/0bufPLsBTHpCFz5Zk+VAtN17
zOXMpkpV9Hayqve6RFm0EmtLu7t6KJilR20kFFjZ2+MkOxPNKFdOT9bJEZjqX4j3
Z3h/uZ90vaNDHH27nZpFM9TY7L+rCc+bCuxJZnAn0u4xpq2oO3Gum69Qgh+8pnE3
QNGTL8GtW79MoGYAPeaBxrmIVUnesejiynkokuYs6rzXzMBAqxE68yUR4mW9DhS+
Wv1h9HkljHNcUmZc9MifeA5PaHrLGkOycWXdoe9Zmh9PjSlsaTt8hkaBMeiqlwyq
leY/FiTknv2zugMn28ZBUjyLRajjXb87YSpB1FCwCcjF+8K6vYnKSVkTxaBAKu/A
fkKVoyBsOIXhLv8RYBG6zjpJlmMXiQeNqTLPbVOa9lkaUOPaycGR8cJIma4Sfvp0
QraRpS5vkfNn5+90Yfj29dWEg2a1M2vY+oftBc10TlqyyBljfpNghBufQUvA/kfE
d0H81oRSPUszT9PPD+fX91xhCAeN6MMDsboHd8qkpsNmLyflbqdhPUfi+iqJwCy/
jaxp2r15vh8=
=yj2x
-----END PGP SIGNATURE-----