
             AUSCERT External Security Bulletin Redistribution

               Symantec Endpoint Protection Multiple Issues
                             15 November 2017


        AusCERT Security Bulletin Summary

Product:           Symantec Endpoint Protection
Publisher:         Symantec
Operating System:  Windows
Impact/Access:     Increased Privileges           -- Existing Account
                   Delete Arbitrary Files         -- Existing Account
                   Provide Misleading Information -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13681 CVE-2017-13680 CVE-2017-6331

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Advisories Relating to Symantec Products - Symantec Endpoint
Protection Multiple Issues


November 6, 2017


Symantec has released a set of updates to address three issues in the Symantec
Endpoint Protection (SEP) product.

Highest severity issue: High
Number of issues: 3


This update applies to the following issues:

TITLE                        CVE            SEVERITY
SEP Privilege Escalation     CVE-2017-13681 High
SEP Arbitrary File Deletion  CVE-2017-13680 Medium
SEP Tamper-Protection Bypass CVE-2017-6331  Low


Symantec has verified the issues and addressed them in product updates for SEP
outlined below.


The following Symantec enterprise products are affected.

PRODUCT                                     SOLUTION

Symantec Endpoint Protection prior to SEP   Upgrade to Symantec Endpoint
12.1 RU6 MP9 for CVE-2017-13681             Protection SEP 12.1 RU6 MP9

Symantec Endpoint Protection prior to SEP   Upgrade to Symantec Endpoint
12.1 RU6 MP9 & SEP 14 RU1 for               Protection SEP 12.1 RU6 MP9 or SEP
CVE-2017-13680                              14 RU1

Symantec Endpoint Protection 12.1.X & prior Upgrade to Symantec Endpoint
to SEP 14 RU1 for CVE-2017-6331             Protection SEP 14 RU1




Symantec Endpoint Protection Privilege Escalation


BID: 101504

Severity: High (CVSSv3: 8.8) (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Impact: Privilege escalation

Exploitation: None

Date patched: October 20, 2017

The Symantec Endpoint Protection Windows endpoint could be susceptible to a
privilege escalation vulnerability, a class of issue that allows a user to gain
elevated access to resources that are normally protected from users at lower
access levels. In this case, exploitation is limited by the need to perform
multiple file and directory writes to the local filesystem, so the issue is not
feasible in a standard drive-by type attack.


Symantec Endpoint Protection Arbitrary File Deletion


BID: 101503

Severity: Medium (CVSSv3: 6.5) (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)

Impact: Arbitrary File Deletion

Exploitation: None

Date patched: October 20, 2017

The Symantec Endpoint Protection Windows endpoint is affected by an issue
whereby an attacker could use the product's UI to perform unauthorized file
deletions on the local file system.


Symantec Endpoint Protection Tamper-Protection Bypass


BID: 101502

Severity: Low (CVSSv3: 2.8) (AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Impact: Tamper-Protection Bypass

Exploitation: None

Date patched: October 20, 2017

The Symantec Endpoint Protection Windows endpoint is affected by a
Tamper-Protection bypass. Tamper Protection is the real-time protection that
guards Symantec processes and internal objects on servers and clients against
modification by non-Symantec processes such as worms, Trojan horses, viruses,
and other security risks; a bypass defeats that protection. In this case, the
bypass only allows a small amount of text in one element of the UI to be
altered.


The issues listed above were validated by the product team engineers. A set of
Symantec Endpoint Protection updates, versions SEP 12.1 RU6 MP9 and SEP 14 RU1,
has been released to address them. Please ensure you apply the necessary
patches and upgrades accordingly. Symantec Endpoint Protection's latest
releases are available to customers through normal support channels. At this
time, Symantec is not aware of any exploitation of, or adverse customer impact
from, these issues.

Note 1: For customers running SEP 14, SEP 14 MP1 or SEP 14 MP2, only the low and
medium severity issues described above affect the SEP 14 product line. The high
severity issue does not affect any version of SEP 14.

Note 2: The vulnerabilities above affect only the SEP client. The SEPM manager
is not affected.

  * Matthieu Buffet on behalf of ANSSI (CVE-2017-13681)
  * Clément Lavoillotte @clavoillotte (CVE-2017-13680)
  * John Page AKA hyp3rlinx Apparitionsec (CVE-2017-6331)


- Minor edit on Nov 6th, 2017
- Added details on specific SEP endpoints
- Minor edit to adjust finder contact details


Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows responsible disclosure guidelines.
Symantec has developed a Software Security Vulnerability Management Process
document outlining the process we follow in addressing suspected
vulnerabilities in our products.

Symantec Corporation firmly believes in a proactive approach to secure software
development and implements security review into various stages of the software
development process. Additionally, Symantec is committed to the security of its
products and services as well as to its customers' data. Symantec is committed
to continually improving its software security process.

This document provides an overview of the current Secure Development Lifecycle
(SDLC) practice applicable to Symantec's product and service teams as well as
other software security related activities and policies used by such teams.
This document is intended as a summary and does not represent a comprehensive
list of security testing and practices conducted by Symantec in the software
development process.

Please contact secure@symantec.com if you believe you have discovered a
security issue in a Symantec product. A member of the Symantec Software
Security team will contact you regarding your submission to coordinate any
required response. Symantec strongly recommends using encrypted email for
reporting vulnerability information to secure@symantec.com.

The Symantec Software Security PGP key can be found at the following location:
Symantec Product Vulnerability Management PGP Key

Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Software Security.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com.

Last modified on: November 6, 2017

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.