
Endpoint Security Ticket

Symantec Warning Users Of Flaws In Its Own Software


Security firm Symantec has warned of three serious vulnerabilities in its own Symantec Endpoint Protection software and is advising users to update immediately. The bugs affect all builds of Symantec Endpoint Protection version 12.1. The first two flaws allow authorized, low-privilege users to gain elevated and/or administrative access to the management console. The third, located in the sysplant driver, lets users bypass Endpoint Protection's security controls and run malware and other malicious code on a victim's machine.

Symantec says on its blog that exploitation of these flaws normally begins with social engineering or phishing. Exploitation attempts of this type generally use known methods of trust exploitation, requiring the attacker to entice a currently authenticated user to access a malicious link or open a malicious document, for example on a website or in an email.

The Technical Details

The first vulnerability is a cross-site request forgery (XSRF) flaw in the management console for Symantec Endpoint Protection. It allows an authorized but underprivileged user to escalate their privileges to those of an administrator by submitting arbitrary code to some of the logging scripts found in the application. The result is unauthorized elevated permissions on the Symantec Endpoint Protection Management console, with the same privileges as the application itself.

The second vulnerability is a SQL injection flaw, also found in the Endpoint Management System. It likewise allows a user to elevate their privileges to those of an administrator on the system.

The final vulnerability, in the sysplant driver, is the result of an earlier, failed attempt to patch an already known security hole in the software. The part of the driver that causes most of the problems is the Application and Device Control (ADC) component on a Symantec Endpoint Protection client. Provided that ADC is loaded on the system, an attacker may pass input to ADC that is not properly sanitized. This can lead to a condition in which the attacker executes arbitrary code at the privilege level of whichever user is logged in.

Symantec has issued an advisory that all customers should update their software as soon as possible. Symantec product engineers have addressed these issues in SEP 12.1-RU6-MP4, and customers should update to RU6-MP4 as soon as possible. Where updating is not a viable option at the moment, ADC can be disabled or uninstalled entirely as a mitigation; this mitigates only the ADC-related issue. There are no known workarounds for the other two vulnerabilities, so updating remains the main option.

Best Practices

As provided by Symantec on its blog, as part of normal best practices Symantec strongly recommends the following:

- Restrict access to administrative or management systems to authorized privileged users.
- Restrict remote access, if required, to trusted/authorized systems only.
- Run under the principle of least privilege where possible to limit the impact of a potential exploit.
- Keep all operating systems and applications current with vendor patches.
- Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection against both inbound and outbound threats.
- Deploy network- and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.