Symantec fixes high-risk flaws in its Endpoint Protection
22 March 2016 | 0
Symantec has fixed three high-risk security vulnerabilities in Symantec Endpoint Protection, which serves as a reminder that security software needs to be regularly patched too.
All three vulnerabilities were fixed in Symantec Endpoint Protection version 12.1. Two of the flaws, if exploited, could let authorised low-level users gain higher privileges, Symantec said in its advisory. The third bug bypasses security controls on the Symantec Endpoint Protection client software that prevent users from running untrusted software on the targeted system. Symantec said there were no reports of any of these vulnerabilities being targeted in the wild.
“Symantec product engineers have addressed these issues in SEP 12.1-RU6-MP4. Customers should update to RU6-MP4 as soon as possible to address these issues,” Symantec said in the advisory.
The cross-site request forgery flaw (CVE-2015-8152) and SQL injection bug (CVE-2015-8153) in the SEP Management Console can be exploited to give authorised users more elevated privileges than originally assigned. These vulnerabilities, if successfully exploited, make it easier for attackers because they no longer need to try to steal administrator-level credentials. They can intercept lower-level user credentials and bump up the privileges as needed.
An authorised but less-privileged user could potentially trigger the flaw by embedding the malicious code inside a logging script, Symantec said. When the management console processes the script, the code is executed and gives the attacker the privileged rights.
Along with updating the software, Symantec recommended that IT administrators restrict remote access to the management console. Authorised users can access the management console over the network or locally from the management server. Symantec suggested reviewing existing users to make sure account access is granted to only those administrators who really need it.
The third flaw (CVE-2015-8154) was in the SysPlant.sys driver, which Symantec Endpoint Protection loads on Windows clients as part of Application and Device Control (ADC) component. The driver prevents untrusted code from running on Windows systems. If the vulnerability is successfully exploited, the attacker bypasses the ADC to execute malicious code on the system with the same privileges as the logged on user.
It is not too difficult to exploit this vulnerability, since it could be triggered by just clicking on a malicious link in an email or opening a booby-trapped document.
The issue affects only customers who have ADC installed and enabled. Uninstalling or disabling ADC in Symantec Endpoint Protection mitigates this issue, Symantec said.
“A previous security update to this drive did not sufficiently validate or protect against external input,” Symantec said.
IDG News service