Symantec Fixes Security Issues

Friday, March 18, 2016 @ 03:03 PM gHale


Symantec Endpoint Protection (SEP) received an update after researchers found flaws that could potentially result in gaining elevated access to the Management Console.

In addition, SEP Client security mitigations could potentially end up bypassed allowing arbitrary code execution on a targeted client, according to a report on US-CERT.

RELATED STORIES
Hackers Hit Security Firm
Intel Fixes McAfee Bug
PAN-OS Vulnerabilities Addressed
Security Support Tool Patched

The management console for Symantec Endpoint Protection Manager (SEPM) 12.1 contained a cross-site request forgery vulnerability that was the result of an insufficient security check in SEPM.

An authorized but less-privileged user could potentially include arbitrary code in authorized logging scripts. When submitted to SEPM, successful execution could possibly result in the user gaining unauthorized elevated access to the SEPM management console with application privileges, according to the report.

There was a SQL injection found in SEPM that could have allowed an authorized but less-privileged SEPM operator to potentially elevate access to administrative level on the application.

The sysplant driver loads as part of the Application and Device Control (ADC) component on a SEP client if ADC ends up installed and enabled on the client. A previous security update to this driver did not sufficiently validate or protect against external input. Successfully bypassing security controls could potentially result in targeted arbitrary code execution on a client system with logged-on user privileges, according to the report. Exploitation attempts of this type generally use known methods of trust exploitation requiring enticing a currently authenticated user to access a malicious link or open a malicious document in a context such as a website or in an email.
Users not employing ADC do not suffer from the client issue.

As a result of the discoveries, Symantec product engineers addressed these issues in SEP 12.1-RU6-MP4. Users should update to RU6-MP4 as soon as possible to address these issues, officials said.

Symantec said no one is currently exploiting these issues.

Symantec Endpoint Protection Manager 12.1-RU6-MP4 is available from Symantec File Connect.

As part of normal best practices, Symantec recommends:
• Restrict access to administrative or management systems to authorized privileged users.

• Restrict remote access, if required, to trusted/authorized systems only.

• Run under the principle of least privilege where possible to limit the impact of potential exploit.

• Keep all operating systems and applications current with vendor patches.

• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.

• Deploy network- and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Anatoly Katyushin of Kaspersky Labs found two of the flaws, while the enSilo Research Team found another.