Specific versions of the Symantec Endpoint Protection Management Console in Symantec Endpoint Protection 11.x and Symantec Network Access Control 11.x are susceptible to a potential local access elevation of privilege.
The Management Console in Symantec Endpoint Protection 12.1 is susceptible to remote access directory traversal/file deletion through a vulnerable service. A follow-on attack based on the success of the file deletion allows for a file insertion/code execution potentially resulting in unauthorized privilege escalation.
Local Access Elevation of Privilege
Product | Version | Build | Solution(s)
---|---|---|---
Symantec Endpoint Protection (Management Console) | 11.0 RU6 (11.0.600x), 11.0 RU6-MP1 (11.0.6100), 11.0 RU6-MP2 (11.0.6200), 11.0 RU6-MP3 (11.0.6300), 11.0 RU7 (11.0.700x), 11.0 RU7-MP1 (11.0.710x) | All | SEP 11 RU7 MP2 or later (Management Console)
Symantec Network Access Control (Management Console) | 11.0 RU6 (11.0.600x), 11.0 RU6-MP1 (11.0.6100), 11.0 RU6-MP2 (11.0.6200), 11.0 RU6-MP3 (11.0.6300), 11.0 RU7 (11.0.700x), 11.0 RU7-MP1 (11.0.710x) | All | SNAC 11 RU7 MP2 or later (Management Console)
NOTE: Symantec Endpoint Protection 12.1.x is NOT impacted by this issue
Remote Access Directory Traversal/File Deletion and Elevation of Privilege
Product | Version | Build | Solution(s)
---|---|---|---
Symantec Endpoint Protection Manager | 12.1 (12.1.671), 12.1 RU1 (12.1.1000) | All | SEP 12.1 RU1 MP1
NOTE: Only Symantec Endpoint Protection 12.1.x is impacted by these issues
Issue | CVSS2 Base Score | Impact | Exploitability | CVSS2 Vector
---|---|---|---|---
File Include/Remote Access Elevation of Privilege - Medium | 6.82 | 6.44 | 8.58 | AV:N/AC:M/Au:N/C:P/I:P/A:P
Directory Traversal File Deletion - Medium | 4 | 4.9 | 4.9 | AV:A/AC:L/Au:N/C:C/I:C/A:N
Local Access Elevation of Privilege - Low | 3.2 | 4.9 | 3.1 | AV:N/AC:H/Au:N/C:N/I:P/A:P
BID 51795 for the local access elevation of privilege issue
BID 53182 for the directory traversal/file deletion issue
BID 53183 for the file include/remote elevation of privilege issue
CVE-2012-0289 for the local access elevation of privilege issue
CVE-2012-0294 for the directory traversal/file deletion issue
CVE-2012-0295 for the file include/remote access elevation of privilege issue
Exploit Publicly Available:
Yes for CVE-2012-0289, Local Access Elevation of Privilege.
Details
Symantec was notified of a vulnerable service running on the Symantec Endpoint Protection 12.1 Manager. Successful access to this service can potentially allow an unauthorized remote attacker to launch a two-stage exploit attempt against the targeted server.
In the first stage, an attacker gains access to and manipulates the vulnerable Manager service, resulting in directory traversal and file deletion activity that removes specific files. A successful attempt could result in loss of Manager console functionality even if the second stage of the attack is unsuccessful.
A successful initial exploit attempt sets up the second stage. Leveraging the initial file removal, an attacker could potentially insert and execute arbitrary code, resulting in unauthorized access in the context of the targeted application, which is System.
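The flaw class behind the first stage is a file-deletion handler that joins a request-supplied name to its working directory without checking that the result stays inside it. The following is an added illustration, not the advisory's or Symantec's code: a hypothetical vulnerable handler beside a hardened one that canonicalises the path and rejects anything resolving outside the service directory, exercised against a constructed directory layout.

```python
import os
import tempfile


def delete_unsafe(base_dir: str, name: str) -> str:
    """Hypothetical vulnerable handler: the name is joined to the service
    directory with no containment check, so '..' segments walk out of it."""
    target = os.path.join(base_dir, name)
    os.remove(target)
    return target


def resolve_inside(base_dir: str, name: str) -> str:
    """Hardened resolution: canonicalise (symlinks included) and require the
    target to sit strictly inside base_dir; raise ValueError on any escape."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base}: {name!r}")
    return target


def delete_safe(base_dir: str, name: str) -> str:
    """Hardened handler: only deletes what resolve_inside() accepted."""
    target = resolve_inside(base_dir, name)
    os.remove(target)
    return target


def demo() -> dict:
    """Constructed scenario: a 'service' directory beside a file the service
    must never be able to remove. Returns what each handler did to it."""
    root = tempfile.mkdtemp()
    service_dir = os.path.join(root, "service")
    os.mkdir(service_dir)
    protected = os.path.join(root, "protected.txt")
    open(protected, "w").close()
    traversal = os.path.join("..", "protected.txt")  # constructed traversal name
    result = {}
    try:
        delete_safe(service_dir, traversal)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True
    result["protected_after_safe"] = os.path.exists(protected)
    delete_unsafe(service_dir, traversal)
    result["protected_after_unsafe"] = os.path.exists(protected)
    return result
```

The containment check also covers names that resolve through a symlink to a location outside the service directory, which a plain string check for ".." would miss.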
In a recommended installation, the Symantec Endpoint Protection Manager should be hosted behind the corporate firewall with restricted external access. If necessary to deploy the Manager outside the corporate network, Symantec strongly recommends configuring client/server communication only and blocking all access to the management console.
An unauthorized attacker, able to leverage network access or entice an authorized network user to download malicious content or visit a malicious site, could still attempt an attack against the Manager interface.
Symantec was also notified of a local access elevation of privilege (arbitrary code execution) issue in specific versions of the Symantec Endpoint Protection Management Console and Symantec Network Access Control Management Console 11.x. The arbitrary code execution is caused by inadequate boundary and error checking within one of the code functions.
To successfully exploit this issue, the attacker must have access to an authorized but unprivileged account on the local server that hosts either Symantec Network Access Control or Symantec Endpoint Protection 11.x management consoles. It is then possible for this user to potentially execute a maliciously formatted script resulting in a buffer overflow within a specific function used in both Symantec Network Access Control and Symantec Endpoint Protection. Successfully targeting this function could potentially allow an unprivileged user to elevate their access on the targeted system.
Symantec Response
Symantec product engineers verified the reported issues and resolved these issues in the Symantec Endpoint Protection releases identified above.
Update Information
Updates are available through customers' normal support/download locations.
Best Practices
As part of normal best practices, Symantec strongly recommends:
Symantec credits Anil Aphale, aka 41.w4r10r, with ControlCase India Pvt Ltd for the local access elevation of privilege issue reported in Symantec Endpoint Protection and Symantec Network Access Control 11.x.
Symantec credits Andrea Micalizzi, aka rgod, working through TippingPoint's Zero Day Initiative, for the directory traversal/file deletion and the file include/remote elevation of privilege multi-stage attack reported in Symantec Endpoint Protection Manager 12.1.
Security Focus, http://www.securityfocus.com, has assigned the following Bugtraq IDs (BIDs) to this issue for inclusion in the Security Focus vulnerability database.
These issues are candidates for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org). The CVE initiative has assigned
5/23/2012 Proof-of-Concept information released publicly for CVE-2012-0289. Clarification on affected product component and versions.