The management server for Symantec Critical System Protection (SCSP) 5.2.9 and Data Center Security: Server Advanced (SDCS:SA) 6.0.x is susceptible to security issues which could enable privileged access to the management server. Prevention policy rules deployed to SCSP/SDCS:SA agents to restrict access to specific host functionality could also be bypassed.
| Product | Version | Build | Solution(s) |
|---|---|---|---|
| Symantec Critical System Protection Server and Agents | 5.2.9.x | All | SCSP 5.2.9 MP6 or update to 6.0 MP1 SDCS:SA. Apply Protection Policy Modifications Described Below |
| Symantec Data Center Security: Server Advanced Server and Agents | 6.0 | All | Update to 6.0 MP1. Apply Protection Policy Modifications Described Below |
| Symantec Data Center Security: Server Advanced Server and Agents | 6.0 MP1 | All | Apply Protection Policy Modifications Described Below |
| Issue | CVSS2 Base Score | Impact | Exploitability | CVSS2 Vector |
|---|---|---|---|---|
| SCSP/SDCS:SA Management Server Agent Control Interface RCE - High (NOTE: does NOT affect CSP 5.2.9 MP6 or DCS:SA 6.0 MP1) | 7.4 | 10 | 4.4 | AV:A/AC:M/Au:S/C:C/I:C/A:C |
| SCSP/SDCS:SA Management Server SQL Injection - High (NOTE: does NOT affect CSP 5.2.9 MP6 or DCS:SA 6.0 MP1) | 7.4 | 10 | 4.4 | AV:A/AC:M/Au:S/C:C/I:C/A:C |
| SCSP/SDCS:SA Management Server Non-Persistent XSS - Low | 3.8 | 4.9 | 4.4 | AV:A/AC:M/Au:S/C:P/I:P/A:N |
| SCSP/SDCS:SA Management Server Information Disclosure - Low | 2.7 | 2.9 | 5.1 | AV:A/AC:L/Au:S/C:P/I:N/A:N |
| SCSP/SDCS:SA Agent Default Protection Policy by-pass permits access to system functionality that should be authorized access restricted - Medium | 6.6 | 10 | 2.7 | AV:L/AC:M/Au:S/C:C/I:C/A:C |
| CVE | BID | Description |
|---|---|---|
| CVE-2014-3440 | BID 72091 | SCSP/SDCS:SA Management Server Agent Control Interface RCE |
| CVE-2014-7289 | BID 72092 | SCSP/SDCS:SA Management Server SQL Injection |
| CVE-2014-9224 | BID 72093 | SCSP/SDCS:SA Management Server Non-Persistent XSS |
| CVE-2014-9225 | BID 72094 | SCSP/SDCS:SA Management Server Information Disclosure |
| CVE-2014-9226 | BID 72095 | SCSP/SDCS:SA Client Default Security Protection Policy By-pass |
Details
Agent Control Interface RCE - The management server agent control interface for SCSP 5.2.9 MP5 and below and SDCS:SA 6.0 does not properly validate the content of log files uploaded from client systems for processing. This could allow unauthorized arbitrary code to be included in the log file content on a client system. When uploaded to the server, this arbitrary code could potentially be run during normal processing of the log file content on the server. If successfully exploited, an attacker could potentially gain access to a command shell with elevated privileges on the server.
NOTE: SCSP 5.2.9 MP6 and SDCS:SA 6.0 MP1 are not affected by this issue.
SCSP/SDCS:SA Management Server SQL Injection - SCSP 5.2.9 and SDCS:SA 6.0 are susceptible to SQL injection. An attacker who can gain access to the proper port on the management server could pass a specifically crafted HTTP request which could potentially execute arbitrary SQL commands. If successful, the attacker could possibly add themselves to the server as an administrator.
Symantec recommends always configuring the out-of-the-box prevention policy with local network information and applying it to the management server to limit access to the local network or only to security administrators.
NOTE: SCSP 5.2.9 MP6 and SDCS:SA 6.0 MP1 are not affected by this issue.
SCSP/SDCS:SA Management Server Non-persistent XSS - The Management Console server does not properly filter user input. This makes the server potentially susceptible to non-persistent cross-site scripting issues.
Workaround/mitigation information provided below.
SCSP/SDCS:SA Management Server Information Disclosure - The management server does not properly restrict internal server information in certain instances. Successful access to this information could potentially provide reconnaissance planning data to a non-privileged, non-authorized user.
Note: In a normal installation, the SCSP or SDCS:SA Management Console should not be accessible from outside the network, providing some mitigation against external threats. Attempts to exploit these issues would likely come from an authorized but malicious network user. However, an external attacker could potentially leverage known methods of trust exploitation in an attempt to gain access to a client system from which to launch an attack attempt on the server. These exploitation attempts generally require enticing an authorized user to access a malicious link in a context such as a website or an email.
Workaround/mitigation information provided below.
SCSP/SDCS:SA Agent Default Protection Policy By-pass - SCSP and SDCS:SA default protection policies are designed to restrict access to specific host functionality. The default protection policies provided do not sufficiently restrict access in some cases. An authenticated user could potentially bypass deployed protection policies, gaining unauthorized access to restricted functionality on a host.
Note: SCSP/SDCS:SA Protection Policies provide another layer of restriction to further complement existing OS user authorization. Circumventing the Protection Policies does NOT provide any additional levels of access to the authenticated user other than what their authorization level would permit under normal OS security settings.
See Mitigation Section below for information on customizing protection policies to address this.
Symantec is not aware of exploitation of or adverse customer impact from this issue.
Update Information
SCSP 5.2.9 MP6 and SDCS:SA 6.0 MP1 are available through Symantec File Connect.
Symantec Response and Mitigations/Workarounds
Symantec recommends that customers upgrade to the latest SDCS:SA 6.0 MP1. However, if unable to upgrade immediately, there are some workarounds available to mitigate these issues affecting the SCSP/SDCS:SA server and agents.
SCSP/SDCS:SA Server mitigation for remote agent RCE
Symantec highly recommends upgrading to SCSP 5.2.9 MP6 or SDCS:SA 6.0 MP1; however, if unable to at this time:
SCSP/SDCS:SA Management Console Non Persistent XSS
SCSP/SDCS:SA Management Console Information Disclosure
Use the Java console.
Note that the AjaxSwing web console will not ship in future releases.
SCSP/SDCS:SA Agent Security Policy By-Pass Mitigation
Implement the security policy configurations provided in TECH227679, <http://www.symantec.com/docs/TECH227679>
Best Practices
As part of normal best practices, Symantec strongly recommends the following:
Symantec would like to thank Balint Varga-Perke with Silent Signal working through Beyond Security for reporting CVE-2014-3440 and working with Symantec as it was addressed.
Symantec would like to thank Stefan Viehbock with SEC-Consult for reporting CVE-2014-7289, CVE-2014-9224, CVE-2014-9225 and CVE-2014-9226 and working with Symantec as they were addressed.
BID: Security Focus, http://www.securityfocus.com, has assigned Bugtraq IDs (BIDs) to this issue for inclusion in the Security Focus vulnerability database.
CVE: This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.