-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0066
Title: Symantec Endpoint Protection Multiple Issues [1]
Version history: 22.05.2012 Initial publication

Summary and Potential impact
============================

1) File Include/Remote Access Elevation of Privilege
   (CVSS v2 Base Score: 6.82 AV:N/AC:M/Au:N/C:P/I:P/A:P [2])
and
2) Directory Traversal File Deletion
   (CVSS v2 Base Score: 4 AV:A/AC:L/Au:N/C:C/I:C/A:N)

Symantec was notified of a vulnerable service running on the Symantec Endpoint Protection 12.1 management console. Successful access to this service can potentially allow an unauthorized remote attacker to launch a two-stage exploit attempt against the targeted server. In the first stage, an attacker gains access to and manipulates the vulnerable Manager service, resulting in directory traversal and file deletion activity that removes specific files. A successful attempt could result in loss of Manager console functionality even if the second stage of the attack is unsuccessful.

3) Local Access Elevation of Privilege
   (CVSS v2 Base Score: 3.2 AV:N/AC:H/Au:N/C:N/I:P/A:P)

A successful initial exploit attempt sets up the second stage. Leveraging the initial file removal allows an attacker to potentially insert and execute arbitrary code, resulting in unauthorized access in the context of the targeted application, which is System. Successful attacks consequently lead to local privilege escalation up to administrative rights.

Vulnerable Systems
==================

1) Symantec Endpoint Protection
   11.0 RU6 (11.0.600x)
   11.0 RU6-MP1 (11.0.6100)
   11.0 RU6-MP2 (11.0.6200)
   11.0 RU6-MP3 (11.0.6300)
   11.0 RU7 (11.0.700x)
   11.0 RU7-MP1 (11.0.710x)
   Fixed in: SEP 11 RU7 MP2 or later

2) Symantec Network Access Control
   11.0 RU6 (11.0.600x)
   11.0 RU6-MP1 (11.0.6100)
   11.0 RU6-MP2 (11.0.6200)
   11.0 RU6-MP3 (11.0.6300)
   11.0 RU7 (11.0.700x)
   11.0 RU7-MP1 (11.0.710x)
   Fixed in: SNAC 11 RU7 MP2 or later

What can you do?
================

Updates are available through customers’ normal support/download locations.

In addition, the supplier provides the following "good practice" information:

* Restrict access to administration or management systems to privileged users.
* Restrict remote access, if required, to trusted/authorized systems only.
* Run under the principle of least privilege where possible to limit the impact of exploitation by threats.
* Keep all operating systems and applications updated with the latest vendor patches.
* Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection against both inbound and outbound threats.
* Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

What to tell your users?
========================

The current settings allow successful attacks by local users only. We take this opportunity to remind you of the importance of physical security and of an appropriate level of user awareness of how to responsibly handle IT and network access.

More information
================

[1] http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120522_01
[2] More information about CVSS is available at: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional.
Announcements, alerts and warnings are sent out in a best-effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)

-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJPvMQ2OhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4NI1hAAo0uo3ou+
YESmWeA4n+Bo1cG/0VsxRqgdcMbMbuVk1CjjEdbJPC8Qz9RtLPs/A6WQEQnRUumk
+lLHnr455Ic2opZJ4fmL5uqB5icM8Spz1LkxgJEfa2NuG5dTSD1NKeJvkd0VJ0Rf
jeRgYpRVtwicuNhp0BHKl92IkPGI2S23DFAcoidCtDWQHiUkmGdCtblptj3VmkwE
t7zy+BzuboVmifdEvd3lv7Eh7Y5qXY+ObHsDoUw7yIkIphX06+c/0zXqFw6vfg/1
Jnx8MfWGviyiXuNuKmBH2f0EdPBsl8fzqkFBgJA9GN9FXmWvGejZ95i+KEKQvFCa
jul7suVdEOKGZ2sfqJXE53ODv6jPw65KFhDeZX4GGyo22fY9HwfDKG1D1EaLj69i
vLlAzM7X8wG+nUjUD3inLko1kX33x/mcQhpVs9YfOwNpDM8U+ojwe1FFkhi03HYD
f37I5y/RlNjLnfQeUjXzoOe7195s9GVIgdGS/nAde/GrhaaUzbdngP9YYlxJDERz
1sU6i7cUtCKg5glNtn4EW6jYk9GxpZmWPX1KEa2KHCgE2S77spRWHdgQyWCJKWlv
xp4niICKOroyK52iPiq9diXbtfVNm+eLFm9/wz9J2DtiDdHvESxzsaIMQryJmotj
t+xzsnmyNN/hUIxcg7A/JnkAmh/lhnwcShs=
=RuD3
-----END PGP SIGNATURE-----
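Editor's note on item 2 of the summary (Directory Traversal File Deletion): the advisory does not describe how the affected Manager service handled file names, so the following is an added, generic example of the defence that closes this vulnerability class, written here in Python. It is not code from Symantec, CERT-EU or the affected product, and the names `resolve_inside`, `delete_within`, `is_contained` and `demo` are assumptions chosen for illustration. The idea it shows is that a service which deletes files on behalf of a caller must canonicalise the requested path and check that the result is still inside the directory it is allowed to manage, rather than trusting the supplied string.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside the base directory."""


def resolve_inside(base_dir: str, requested: str) -> str:
    """Return the canonical path of `requested` if it lies inside `base_dir`.

    realpath() collapses '..' segments and follows symlinks, so the containment
    check is made on the path the OS would actually open, not on the caller's
    string. commonpath() compares whole path components, so a base of
    '/srv/data' does not accept '/srv/data2/x' the way a naive startswith() would.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` is absolute; such a path is
    # then resolved on its own and subjected to the same containment test.
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{requested!r} resolves outside {base!r}")
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """True if `requested` stays inside `base_dir`, False if it would escape."""
    try:
        resolve_inside(base_dir, requested)
        return True
    except PathTraversalError:
        return False


def delete_within(base_dir: str, requested: str) -> str:
    """Delete a file only after proving it lives under `base_dir`; return its path."""
    target = resolve_inside(base_dir, requested)
    os.remove(target)
    return target


def demo() -> dict:
    """Constructed scenario (not from the advisory): one deletable log inside
    the managed directory and one sensitive file just outside it."""
    root = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(root, "data")
    os.makedirs(os.path.join(base, "logs"))
    inside = os.path.join(base, "logs", "old.log")
    outside = os.path.join(root, "secret.cfg")
    for path in (inside, outside):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("constructed sample\n")

    results = {}
    # A legitimate relative name under the managed directory is removed.
    results["legit_deleted"] = (
        delete_within(base, "logs/old.log") == inside and not os.path.exists(inside)
    )
    # Classic '..' traversal is refused before any filesystem call is made.
    results["traversal_refused"] = not is_contained(base, "../secret.cfg")
    # An absolute path is refused too, since join() would otherwise honour it.
    results["absolute_refused"] = not is_contained(base, outside)
    # A sibling directory sharing the base name as a prefix is refused.
    results["prefix_trick_refused"] = not is_contained(
        base, os.path.join(root, "data2", "x")
    )
    # The base directory itself is never a deletable target.
    results["base_itself_refused"] = not is_contained(base, ".")
    # The file outside the managed directory is untouched.
    results["outside_intact"] = os.path.exists(outside)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The check is placed in `resolve_inside` so that every operation on caller-supplied names (deletion here, but equally reading or including a file) shares one containment decision; doing the canonicalisation and the comparison in separate places is where real services tend to drift apart.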