Symantec Enterprise Security Manager Remote Upgrade Authentication Bypass

1113

06 March 2020

05 April 2007

CLOSED

HIGH

SUMMARY

Symantec Enterprise Security Manager is susceptible to a remote code execution vulnerability.

Severity: High
Remote: Yes
Local Access: Yes
Authentication Required: No
Exploit publicly available: No

AFFECTED PRODUCTS

Vulnerable Products
The following supported ESM agent and manager platforms have patches available for immediate download. While the ESM manager is not vulnerable, it must be updated to work with the new agents.

Note: ESM 6.5.3 already includes the fixes and is not vulnerable.

ESM version: All versions prior to 6.5.3

ESM agent platform:

AIX (4.3.1, 4.3.3, 5.1, 5.2)
AIX (5.1, 5.2)
AIX 5L 5.1 (32-bit tested on 64-bit)
AIX 5L 5.2 (32-bit tested on 32-bit)
AIX 5L 5.3 (64-bit)
HP Tru64/OSF-1 4.0D - 5.1A (Digital Unix)
HP-UX (10.20, 11.0, 11i) (PA-RISC)
HP-UX (11.0, 11.11i) (PA-RISC)
HP-UX 10.20 (PA-RISC)
HP-UX 11i v2 (Itanium)
NCR UNIX 3.2 (ESM 5.1 only w/SU7b updated in 2003)
Red Hat Enterprise Linux (ES 2.1)
Red Hat Enterprise Linux 4 AS (Xeon and Opteron)
Red Hat Enterprise Linux 4 ES (x86)
Red Hat Enterprise Linux ES 2.1 (x86)
Red Hat Enterprise Linux ES 3.0 (x86)
Red Hat Enterprise Linux ES 4.0 Itanium
Red Hat Linux 8
Red Hat Linux 9
Red Hat Linux AS 3.0 64-bit (Itanium)
Red Hat Linux AS 3.0 64-bit (Opteron and Xeon)
Red Hat Linux WS 3.0 64-bit (Opteron and Xeon)
SUSE Linux Enterprise Server 8 (x86)
SUSE Linux Enterprise Server 9 (Itanium)
SUSE Linux Enterprise Server 9 (x86)
SUSE Linux Standard Server 8 (x86)
Solaris 2.10 (SPARC)
Solaris 2.10 (x86)
Solaris 2.6 (SPARC)
Solaris 2.9 (SPARC)
Windows 2000 (Professional, Server, Advanced Server)
Windows 2000 Advanced Server w/SP1+ (x86)
Windows 2000 Professional w/SP1+ (x86)
Windows 2000 Server w/ SP1+ (x86)
Windows NT 4.0
Windows NT 4.0 Workstation w/SP6a+
Windows NT 4.0 Server w/SP6a+
Windows Server 2003 (Itanium)
Windows Server 2003 (x86) (no SP)
Windows Server 2003 Enterprise Edition SP1 (x86)
Windows Server 2003 Standard Edition SP1 (x86)
Windows XP Professional w/SP1 (x86)
Windows XP Professional (x86) (no SP)
Windows XP Professional SP2 (x86)

ESM manager platform

ESM version

AIX 4.2.1
AIX 4.3.1, 4.3.3
AIX 4.3.3
AIX 5L 5.1
AIX 5L 5.2
HP-UX (10.20, 11.0, and 11.11) (PA-RISC)
HP-UX 10.20 (PA-RISC)
HP-UX 11.0 (PA-RISC)
HP-UX 11.23 (PA-RISC)
HP-UX 11i v1 (11.11) (PA-RISC)
Solaris 2.51 (SPARC)
Solaris 2.6 (SPARC)
Solaris 2.7 (SPARC)
Solaris 2.8 (SPARC)
Solaris 2.9 (SPARC)
Windows 2000 Advanced Server SP1+
Windows 2000 Advanced Server SP4+
Windows 2000 Professional SP1+
Windows 2000 Professional SP4+
Windows 2000 Server SP1+
Windows 2000 Server SP4+
Windows NT 4.0 Server w/SP6a+
Windows NT 4.0 Workstation w/SP6a+
Windows Server 2003

ADDITIONAL PRODUCT INFORMATION

The following ESM Agents are not affected because they do not support remote upgrade.

ESM version: All

ESM agent platform:

NetWare 6.0
NetWare 6.5
OS/400 V5R2
OS/400 V5R3
OpenVMS AXP 7.2
OpenVMS AXP 7.3

ISSUES

Details
All versions of the Enterprise Security Manager (ESM) are vulnerable to a remote code execution attack. The vulnerability exists in the ESM agent remote upgrade interface. The ESM agent accepts remote upgrade requests from any entity that understands the upgrade protocol, and it does not currently verify that upgrades come from a trusted source. An attacker with knowledge of the agent protocol could deploy a piece of software that allows the attacker to control the host computer. The ESM agent runs with administrative privileges.

MITIGATION

Symantec has released downloadable automated and manual fixes for all supported ESM agents.

To date, Symantec is not aware of any reported attempts to exploit this vulnerability.

For more information about installing or updating ESM components, see the Symantec Enterprise Security Manager Installation Guide.
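A triage sketch for applying this advisory to an asset inventory, added here as an example (not Symantec code): it flags agents below 6.5.3 for patching, exempts the agent platforms listed above as lacking remote upgrade, and marks managers below 6.5.3 for the update needed to work with the new agents. The inventory rows, host names, role names and result labels are constructed for illustration.

```python
import re

FIXED = (6, 5, 3)  # per the advisory, ESM 6.5.3 already includes the fixes
# Agent platforms the advisory lists as unaffected (no remote upgrade support).
NO_REMOTE_UPGRADE = ("netware", "os/400", "openvms")

def parse_version(text):
    """'6.5' -> (6, 5, 0). Raises ValueError for anything not purely numeric."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unparseable ESM version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(role, platform, version):
    """Classify one ESM component; the result labels are this example's own."""
    try:
        v = parse_version(version)
    except ValueError:
        return "review"                 # unknown version string: never assume safe
    if v >= FIXED:
        return "fixed"
    if role == "manager":
        return "update-for-new-agents"  # not vulnerable, but must work with patched agents
    if role == "agent":
        if platform.strip().lower().startswith(NO_REMOTE_UPGRADE):
            return "not-affected"       # no remote upgrade interface on this platform
        return "patch"
    return "review"                     # unrecognised role

# Constructed sample inventory: (host, role, platform, ESM version).
INVENTORY = [
    ("esm-mgr01", "manager", "Windows Server 2003", "6.5"),
    ("web01", "agent", "Red Hat Enterprise Linux ES 3.0 (x86)", "6.5"),
    ("db02", "agent", "Solaris 2.9 (SPARC)", "6.5.3"),
    ("nw01", "agent", "NetWare 6.5", "6.0"),
    ("as400", "agent", "OS/400 V5R3", "6.0"),
    ("old01", "agent", "NCR UNIX 3.2", "5.1 SU7b"),
]

def report(inventory):
    """Map each host to its triage verdict."""
    return {host: triage(role, platform, version)
            for host, role, platform, version in inventory}

if __name__ == "__main__":
    for host, verdict in report(INVENTORY).items():
        print(f"{host:10} {verdict}")
```

Hosts returned as "review" have a version string the parser cannot compare and should be checked by hand rather than assumed safe.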

REVISION

Added note clarifying that ESM 6.5.3 is not vulnerable.