Symantec Endpoint Protection Multiple Security Issues

Product: Endpoint Protection
Advisory ID: 1370
Last updated: 05 March 2020
Published: 28 June 2016
Status: CLOSED
Severity: HIGH
CVSS Base Score: 7.1

SUMMARY

Symantec Endpoint Protection (SEP) was susceptible to a number of security vulnerabilities that could allow a user to gain elevated privilege on, or access unauthorized files through, the management console.

Additionally, a race condition in the device control of a SEP client could allow a local user to bypass the device restrictions, giving some level of access to copy files to or from a removable device on the client system.

AFFECTED PRODUCTS

Product                                          Version   Build   Solution
Symantec Endpoint Protection Manager and client  12.1      All     Update to 12.1-RU6-MP5

ISSUES

Scores are CVSS base scores; the v2 and v3 vectors are given for each issue.

Server-Side Request Forgery authentication interface - Medium
  CVSS v2: 4.8  AV:A/AC:M/Au:M/C:C/I:N/A:N
  CVSS v3: 5.4  AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

Authentication Lock threshold bypass brute force attack - High
  CVSS v2: 7.1  AV:A/AC:L/Au:S/C:C/I:C/A:N
  CVSS v3: 7.3  AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Sysadmin authenticated listing disclosure - Low
  CVSS v2: 2.2  AV:A/AC:L/Au:M/C:P/I:N/A:N
  CVSS v3: 2.4  AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Server credentials disclosure - Medium
  CVSS v2: 4.0  AV:A/AC:H/Au:M/C:C/I:N/A:N
  CVSS v3: 4.5  AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Multiple XSS in SEPM management script code - Medium
  CVSS v2: 6.8  AV:A/AC:M/Au:S/C:C/I:C/A:N
  CVSS v3: 6.7  AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

PHP JSESSIONID accessible on Web Server - Medium
  CVSS v2: 6.5  AV:A/AC:H/Au:S/C:C/I:C/A:C
  CVSS v3: 6.8  AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Multiple SEPM CSRF - High
  CVSS v2: 7.0  AV:A/AC:M/Au:M/C:C/I:C/A:C
  CVSS v3: 7.1  AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Open Redirect in external URL .php script - Medium
  CVSS v2: 4.1  AV:A/AC:L/Au:S/C:P/I:P/A:N
  CVSS v3: 4.1  AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

DOM-based link manipulation in php script - Medium
  CVSS v2: 5.2  AV:A/AC:M/Au:S/C:N/I:C/A:N
  CVSS v3: 5.2  AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Strict transport security not enforced on port 8445 - Medium
  CVSS v2: 4.1  AV:A/AC:L/Au:S/C:P/I:P/A:N
  CVSS v3: 4.6  AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Web Root directory traversal in management console - Medium
  CVSS v2: 4.1  AV:A/AC:L/Au:S/C:P/I:P/A:N
  CVSS v3: 4.6  AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

SEP Client Device Control Restriction Local Race Condition Bypass - Low
  CVSS v2: 2.4  AV:L/AC:H/Au:S/C:P/I:P/A:N
  CVSS v3: 2.8  AV:P/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

CVE            BID    Description
CVE-2016-3647  91433  Server-Side Request Forgery authentication interface
CVE-2016-3648  91441  Authentication Lock threshold bypass brute force attack
CVE-2016-3649  91440  Sysadmin authenticated listing disclosure
CVE-2016-3650  91432  Server credentials disclosure
CVE-2016-3651  91445  PHP JSESSIONID accessible on Web Server
CVE-2016-3652  91444  Multiple XSS in SEPM management script code
CVE-2016-3653  91442  Multiple SEPM CSRF
CVE-2016-5304  91447  Open Redirect in external URL .php script
CVE-2016-5305  91448  DOM-based link manipulation in php script
CVE-2016-5306  91449  Strict transport security not enforced on port 8445
CVE-2016-5307  91443  Web Root directory traversal in management console
CVE-2015-8801  91446  SEP Client Device Control Restriction Local Race Condition Bypass

MITIGATION

Details

The SEP management console (SEPM) contains a number of security vulnerabilities that a lower-privileged or unauthorized user could use to elevate privilege or gain access to unauthorized information on the management server. Exploiting any of these vulnerabilities requires access to the SEPM console.

Cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities exist in the interface scripts and forms used to manage the console and to generate status and activity reports. The console does not sufficiently validate or sanitize incoming input or server output, and its CSRF protection is inadequate. These issues could be exploited by tricking a properly authenticated user into opening a maliciously crafted link, or by a less-privileged but authorized user manipulating existing console URLs. Depending on the nature of the link, arbitrary HTML requests and PHP script requests can be issued in the context of the targeted user's browser. Successful exploitation could let an unauthorized or less-privileged user hijack the browser session being used to manage the console, gain user-level access to the console, and from there attempt to elevate privileges. The management console normally allows access to specified users/administrators only.
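The CSRF protection the paragraph says the console lacked, shown as an added example; this is not Symantec's code and does not describe how SEPM implemented or fixed the check. It binds a synchronizer token to the session with an HMAC and pairs it with an Origin/Referer check; the server secret and the console origin are constructed values for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for this example only; a real deployment loads the secret
# from protected configuration and derives the origin from its own listener.
SERVER_SECRET = b"constructed-example-secret-not-for-real-use"
TRUSTED_ORIGINS = {"https://sepm.example.internal:8443"}  # hypothetical console origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Return a fresh token bound to this session: random nonce + HMAC over (session, nonce).
    Binding to the session means a token captured from one session is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for the presented nonce and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def source_origin(headers: dict) -> str:
    """Origin header if present, otherwise the origin part of Referer, otherwise ''."""
    lookup = {k.lower(): v for k, v in headers.items()}
    if lookup.get("origin"):
        return lookup["origin"]
    ref = lookup.get("referer")
    if ref:
        p = urlsplit(ref)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return ""


def request_is_allowed(method: str, headers: dict, form: dict, session_id: str) -> bool:
    """Gate for state-changing console actions.

    Safe methods pass because the handlers behind them must never change state
    (a state-changing GET is exactly what a crafted link exploits). Anything else
    needs a trusted source origin and a valid session-bound token. The token is
    the primary control; the origin check is a cheap second layer. A request with
    neither Origin nor Referer fails closed."""
    if method.upper() in SAFE_METHODS:
        return True
    if source_origin(headers) not in TRUSTED_ORIGINS:
        return False
    return token_is_valid(session_id, form.get("csrf_token", ""))
```

Relax the fail-closed origin rule only for documented non-browser clients that authenticate without cookies, since those are the only legitimate callers that send no Origin or Referer.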

A server-side request forgery (SSRF) exists in the authentication interface: an attacker can cause the management server to issue requests on their behalf, so that the requests appear to originate from the server itself, in order to bypass existing access controls and scan content on the internal network that the attacker could not reach directly.

An authorized but non-privileged network user with access to the SEPM authentication window could bypass the account lockout threshold, allowing a brute-force password attack in an effort to recover valid management console passwords.

An authorized management console administrator could manipulate GET requests to enumerate other valid system administrator accounts. That information could then be used to brute-force those accounts' passwords as described above.

The reporting URL used to route generated reports to an external, authorized URL is susceptible to open redirect: an authorized but less-privileged user could redirect an unsuspecting privileged user to an attacker-chosen external URL to attempt further exploitation, e.g. phishing.
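The class of check that closes an open redirect, as an added example; it is not Symantec's code and does not describe how the SEPM reporting script handled its URL parameter. A destination is accepted only when it is a path within the console or an https URL to an allow-listed report host (the host names are hypothetical), and the common obfuscations (scheme-relative URLs, userinfo tricks, backslashes, tab or newline characters, percent-encoding) are normalized the way a browser would before the decision is made.

```python
from urllib.parse import urlsplit, unquote

# Hypothetical hosts that generated reports may be routed to.
ALLOWED_REPORT_HOSTS = {"reports.example.internal", "sepm.example.internal"}


def safe_redirect_target(raw: str, default: str = "/console/") -> str:
    """Return the normalized destination if it is acceptable, else default.

    Accepted: an absolute path on this site ("/x/y") or an https URL whose host
    is allow-listed. Everything else (other schemes, scheme-relative "//host",
    userinfo tricks, percent-encoded variants of the above) falls back to the
    default console page."""
    if not raw:
        return default
    # Decode once for "%2F%2Fhost" style hiding; browsers strip tabs/newlines and
    # treat "\" as "/" in special schemes, so normalize the same way first.
    candidate = unquote(raw)
    candidate = "".join(c for c in candidate if c not in "\t\r\n").strip()
    candidate = candidate.replace("\\", "/")
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate                     # same-site path
    parts = urlsplit(candidate)
    if parts.scheme != "https":
        return default                       # http, javascript:, data:, or "" (i.e. //host)
    if parts.username is not None or parts.password is not None:
        return default                       # https://trusted-host@evil.example
    if parts.hostname not in ALLOWED_REPORT_HOSTS:
        return default
    return candidate
```

Matching on the parsed hostname rather than on a string prefix is what defeats "https://evil.example/reports.example.internal" and "https://reports.example.internal.evil.example".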

An authorized network user with access to the management console could exploit a DOM-based link manipulation weakness (a form of XSS) in the management scripts to attempt attacks against managed client systems.

HTTP Strict Transport Security (HSTS) was not effectively enforced on port 8445, the SEPM listening port. Without HSTS a browser that is induced to connect over plaintext HTTP, or that follows a downgraded redirect, is not forced back onto TLS, which could lead to information leakage or redirection-type attacks.
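A check a practitioner can run against port 8445 after updating, as an added example that is not Symantec's code. assess_hsts() reasons over a response header map and is exercised below on constructed responses (not captured from a real SEPM); probe() performs the live HEAD request. The one-year max-age floor is an assumption taken from common HSTS guidance, not a value the advisory states.

```python
import http.client
import ssl

MIN_MAX_AGE = 31536000  # one year; assumed floor, adjust to your policy


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict, or None if absent/malformed.
    max-age is mandatory per RFC 6797; a header without it is ignored by browsers."""
    if header_value is None:
        return None
    policy = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max-age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["includesubdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max-age"] is None:
        return None
    return policy


def assess_hsts(headers):
    """Return a list of findings for a response header map (keys matched
    case-insensitively). An empty list means the policy is acceptable."""
    lookup = {k.lower(): v for k, v in headers.items()}
    policy = parse_hsts(lookup.get("strict-transport-security"))
    if policy is None:
        return ["Strict-Transport-Security header missing or malformed"]
    findings = []
    if policy["max-age"] == 0:
        findings.append("max-age=0 disables HSTS")
    elif policy["max-age"] < MIN_MAX_AGE:
        findings.append(f"max-age {policy['max-age']} is below {MIN_MAX_AGE}")
    if not policy["includesubdomains"]:
        findings.append("includeSubDomains not set")
    return findings


def probe(host, port=8445, path="/", context=None):
    """Live check over TLS. Certificate verification stays on; pass a context
    built from your own CA if the console uses a self-signed certificate."""
    ctx = context or ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path)
        return assess_hsts(dict(conn.getresponse().getheaders()))
    finally:
        conn.close()


# Constructed sample responses for the example; not captured from a real SEPM.
SAMPLE_BEFORE = {"Server": "Apache", "Content-Type": "text/html"}
SAMPLE_AFTER = {"Server": "Apache",
                "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
```

Run probe() against the console host rather than the address in a local hosts file, since HSTS is keyed on the host name the browser uses. Note that the header only counts when received over TLS; a browser ignores it on a plaintext response.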

A limited directory traversal exists in the management console that could allow a less-privileged user to access files and directories under the web root.
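How a request handler confines requested paths to the web root, as an added example; it is not Symantec's code and does not reproduce the SEPM flaw or its fix. The web root is a temporary directory created for the example. The decision is made on the canonical form of the path rather than on a denylist of ".." patterns, which is why encoded dots, backslashes and symlinks that point outside the root are all handled by one comparison.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed stand-in for the console's web root; a real handler uses its
# configured document root.
DEMO_ROOT = tempfile.mkdtemp(prefix="webroot-")


def canonical_root(web_root: str) -> str:
    """Resolve symlinks and normalize so comparisons happen on one canonical form."""
    return os.path.realpath(web_root)


def resolve_under_root(web_root: str, requested: str):
    """Map a request path onto the filesystem, refusing anything that escapes web_root.

    Returns the absolute path to serve, or None when the request must be rejected."""
    decoded = unquote(requested)           # decode once, as the server would
    if "\x00" in decoded:
        return None                        # NUL truncation tricks
    # Do not decode a second time downstream: "%252e%252e" stays a literal
    # directory name here and therefore cannot become "..".
    decoded = decoded.replace("\\", "/")   # Windows-style separators
    root = canonical_root(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None
```

The startswith test includes the separator so that a sibling directory such as "webroot-old" next to "webroot" is not mistaken for a child of the root.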

Note: In a typical installation the Symantec Endpoint Protection management console should not be reachable from outside the network environment, and internal access should be restricted to specified users/administrators. Web browsers used by authorized users to access the management console should never be used to browse external web sites during an active administrative session. These restrictions greatly reduce exposure to external attempts of these types.

On a SEP client, a race condition existed between the moment a USB drive is inserted into a client-system USB port and the moment SEP's device control begins enforcing access control over the external device. During this brief window a user with local access to the system could copy unauthorized sensitive files from the client system to the unauthorized USB device, or possibly copy arbitrary file content from the USB device onto the local system.

Symantec Response 

Symantec product engineers confirmed that some of these issues had already been found through internal testing, with fixes pending in SEP 12.1-RU6-MP5, and confirmed the externally reported issues in previous releases. Symantec engineers continue to review related functionality to further enhance the overall security of Symantec Endpoint Protection. Symantec has released Symantec Endpoint Protection 12.1 RU6 MP5, which is available to customers through normal support locations. Customers are advised to update to RU6-MP5 as soon as possible to address the security issues identified in this advisory.

Symantec is not aware of exploitation of or adverse customer impact from these issues.

Update Information

Symantec Endpoint Protection Manager 12.1-RU6-MP5 is available from Symantec File Connect.

Best Practices

As part of normal best practices, Symantec strongly recommends the following:

  • Restrict access to administrative or management systems to authorized privileged users.

  • Restrict remote access, if required, to trusted/authorized systems only.

  • Run under the principle of least privilege where possible to limit the impact of potential exploit.

  • Keep all operating systems and applications current with vendor patches.

  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.

  • Deploy network- and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

ACKNOWLEDGEMENTS

Symantec would like to thank Huy-Ngoc Dau, with Deloitte France for reporting information on CVE-2016-3647, 3648, 3649, 3650, 3651 and working with us as we addressed them.

Symantec would like to thank John Page aka hyp3rlinx, for reporting information on CVE-2016-3652, 3653, and 5304 and working with us as we addressed them.

Symantec would like to thank Josh Meyer, with the MITRE Corporation, for reporting information on CVE-2016-5304, 5305, 5306, and 3651 and working with us as we addressed them.

Symantec would like to thank Che Lin Law, with MWR InfoSecurity, for reporting information on CVE-2016-5307 and working with us as we addressed it.

Symantec would like to thank Chris Salerno, with Security Risk Advisors, for reporting information on CVE-2015-8801 to us and working with us as we addressed it.