Symantec Endpoint Protection Multiple Issues

Endpoint Protection


1418

05 March 2020

06 November 2017

CLOSED

HIGH

8.8

SUMMARY


Symantec has released a set of updates to address three issues in the Symantec Endpoint Protection (SEP) product.

AFFECTED PRODUCTS

Symantec Endpoint Protection (SEP)

CVE              Affected Version(s)              Remediation
CVE-2017-13681   Prior to 12.1 RU6 MP9            Upgrade to 12.1 RU6 MP9
CVE-2017-13680   Prior to 12.1 RU6 MP9 & 14 RU1   Upgrade to 12.1 RU6 MP9 & 14 RU1
CVE-2017-6331    Prior to 12.1.X                  Upgrade to 14 RU1

ISSUES


CVE-2017-13681

Severity/CVSSv3:

High / 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

References:

Securityfocus: BID 101504 / NVD: CVE-2017-13681

Impact:

Privilege escalation

Description:

The Symantec Endpoint Protection Windows endpoint could be susceptible to a privilege escalation vulnerability, a type of issue that allows a user to gain elevated access to resources that are normally protected from lower access levels. In the circumstances of this issue, exploitation is limited by the need to perform multiple file and directory writes to the local filesystem and is therefore not feasible in a standard drive-by type attack.


CVE-2017-13680

Severity/CVSSv3:

Medium / 6.5 (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)

References:

Securityfocus: BID 101503 / NVD: CVE-2017-13680

Impact:

Arbitrary file deletion

Description:

The Symantec Endpoint Protection Windows endpoint can encounter a situation whereby an attacker could use the product's UI to perform unauthorized file deletions on the resident file system.


CVE-2017-6331

Severity/CVSSv3:

Low / 2.8 (AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

References:

Securityfocus: BID 101502 / NVD: CVE-2017-6331

Impact:

Tamper protection bypass

Description:

The Symantec Endpoint Protection Windows endpoint can encounter a Tamper Protection bypass, a type of attack that circumvents the real-time protection of the application running on servers and clients. Tamper Protection guards Symantec processes and internal objects against such attacks by non-Symantec processes, including worms, Trojan horses, viruses, and other security risks. Note that in this circumstance, the tamper-protection bypass only allows altering a small amount of text in one element of the UI.

MITIGATION

The issues listed above were validated by the product team engineers. A set of Symantec Endpoint Protection updates, versions SEP 12.1 RU6 MP9 and SEP 14 RU1, has been released to address the aforementioned issues. Please ensure you apply the necessary patches and upgrades accordingly. Symantec Endpoint Protection's latest releases are available to customers through normal support channels. At this time, Symantec is not aware of any exploitation of, or adverse customer impact from, these issues.

Note1: For customers running SEP 14, SEP 14 MP1 or SEP 14 MP2, only the low and medium severity issues described in this advisory affect the SEP 14 product line. The high severity issue does not impact any instance of SEP 14.

Note2: The aforementioned vulnerabilities only pertain to the SEP client. The SEPM manager is not affected.
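A small triage helper that applies the affected-version table together with Note1 and Note2 above, so an inventory of client versions can be checked against the three CVEs. This is an added example, not Symantec's code: it understands versions written the way this advisory writes them ("12.1 RU6 MP8", "14 MP2", "SEP 14 RU1"), reads the table's "Prior to 12.1.X" for CVE-2017-6331 as covering every 12.1 build (an assumption, since the only listed remediation is 14 RU1), and takes the installed version string from the caller rather than reading it from the system.

```python
"""Triage SEP client versions against the three issues in this advisory.

Added example (not Symantec's own code). Versions are given in the advisory's
own naming: "<line> [RU<n>] [MP<n>]", where <line> is 12.1 or 14 (14.0).
"""
import re
from typing import Dict, NamedTuple


class SepVersion(NamedTuple):
    """A SEP release as the advisory names it: release line + RU + MP."""
    line: str   # "12.1" or "14"
    ru: int     # Release Update number, 0 when none
    mp: int     # Maintenance Patch number, 0 when none


_VERSION_RE = re.compile(
    r"^\s*(?:SEP\s+)?(\d+(?:\.\d+)?)\s*(?:RU\s*(\d+))?\s*(?:MP\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> SepVersion:
    """Parse "12.1 RU6 MP9" / "14 MP2" / "SEP 14.0 RU1" into a SepVersion."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SEP version string: {text!r}")
    line, ru, mp = m.groups()
    if line in ("14", "14.0"):          # "14" and "14.0" name the same line
        line = "14"
    elif line != "12.1":
        raise ValueError(f"release line {line} is not covered by this advisory")
    return SepVersion(line, int(ru or 0), int(mp or 0))


# Remediation text, copied from the advisory's affected-products table.
REMEDIATION = {
    "CVE-2017-13681": "Upgrade to 12.1 RU6 MP9",
    "CVE-2017-13680": "Upgrade to 12.1 RU6 MP9 & 14 RU1",
    "CVE-2017-6331": "Upgrade to 14 RU1",
}


def is_affected(cve: str, v: SepVersion) -> bool:
    """Apply the table plus Note1 to one installed version."""
    level = (v.ru, v.mp)   # RU outranks MP, so tuple comparison orders builds
    if cve == "CVE-2017-13681":
        # High: 12.1 before RU6 MP9. Note1: no SEP 14 instance is affected.
        return v.line == "12.1" and level < (6, 9)
    if cve == "CVE-2017-13680":
        # Medium: 12.1 before RU6 MP9, and SEP 14 before RU1.
        return level < (6, 9) if v.line == "12.1" else level < (1, 0)
    if cve == "CVE-2017-6331":
        # Low: assumed to cover every 12.1 build ("Prior to 12.1.X", fix is
        # 14 RU1); on the SEP 14 line, affected before RU1 (Note1).
        return True if v.line == "12.1" else level < (1, 0)
    raise KeyError(f"CVE {cve} is not part of this advisory")


def triage(version_text: str, component: str = "client") -> Dict[str, str]:
    """Return {cve: remediation} for the issues that apply to this install.

    Note2: only the SEP client is affected, so anything other than a client
    (for example the SEPM manager) gets an empty result.
    """
    if component.lower() != "client":
        return {}
    v = parse_version(version_text)
    return {cve: fix for cve, fix in REMEDIATION.items() if is_affected(cve, v)}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    inventory = [
        ("ws-01", "12.1 RU6 MP8", "client"),
        ("ws-02", "14 MP2", "client"),
        ("ws-03", "14 RU1", "client"),
        ("mgr-01", "14 MP2", "SEPM"),
    ]
    for host, ver, comp in inventory:
        hits = triage(ver, comp)
        print(f"{host:7} {comp:6} {ver:14} ->", hits or "not affected")
```

Running the block prints, for the constructed inventory, that ws-01 needs all three fixes, ws-02 needs the medium and low fixes only (the high-severity issue never applies to the SEP 14 line, per Note1), ws-03 is clean, and the manager host is out of scope per Note2.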


Best Practices

Symantec recommends the following measures to reduce risk of attack:

  • Restrict access to administrative or management systems to authorized privileged users.
  • Restrict remote access to trusted/authorized systems only.
  • Run under the principle of least privilege, where possible, to limit the impact of potential exploitation.
  • Keep all operating systems and applications current with vendor patches.
  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.


ACKNOWLEDGEMENTS


  • Matthieu Buffet on behalf of ANSSI (CVE-2017-13681)
  • Clément Lavoillotte @clavoillotte (CVE-2017-13680)
  • John Page AKA hyp3rlinx Apparitionsec (CVE-2017-6331)

REVISION


- Minor edit on Nov 6th, 2017
- Added details on specific SEP endpoints
- Minor edit to adjust finder contact details