Symantec Encryption Management Server Multiple Security Issues

Product: Encryption Management Server
Advisory ID: 1346
Updated: 05 March 2020
Published: 18 February 2016
Status: CLOSED
Severity: MEDIUM
CVSS2 Base Score (highest): 6.4

SUMMARY

 

Symantec Encryption Management Server (SEMS) is affected by four issues: OS command execution through its web management console, a local elevation of privilege that builds on that command execution, a heap-based memory corruption in its LDAP service that crashes the service, and disclosure of management console logon/account information through the same LDAP service.

AFFECTED PRODUCTS

 

Product                               | Version              | Build | Solution(s)
--------------------------------------|----------------------|-------|--------------------------
Symantec Encryption Management Server | 3.3.2 prior to MP12  | All   | Update to SEMS 3.3.2 MP12

ISSUES

 

CVE           | BID       | Description
--------------|-----------|-----------------------------------------------------
CVE-2015-8151 | BID 83268 | SEMS OS Remote Command Execution
CVE-2015-8150 | BID 83269 | SEMS Local Elevation of Privilege
CVE-2015-8149 | BID 83270 | SEMS Heap-based Memory Corruption LDAP Service Crash
CVE-2015-8148 | BID 83271 | SEMS Information Disclosure via LDAP Service

Issue                                                 | Severity | CVSS2 Base Score | Impact | Exploitability | CVSS2 Vector
------------------------------------------------------|----------|------------------|--------|----------------|---------------------------
SEMS OS Remote Command Execution                      | Medium   | 5.8              | 6.4    | 6.4            | AV:N/AC:L/Au:M/C:P/I:P/A:P
SEMS Local Elevation of Privilege                     | Medium   | 6.3              | 10     | 2.2            | AV:L/AC:M/Au:M/C:C/I:C/A:C
SEMS Heap-based Memory Corruption LDAP Service Crash  | Medium   | 5.0              | 2.9    | 10             | AV:N/AC:L/Au:N/C:N/I:N/A:P
SEMS Information Disclosure via LDAP Service          | Medium   | 6.4              | 4.9    | 10             | AV:N/AC:L/Au:N/C:P/I:P/A:N

 

CVE: These issues are candidates for inclusion in the CVE list (http://cve.mitre.org/cve), which standardizes identifiers for security problems.

BID: Symantec SecurityFocus, http://www.securityfocus.com, has assigned Bugtraq IDs (BIDs) to these issues for inclusion in the Security Focus vulnerability database.

MITIGATION

 

Symantec Encryption Management Server's web administration interface was susceptible to command execution on the underlying operating system by an authorized but less-privileged administrator with console access (CVE-2015-8151). Input fields exposed through the server console did not properly filter user input, so crafted field values could be executed as OS commands with elevated privileges.

Building on that command execution, such an attacker could have scheduled arbitrary commands to run through existing batch files on the underlying operating system that normally run with root privileges, gaining further privileged access to the server (CVE-2015-8150).

The LDAP service provided by Symantec Encryption Management Server was susceptible to heap memory corruption (CVE-2015-8149). Specially crafted request packets could corrupt memory block headers, leading to a SIGSEGV fault and a halt of the service.

By manipulating an LDAP request, a user able to reach the LDAP service could gather information on valid administrator accounts on the server (CVE-2015-8148). This information could be used in further attempts to gain unauthorized access to the server or network.
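The command execution issue is the familiar pattern of a console field value being spliced into an OS command line and handed to a shell. The following is an added illustration, not code from Symantec Encryption Management Server: the advisory names no fields or commands, so the "hostname" diagnostic field is a hypothetical stand-in and echo plays the privileged helper so the demonstration is harmless. It shows the vulnerable handler, then the two fixes a reviewer would ask for, running the helper without a shell and allow-listing the field before it reaches any command.

```python
"""OS command execution through an unfiltered console input field.

Added illustration, not SEMS code: the 'hostname' field, the diagnostic
command and the use of 'echo' as the privileged helper are hypothetical
stand-ins chosen so the example runs harmlessly offline.
"""
import re
import subprocess

# Constructed attacker input: a plausible hostname followed by a shell
# metacharacter and a second command.
INJECTED = "host.example.com; echo INJECTED"


def run_diag_vulnerable(hostname: str) -> str:
    """The bug pattern: the field value is concatenated into a command line
    and run through the shell, so ';' terminates the intended command and
    the attacker's command runs with the service's privileges."""
    cmd = "echo probing " + hostname
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_diag_no_shell(hostname: str) -> str:
    """First fix: an argv list and no shell. The value arrives as a single
    argument and is never parsed for metacharacters, so nothing extra runs."""
    return subprocess.run(["echo", "probing", hostname],
                          capture_output=True, text=True).stdout


# RFC 1123 style label: alphanumerics and hyphens, no leading/trailing hyphen.
_HOSTNAME_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_HOSTNAME_LABEL}(?:\.{_HOSTNAME_LABEL})*$")


def validate_hostname(value: str) -> str:
    """Second fix: allow-list the field before it reaches any command, so the
    helper only ever sees a syntactically valid hostname."""
    if len(value) > 253 or not _HOSTNAME_RE.match(value):
        raise ValueError(f"rejected field value: {value!r}")
    return value


def run_diag_hardened(hostname: str) -> str:
    """Both fixes together. In a real console the helper should also run as a
    dedicated unprivileged account rather than root, limiting what a bypass buys."""
    return run_diag_no_shell(validate_hostname(hostname))


if __name__ == "__main__":
    print("vulnerable:", repr(run_diag_vulnerable(INJECTED)))   # second line 'INJECTED' appears
    print("no shell:  ", repr(run_diag_no_shell(INJECTED)))     # injected text echoed as data
    try:
        run_diag_hardened(INJECTED)
    except ValueError as exc:
        print("hardened:  ", exc)                               # rejected before any command
```

The vulnerable handler produces two output lines, the second from the injected command; the no-shell variant prints the whole field value as data; the hardened variant rejects it outright. Validation alone is not enough, since a future field with a looser allow-list would reintroduce the bug, which is why the argv form is the load-bearing fix and validation the second layer.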

Symantec Response 

Symantec product engineers have addressed these issues in Symantec Encryption Management Server 3.3.2 MP12. Customers should update to SEMS 3.3.2 MP12 as soon as possible to address these issues.

Symantec is not aware of exploitation of, or adverse customer impact from, these issues.

Update Information

Symantec Encryption Management Server 3.3.2 MP12 is available from Symantec File Connect.

Best Practices

As part of normal best practices, Symantec strongly recommends the following:

  • Restrict access to administrative or management systems to authorized privileged users.

  • Restrict remote access, if required, to trusted/authorized systems only.

  • Run under the principle of least privilege where possible to limit the impact of potential exploit.

  • Keep all operating systems and applications current with vendor patches.

  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.

  • Deploy network- and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

ACKNOWLEDGEMENTS

 

Symantec would like to thank Toby Reynolds and Rory McNamara of Gotham Digital Science for reporting CVE-2015-8149, CVE-2015-8150 and CVE-2015-8151 and working very closely with Symantec as they were addressed. Symantec would also like to thank Harald Buck, Buck IT Consulting, for reporting CVE-2015-8148 and coordinating closely with Symantec as it was addressed.