Multiple vulnerabilities in several Symantec Endpoint Protection products

Published: 2019-11-18 | Updated: 2019-11-18
Severity Low
Patch available YES
Number of vulnerabilities 5
CVE ID CVE-2019-12758
CVE-2019-12756
CVE-2019-18372
CVE-2019-12759
CVE-2019-12757
CWE ID CWE-693
CWE-287
CWE-264
Exploitation vector Local
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software Symantec Endpoint Protection Subscribe
Symantec Mail Security for Microsoft Exchange (SMSMSE)
Symantec Endpoint Protection Manager
Symantec Endpoint Protection Small Business Edition
Vendor Symantec Corporation

Security Advisory

1) Protection Mechanism Failure

Severity: Low

CVSSv3: 3.1 [CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-12758

CWE-ID: CWE-693 - Protection Mechanism Failure

Description

The vulnerability allows a local user to bypass certain security restrictions.

The vulnerability exists because the application loads the library "c:\Windows\SysWOW64\wbem\DSPARSE.dll" without verifying its digital signature. This file is not present on the system by default, so a local administrator can place a malicious "DSPARSE.dll" at that path and have it loaded by the product, gaining code execution inside the product's own processes (a self-defense bypass) and elevated privileges on the system.
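As an added check, the following PowerShell is example code written for this page; it is not from the advisory, from SafeBreach or from Symantec. Run in an elevated shell on an endpoint, it reports whether a DSPARSE.dll has been planted at the path named above, its signature status and SHA-256, which running processes currently have it mapped, and which principals are allowed to write into that directory (which is why the vector carries PR:H). Only the DLL path comes from the advisory; the function names, verdict strings and the assumption of a default Windows layout are this example's own.

```powershell
# Added example: not from the advisory, SafeBreach or Symantec. Assumes the path
# named in CVE-2019-12758 and a default Windows layout; run in an elevated shell.
$dllPath = Join-Path $env:SystemRoot 'SysWOW64\wbem\DSPARSE.dll'
$dirPath = Split-Path -Parent $dllPath

function Test-PlantedDll {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # The advisory states the file is absent on a default system, so absence is the clean result.
        return [pscustomobject]@{ Path = $Path; Present = $false; Verdict = 'OK: absent (expected)' }
    }

    $item   = Get-Item -LiteralPath $Path
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Any file at this path deserves a look; an unsigned or invalidly signed one is the
    # classic planted-DLL artefact. Signature status must be 'Valid', not merely present.
    $verdict = if ($sig.Status -eq 'Valid') {
        "REVIEW: present and validly signed by $signer; confirm it is expected"
    } else {
        "ALERT: present with signature status '$($sig.Status)'; treat as a planted DLL"
    }

    [pscustomobject]@{
        Path       = $Path
        Present    = $true
        CreatedUtc = $item.CreationTimeUtc
        SHA256     = $hash
        SigStatus  = $sig.Status
        Signer     = $signer
        Verdict    = $verdict
    }
}

function Get-ProcessesWithModule {
    param([Parameter(Mandatory)][string]$ModuleName)
    # Processes that currently have the DLL mapped. Protected processes (many AV
    # services) refuse module enumeration and are skipped, so an empty result is not
    # proof that nothing has loaded the file.
    foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }) {
                [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $p.Path }
            }
        } catch { }
    }
}

function Get-WritePrincipals {
    param([Parameter(Mandatory)][string]$Directory)
    # Who may create files here. On a default system only SYSTEM, Administrators and
    # TrustedInstaller can, which matches the advisory's PR:H requirement: without
    # admin rights the attacker cannot drop the DLL in the first place. A non-admin
    # principal in this list would turn the bug into a real local privilege escalation.
    # Generic rights (shown as raw numbers) are not matched by the pattern below.
    (Get-Acl -LiteralPath $Directory).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       "$($_.FileSystemRights)" -match 'Write|CreateFiles|Modify|FullControl' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

$result = Test-PlantedDll -Path $dllPath
$result | Format-List

if ($result.Present) {
    "Processes with DSPARSE.dll loaded:"
    Get-ProcessesWithModule -ModuleName 'DSPARSE.dll' | Format-Table -AutoSize
}

"Principals allowed to write into ${dirPath}:"
Get-WritePrincipals -Directory $dirPath | Format-Table -AutoSize
```

On an unpatched host the absence of the file is the expected state; a present file, whatever its signer, means someone placed it there deliberately and should be treated as an incident indicator until explained. The ACL listing is included because the page's own severity rating rests on the admin-only writability of that directory.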

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Symantec Endpoint Protection: 11 MR1, 11 MR2, 11 MR2 MP1, 11 MR2 MP2, 11 MR3, 11 MR4, 11 MR4 MP1, 11 MR4 MP1a, 11 MR4 MP2, 11 RU5, 11 RU6, 11 RU6 MP1, 11 RU6 MP2, 11 RU6 MP3, 11 RU6a, 11 RU7, 11 RU7 MP1, 11 RU7 MP2, 11 RU7 MP3, 11 RU7 MP4, 11 RU7 MP4a, 11.0, 11.0.1, 11.0.2, 11.0.4, 12.0, 12.0 RTM, 12.0 RU1, 12.1, 12.1 RTM, 12.1 RU1, 12.1 RU1 MP1, 12.1 RU2, 12.1 RU2 MP1, 12.1 RU3, 12.1 RU4, 12.1 RU4 MP1, 12.1 RU5, 12.1 RU6, 12.1 RU6 MP4, 12.1 RU6 MP6, 12.1 RU6 MP7, 12.1 RU6 MP8, 12.1 RU6 MP9, 12.1 RU6 MP10, 12.1.6 MP9b, 12.1.6MP4, 14 MP1, 14 MP2, 14 RTM, 14 RU1, 14 RU1 MP1, 14 RU1 MP1a, 14 RU1 MP1b, 14 RU1 MP2, 14.0 MP2a, 14.2, 14.2 MP1, 14.2 RU1, 14.2 RU1 MP1

External links

https://support.symantec.com/us/en/article.SYMSA1488.html

https://safebreach.com/Post/Symantec-Endpoint-Protection-Self-Defense-Bypass-and-Potential-Usages-CVE-2019-12758


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker needs valid credentials for the system and, as the description and the CVSS vector (PR:H) indicate, administrative privileges.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof-of-concept exploit code for this vulnerability is publicly available.

2) Improper Authentication

Severity: Low

CVSSv3: 2 [CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12756

CWE-ID: CWE-287 - Improper Authentication

Description

The vulnerability allows a local user to bypass authentication process.

The vulnerability exists because the product's secondary layer of password protection can be bypassed. A local administrator can circumvent this additional password check and gain unauthorized access to the application.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Symantec Endpoint Protection: 11 MR1, 11 MR2, 11 MR2 MP1, 11 MR2 MP2, 11 MR3, 11 MR4, 11 MR4 MP1, 11 MR4 MP1a, 11 MR4 MP2, 11 RU5, 11 RU6, 11 RU6 MP1, 11 RU6 MP2, 11 RU6 MP3, 11 RU6a, 11 RU7, 11 RU7 MP1, 11 RU7 MP2, 11 RU7 MP3, 11 RU7 MP4, 11 RU7 MP4a, 12.0 RTM, 12.0 RU1, 12.1 RTM, 12.1 RU1, 12.1 RU1 MP1, 12.1 RU2, 12.1 RU2 MP1, 12.1 RU3, 12.1 RU4, 12.1 RU4 MP1, 12.1 RU5, 12.1 RU6, 12.1 RU6 MP4, 12.1 RU6 MP6, 12.1 RU6 MP7, 12.1 RU6 MP8, 12.1 RU6 MP9, 12.1 RU6 MP10, 12.1.6MP4, 12.1.7454.7000, 14 MP1, 14 MP2, 14 RTM, 14 RU1, 14 RU1 MP1, 14 RU1 MP1a, 14 RU1 MP1b, 14 RU1 MP2, 14.0 MP2a, 14.2 MP1, 14.2 RU1, 14.2 RU1 MP1

External links

https://support.symantec.com/us/en/article.SYMSA1488.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker needs valid credentials for the system and, as the description and the CVSS vector (PR:H) indicate, administrative privileges.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Permissions, Privileges, and Access Controls

Severity: Low

CVSSv3: 4.6 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-18372

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper permission checks. A local user can compromise the software application and gain elevated privileges on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Symantec Endpoint Protection: 11 MR1, 11 MR2, 11 MR2 MP1, 11 MR2 MP2, 11 MR3, 11 MR4, 11 MR4 MP1, 11 MR4 MP1a, 11 MR4 MP2, 11 RU5, 11 RU6, 11 RU6 MP1, 11 RU6 MP2, 11 RU6 MP3, 11 RU6a, 11 RU7, 11 RU7 MP1, 11 RU7 MP2, 11 RU7 MP3, 11 RU7 MP4, 11 RU7 MP4a, 12.0 RTM, 12.1, 12.1 RTM, 12.1 RU1, 12.1 RU1 MP1, 12.1 RU2, 12.1 RU2 MP1, 12.1 RU3, 12.1 RU4, 12.1 RU4 MP1, 12.1 RU5, 12.1 RU6, 12.1 RU6 MP4, 12.1 RU6 MP6, 12.1 RU6 MP7, 12.1 RU6 MP8, 12.1 RU6 MP9, 12.1 RU6 MP10, 12.1.6 MP9b, 12.1.6MP4, 12.1.7454.7000, 14 MP1, 14 MP2, 14 RTM, 14 RU1, 14 RU1 MP1, 14 RU1 MP1a, 14 RU1 MP1b, 14 RU1 MP2, 14.0 MP2a, 14.2, 14.2 MP1, 14.2 RU1, 14.2 RU1 MP1

External links

https://support.symantec.com/us/en/article.SYMSA1488.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must already hold credentials for the affected system and be authenticated on it.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Permissions, Privileges, and Access Controls

Severity: Low

CVSSv3: 6.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-12759

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper permission checks. A local user can compromise the software application and gain elevated privileges on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Symantec Mail Security for Microsoft Exchange (SMSMSE): 7.5, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6

Symantec Endpoint Protection Manager: 12.1 RU2, 12.1 RU3, 12.1 RU4, 12.1 RU5, 12.1 RU6, 12.1 RU6 MP1, 12.1 RU6 MP2, 12.1 RU6 MP3, 12.1 RU6 MP4, 12.1 RU6 MP5, 12.1 RU6 MP6, 12.1 RU6 MP7, 12.1 RU6 MP8, 14 MP1, 14.0.0 MP2, 14.0.1, 14.0.1 MP1, 14.0.1 MP2, 14.2 MP1, 14.2 RU1

External links

https://support.symantec.com/us/en/article.SYMSA1488.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must already hold credentials for the affected system and be authenticated on it.

How can an attacker exploit this vulnerability?

The attacker would have to log in to the system and then perform certain actions, such as sending a specially crafted request to the affected application.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Permissions, Privileges, and Access Controls

Severity: Low

CVSSv3: 6.4 [CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-12757

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper permission checks. A local user can compromise the software application and gain elevated privileges on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Symantec Endpoint Protection: 12.0, 12.0 RTM, 12.0 RU1, 12.1, 12.1 RTM, 12.1 RU1, 12.1 RU1 MP1, 12.1 RU2, 12.1 RU2 MP1, 12.1 RU3, 12.1 RU4, 12.1 RU4 MP1, 12.1 RU5, 12.1 RU6, 12.1 RU6 MP4, 12.1 RU6 MP6, 12.1 RU6 MP7, 12.1 RU6 MP8, 12.1 RU6 MP9, 12.1 RU6 MP10, 14.0 MP2a, 14.2, 14.2 MP1, 14.2 RU1, 14.2 RU1 MP1

Symantec Endpoint Protection Small Business Edition: 12.1.7266.6800, 12.1.7445.7000, 12.1.7454.7000, 12.1.7484.7002

External links

https://support.symantec.com/us/en/article.SYMSA1488.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must already hold credentials for the affected system and be authenticated on it.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.