Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: Symantec Endpoint Protection Privilege Escalation Zero Day - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Symantec Endpoint Protection Privilege Escalation Zero Day

The people at Offensive Security have announced that in the course of a penetration test for one of their customers they have found several vulnerabilities in the Symantec Endpoint Protection product. While details are limited, the vulnerabilities appear to permit privilege escalation to the SYSTEM user which would give virtually unimpeded access to the system.  Offensive Security has posted a video showing the exploitation of one of the vulnerabilities.

Symantec has indicated they are aware of the vulnerabilities and are investigating.

There is some irony in the fact that there are Zero Day vulnerabilities in the software that a large portion of users count on to protect their computer from malware and software vulnerabilities. The fact is that software development is hard and even security software is not immune from exploitable vulnerabilities. If there is a bright side, it appears that there are no exploits in the wild yet and that local access to the machine is required to exploit these vulnerabilities.

-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Rick

293 Posts
ISC Handler
I just experienced an OS (win8)crash while watching the video created by the hacker. Maybe this is an isolated event. Maybe something more sinister....
GordonM

14 Posts
Symantec has a KB article published. However, this means shutting down application and device control and then pushing it out again later when a permanent fix arrives.
Not really a nice thing in a large setup.

This KB is being updated, follow it.
http://www.symantec.com/docs/TECH223338
Michael

32 Posts
Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1b (RU4 MP1b) is now available to address this vulnerability. This is a client only patch, the Endpoint Protection Server does not need to be updated.
See
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140804_00
Michael

32 Posts
Is anyone else not able to install this update on Windows Server 2003? None of my legacy servers took the update.
NickH

1 Posts
This is not an issue with the update at all. You need to check your root certificates. We have updated a couple of servers successfully.
Refer to this knowledge base article and all will be well.
http://www.symantec.com/business/support/index?page=content&id=TECH218029
Michael

32 Posts

Sign Up for Free or Log In to start participating in the conversation!