
Symantec Releases Security Updates for Endpoint Protection

On the 17th of March Symantec issued security updates to address 3 critical CVEs (defined) within their Endpoint Protection Manager and Endpoint Protection Client products. All versions prior to 12.1-RU6-MP4 are affected.

Why Should These Issues Be Considered Important?
Symantec Endpoint Protection Manager (SEPM) was found to be vulnerable to three security issues (discussed below):

The first issue was a cross-site request forgery vulnerability (defined here, here and here) caused by insufficient security checks. If exploited, this issue could allow an attacker to execute arbitrary code (run or carry out any steps/instructions of their choice) with the permissions/access of the logged-in user. This could result in the attacker obtaining unauthorized and/or elevated access to the Symantec Endpoint Protection Manager (SEPM) management console.

An SQL injection issue (defined) was found in SEPM which, if exploited, would again possibly allow an attacker to obtain unauthorized and/or elevated access (up to an administrative level of access (defined)) to the Symantec Endpoint Protection Manager (SEPM) management console.

The final issue involves the Application and Device Control (ADC) driver (defined) installed on a Symantec Endpoint Protection client. Despite a previous security update, this driver does not sufficiently validate external input. If an attacker were to exploit this, they could execute arbitrary code with the permissions/access of the logged-on user. However, to exploit this, the attacker would first require the user to click on a malicious link or open a specifically crafted document. This link and/or document could be present on a website or received via email.

How Can I Protect Myself From These Issues?
Symantec issued a security advisory which contains details of the necessary updates to address these 3 critical issues which were responsibly disclosed (defined) to Symantec. Please note the download link for these updates requires the serial number of your Symantec product in order to proceed.

Moreover, Symantec provides further best practice advice within their advisory to minimize the impact of these issues and to mitigate the third issue discussed above until you can apply the necessary updates.

If you make use of the affected Symantec corporate anti-malware products within your organization, please install the relevant updates as soon as possible.
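The advisory summary above gives a single cut-off release, 12.1-RU6-MP4, so the first defensive step is to find which managers and clients in an inventory are still older than that. The check below is an added example, not Symantec's code or tooling; it assumes the version strings in your inventory use the same release naming as the text (major.minor, then optional RU and MP numbers), and the inventory it runs over is constructed.

```python
import re
from typing import Dict, Tuple

# Fixed release named in the advisory summary above.
FIXED_VERSION = "12.1-RU6-MP4"

# Release naming as written in the advisory text: <major>.<minor>[-RU<n>][-MP<n>].
# Assumption: inventory strings follow this naming; anything else is rejected.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:-RU(?P<ru>\d+))?(?:-MP(?P<mp>\d+))?$",
    re.IGNORECASE,
)


def parse_sep_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '12.1-RU6-MP4' into (12, 1, 6, 4); a missing RU or MP counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SEP version string: {text!r}")
    major, minor, ru, mp = (int(m.group(k) or 0) for k in ("major", "minor", "ru", "mp"))
    return (major, minor, ru, mp)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed release is older than the fixed release.

    Tuple ordering gives the right answer for the awkward cases: 12.1-RU6 (no MP)
    is older than 12.1-RU6-MP4, and 12.1-RU5-MP5 is older than 12.1-RU6.
    """
    return parse_sep_version(installed) < parse_sep_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map host name -> True if that host still needs the update."""
    return {host: is_affected(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {
        "sepm-01": "12.1-RU6-MP4",
        "sepm-02": "12.1-RU6-MP3",
        "client-17": "12.1-RU5-MP5",
        "client-42": "12.1-RU6",
    }
    for host, needs_update in triage(sample).items():
        print(f"{host}: {'UPDATE REQUIRED' if needs_update else 'ok'}")
```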

Thank you.

Symantec Issues Security Updates for Endpoint Protection Products

Early last week Symantec issued security updates to address 3 critical CVEs (defined) within their Endpoint Protection Manager and Endpoint Protection Client products.

Why Should These Issues Be Considered Important?
Symantec Endpoint Protection Manager (SEPM) was found to be vulnerable to arbitrary Java command execution if an unauthenticated user (i.e. a person with no previous access to your Symantec EPM) could access the Java port of the EPM console. In addition, this server was found not to handle external data properly, which could lead to code execution with elevated privileges.

The third and final vulnerability was located in the Symantec Endpoint Protection (SEP) clients, which were susceptible to a DLL preloading attack (defined). If an attacker had access to a client and placed a DLL of their choice into an install package for the client, this could have resulted in the attacker being able to run/execute code of their choice (have code of their choosing carried out) with System (defined) level privileges, meaning that the code could cause a lot more damage than if it had only obtained administrative privileges.

How Can I Protect Myself From These Issues?
Symantec issued a security advisory which contains details of the necessary updates to address these 3 critical issues which were responsibly disclosed (defined) to Symantec. Please note the download link for these updates requires the serial number of your Symantec product in order to proceed.

Moreover, Symantec provides further best practice advice within their advisory to minimize the impact of these issues. They have also released updated IPS (Intrusion Prevention System) (defined) signatures to prevent attempts to exploit the Java Code Execution Elevation of Privilege issue.

If you make use of the affected Symantec corporate anti-malware products within your organization, please install the relevant updates as soon as possible.

Thank you.