Tag Archives: Symantec

Symantec Releases Security Updates for Messaging Gateway (SMG)

Early last week Symantec issued a security update for their Symantec Messaging Gateway (SMG) appliance versions 10.6 and 10.7. This update addresses two elevation of privilege vulnerabilities (defined) that were responsibly disclosed (defined) to Symantec. The first issue discussed below was disclosed to Symantec by Karim Reda Fakhir. The second issue was disclosed by Martin Carpenter with Citco.

Why Should These Issues Be Considered Important?
The first issue, if exploited by an attacker, could result in them obtaining the encrypted Active Directory (defined) password stored on the SMG appliance. Once they have obtained possession of the password they would need to reverse engineer (defined) it to reveal the actual password. As Symantec notes, the password would not provide the attacker with any further access to the SMG appliance than they already have, but it can potentially provide an attacker with elevated privileges on other devices on the same internal network as the SMG.

The second issue involves tampering with the code that is input/sent to the terminal window with the goal of escaping the current permissions of the logged-in user and elevating those permissions to those of the root (defined) user. With these permissions an attacker can carry out any instructions/actions of their choice. As Symantec notes, this includes code execution (carrying out actions of an attacker's choice) or access to the management console of the SMG.

One mitigating factor for the second issue is that the management interface of the SMG is not usually accessible outside of the local network (namely, it is not accessible from the wider/outside internet). This means that an attacker would first need to have already gained access to your corporate network by other means. Moreover, at this time Symantec is not aware of these issues being exploited.

How Can I Protect Myself From These Issues?
To address both of the above issues Symantec has issued a security advisory. This advisory details that the appropriate security update for SMG version 10.6 is available using the software update facility of the SMG.

This advisory also provides best practice advice to minimize the impact of these issues before you apply the necessary updates, as well as for hardening your SMG against other potential security issues.

If you make use of the affected Symantec corporate messaging gateways within your organization, please install the relevant updates as soon as possible.

Thank you.

Symantec Releases Security Updates for Endpoint Protection

On the 17th of March Symantec issued security updates to address 3 critical CVEs (defined) within their Endpoint Protection Manager and Endpoint Protection Client products. All versions prior to 12.1-RU6-MP4 are affected.

Why Should These Issues Be Considered Important?
Symantec Endpoint Protection Manager (SEPM) was found to be vulnerable to three security issues (discussed below):

The first issue was a cross-site request forgery vulnerability (defined here, here and here) caused by insufficient security checks. If exploited, this issue could allow an attacker to execute arbitrary code (run or carry out any steps/instructions of their choice) with the permissions/access of the logged-in user. This could result in the attacker obtaining unauthorized and/or elevated access to the Symantec Endpoint Protection Manager (SEPM) management console.

An SQL injection issue (defined) was found in SEPM which, if exploited, would again possibly allow an attacker to obtain unauthorized and/or elevated access (up to the administrative level (defined) of access) to the Symantec Endpoint Protection Manager (SEPM) management console.

The final issue involves the Application and Device Control (ADC) driver installed on a Symantec Endpoint Protection client. Despite a previous security update, this driver (defined) does not sufficiently validate external input. If an attacker were to exploit this, they could execute arbitrary code with the permissions/access of the logged-on user. However, to exploit this, the attacker would first require the user to click on a malicious link or open a specifically crafted document. This link and/or document could be present on a website or received via email.

How Can I Protect Myself From These Issues?
Symantec issued a security advisory which contains details of the necessary updates to address these 3 critical issues which were responsibly disclosed (defined) to Symantec. Please note the download link for these updates requires the serial number of your Symantec product in order to proceed.

Moreover, Symantec provides further best practice advice within their advisory to minimize the impact of these issues and to mitigate the third issue discussed above in the time before you apply the necessary updates.

If you make use of the affected Symantec corporate anti-malware products within your organization, please install the relevant updates as soon as possible.

Thank you.

Symantec Addresses Information Disclosure Issue within Endpoint Encryption Products

Earlier this month Symantec made available a security update to address a medium severity information disclosure issue (which was assigned one CVE (defined) number) within their Endpoint Encryption product (version 11.0 and earlier).

Why Should This Issue Be Considered Important?
The Symantec Endpoint Encryption (SEE) client (which would be installed on servers, workstations and laptops) was found to be vulnerable to a forced memory dump issue within the SEE Framework Service (EACommunicatorSrv.exe). If an authorized but unprivileged user has access to a system with the vulnerable version of Endpoint Encryption installed, they could potentially obtain from the forced memory dump the Domain user credentials of the SEE Management Server (SEEMS). Using these credentials, they could obtain unauthorized access to further systems via the management server.

How Can I Protect Myself From This Issue?
Symantec issued a security advisory which contains details of the necessary update to address this issue which was responsibly disclosed (defined) to Symantec. Please note the download link for this update requires the serial number of your Symantec product in order to proceed.

Moreover, Symantec provides further best practice advice to minimize the impact of this issue within their advisory.

If you are using the affected Symantec corporate encryption product within your organization, please install the relevant update as soon as possible.

Thank you.

Symantec Issues Security Updates for Endpoint Protection Products

Early last week Symantec issued security updates to address 3 critical CVEs (defined) within their Endpoint Protection Manager and Endpoint Protection Client products.

Why Should These Issues Be Considered Important?
Symantec Endpoint Protection Manager (SEPM) was found to be vulnerable to arbitrary Java command execution if an unauthenticated user (i.e. a person with no previous access to your Symantec EPM) could access the Java port of the EPM console. In addition, this server was found not to properly handle external data, which could lead to code execution with elevated privileges.

The third and final vulnerability was located in the Symantec Endpoint Protection (SEP) clients, which were susceptible to a DLL preloading attack (defined). If an attacker had access to a client and placed a DLL of their choice into an install package for the client, this could have resulted in the attacker being able to run/execute code of their choice with System (defined) level privileges, meaning that the code could cause a lot more damage than if it had only obtained administrative privileges.

How Can I Protect Myself From These Issues?
Symantec issued a security advisory which contains details of the necessary updates to address these 3 critical issues which were responsibly disclosed (defined) to Symantec. Please note the download link for these updates requires the serial number of your Symantec product in order to proceed.

Moreover, Symantec provides further best practice advice to minimize the impact of these issues within their advisory. They have also released updated IPS (Intrusion Prevention System) (defined) signatures to detect and block attempts to exploit the Java Code Execution Elevation of Privilege issue.

If you make use of the affected Symantec corporate anti-malware products within your organization, please install the relevant updates as soon as possible.

Thank you.