Symantec has released an update for its Symantec Endpoint Protection (SEP) product to resolve three High-risk security vulnerabilities.
According to an advisory, the security flaws in Symantec Endpoint Protection could potentially result in authorized users with low privileges gaining elevated access to the Management Console. Moreover, the security firm warns that SEP Client security mitigations could be bypassed to achieve arbitrary code execution on a targeted client.
The first of the three security issues is a cross-site request forgery (CSRF) vulnerability in the management console for Symantec Endpoint Protection Manager (SEPM), tracked as CVE-2015-8152 and caused by an insufficient security check in SEPM. An authorized but less-privileged user could gain unauthorized elevated access to the SEPM management console by including arbitrary code in authorized logging scripts.
In addition to the CSRF issue, Symantec resolved an SQL injection vulnerability in SEPM (CVE-2015-8153). This security flaw can also be exploited by an authorized, logged-in user to potentially elevate access to administrative level on the application.
The third security flaw (CVE-2015-8154) affects the SysPlant.sys driver in Windows, which is loaded as part of the Application and Device Control (ADC) component on a SEP client, provided that ADC is installed and enabled on the client. A successful bypass of security controls could result in arbitrary code execution on a client system with logged-on user privileges, Symantec noted.
To exploit this vulnerability, an attacker could use known methods of trust exploitation that require interaction from an authenticated user, such as clicking on a malicious link or opening a malicious document, either on a website or in an email. The issue affects only customers using ADC and can be mitigated by disabling the ADC driver or by uninstalling ADC in SEP.
CVE-2015-8152 and CVE-2015-8153, with CVSS2 Base Scores of 8.5 and 7.9, respectively, were discovered by Kaspersky Lab’s Anatoly Katyushin. CVE-2015-8154, with a CVSS2 Base Score of 8.5, was discovered by the enSilo Research Team.
All three security flaws were found in Symantec Endpoint Protection version 12.1 and have been resolved in SEP 12.1-RU6-MP4. SEP customers are advised to update to the new product release as soon as possible to remain protected.
Last August, Symantec resolved several Critical vulnerabilities in SEP 12.1 that could have allowed an attacker to gain access to an organization’s entire corporate network. The list of flaws included an authentication bypass, three path traversals, a privilege escalation, and multiple SQL injections.