Flaws in Symantec Endpoint Protection Could Allow Hackers to Compromise Corporate Networks
Researchers at penetration testing company Code White have identified several critical vulnerabilities in Symantec Endpoint Protection (SEP) 12.1. Experts say an attacker could exploit the security holes to gain access to an organization’s entire corporate network.
Code White discovered that the Symantec Endpoint Protection Manager (SEPM) is plagued by a total of six vulnerabilities. The list includes an authentication bypass (CVE-2015-1486), three path traversals (CVE-2015-1487, CVE-2015-1488, CVE-2015-1490), a privilege escalation (CVE-2015-1489), and multiple SQL injections (CVE-2015-1491). Researchers also found that SEP clients are plagued by a high severity binary planting flaw (CVE-2015-1492).
“In combination, [the vulnerabilities] effectively allow an unauthenticated attacker the execution of arbitrary commands with ‘NT AuthoritySYSTEM’ privileges on both the SEP Manager (SEPM) server, as well as on SEP clients running Windows. That can result in the full compromise of a whole corporate network,” Code White researchers said in a blog post.
According to experts, an attacker can compromise the SEPM server by first exploiting CVE-2015-1486 to access SEPM without authentication. Then, attackers could gain full access to the SEPM server by leveraging one of the path traversal bugs (CVE-2015-1487) and a privilege escalation weakness (CVE-2015-1489).
Full compromise of SEP clients can be achieved by exploiting the binary planting vulnerability, which allows the execution of arbitrary code with “NT AuthoritySYSTEM” privileges on Windows clients.
“We have successfully demonstrated that a centralized enterprise management solution like the Symantec Endpoint Protection suite is a critical asset in a corporate network as unauthorized access to the manager can have unforeseen influence on the managed clients,” Code White said.
Symantec has patched these vulnerabilities with the release of SEP 12.1 RU6 MP1. All prior versions of SEP 12.1 are affected.
Since proof-of-concept (PoC) code has been publicly released, users are advised to update their SEP installations as soon as possible. Those who are unable to update right away can apply mitigations recommended by Symantec. The security firm will also push out IPS signatures to detect and prevent attack attempts leveraging some of the vulnerabilities.
“In a recommended installation, the Symantec Endpoint Protection Manager server should never be accessible external to the network which still allows internal attack attempts from malicious less-privileged users but should restrict external attack attempts,” Symantec said in an advisory. “However, a malicious, non-authorized individual could leverage known methods of trust exploitations to compromise a client user in an attempt to gain network/system access. These exploitation attempts generally require enticing a previously authenticated user to access a malicious link in a context such as a web link or in an HTTP email.”
The company has pointed out that it hasn’t seen any exploitation attempts or adverse customer impact from these flaws.