Symantec Endpoint Protection is a suite of security products for desktops and servers that includes intrusion prevention, a firewall, data loss prevention and anti-malware.
Not the first LPE bug reported to security vendors
Following the researcher's reports, Trend Micro, Check Point Security, Bitdefender, Avast, and McAfee patched security flaws with similar behaviour found in their security apps, including CVE-2019-14684, CVE-2019-8461, CVE-2019-15295, CVE-2019-17449, and CVE-2019-3648. Hadar has found similar issues since August, in Trend Micro's Password Manager, the Endpoint Security Initial Server, the free version of Bitdefender Antivirus, the 2019 Avira Antivirus Software and several McAfee Antivirus products. All of them may allow attackers to exploit systems running unpatched versions to drop malicious payloads and to evade detection in the later stages of an attack. This is not the first local privilege escalation vulnerability that SafeBreach Labs security researcher Peleg Hadar has reported to a security vendor this year; he also disclosed the Symantec Endpoint Protection LPE.
Privilege escalation flaw fixed by Symantec
Now tracked as CVE-2019-12758, the Symantec Endpoint Protection LPE requires potential attackers to already hold Admin privileges to exploit the issue effectively, according to Hadar. Symantec addressed the vulnerability in Symantec Endpoint Protection 14.2 RU2, released on 22 October 2019. Attackers use DLL search-order hijacking issues in multi-stage attacks: after they compromise a target computer, they escalate privileges to further compromise the system and to persist on it. After successful exploitation, an attacker can "bypass the self-defense mechanism of Symantec and achieve defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into a process signed by Symantec, which runs as NT AUTHORITY\SYSTEM," says Hadar. While the risk level of this vulnerability is not yet apparent, such bugs are commonly rated with CVSS 3.x base scores of medium to high severity [1, 2].
Arbitrary unsigned DLL loading from the CWD
Hadar says CVE-2019-12758 stems from the security product's attempt to load a DLL from its current working directory (CWD) instead of from the DLL's real location, and from its failure to validate whether the DLL is signed with a digital certificate. The researcher found that Symantec's SepMasterService, running as a signed process, attempts to load DSPARSE.dll from its CWD, the C:\Windows\SysWow64\Wbem directory in the SysWow64 folder, instead of from its real location. Using this bug, an arbitrary unsigned DLL can be loaded into the SepMasterService process if Administrator privileges are already available, thereby bypassing Symantec Endpoint Protection's self-defense mechanism. As a proof-of-concept (PoC) demonstration, Hadar placed an unsigned 32-bit proxy DLL in the SysWow64\Wbem folder, had it loaded and executed as NT AUTHORITY\SYSTEM within a Symantec process, bypassing the self-defense mechanism of Symantec Endpoint Protection as expected.
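From the defender's side, the two properties described above, a DLL loaded from an unexpected directory and a DLL accepted without a signature check, are both visible in image-load telemetry. The following detection logic is an added example, not code from the article, from SafeBreach or from Symantec. It runs over constructed records shaped like Sysmon Event ID 7 (ImageLoad) JSON exports and flags loads into the Symantec service that are either unsigned/unverified or that pull the DLL named in the article out of the CWD named in the article. The service image name SepMasterService.exe, the sample paths and the field values are assumptions made for the example.

```python
"""Flag suspicious DLL loads into the Symantec Endpoint Protection service process.

Added detection example (not from the article, SafeBreach or Symantec). It runs over
constructed Sysmon Event ID 7 (ImageLoad) records in newline-delimited JSON, the shape a
log forwarder might emit. Assumptions: the service image is SepMasterService.exe and the
search-order hijack directory is the CWD the article names, C:\\Windows\\SysWow64\\Wbem.
"""
import json
from pathlib import PureWindowsPath

WATCHED_PROCESS = "sepmasterservice.exe"        # assumption: image name of the Symantec service
HIJACK_DIRS = {"c:\\windows\\syswow64\\wbem"}   # CWD named in the article, lower-cased for comparison
WATCHED_DLLS = {"dsparse.dll"}                  # DLL named in the article

# Constructed sample log: one hijack-style load, one benign load into the same service,
# and one load of the same DLL name by an unrelated process (out of scope for this rule).
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Program Files\\Symantec\\SepMasterService.exe", "ImageLoaded": "C:\\Windows\\SysWow64\\Wbem\\DSPARSE.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Program Files\\Symantec\\SepMasterService.exe", "ImageLoaded": "C:\\Windows\\SysWow64\\ntdll.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "ImageLoaded": "C:\\Windows\\SysWow64\\Wbem\\DSPARSE.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
"""


def parse_events(ndjson: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def is_trusted_signature(event: dict) -> bool:
    """True only when the sensor saw a signature and validated it."""
    return (str(event.get("Signed", "")).lower() == "true"
            and str(event.get("SignatureStatus", "")).lower() == "valid")


def classify_load(event: dict) -> list[str]:
    """Return the reasons an ImageLoad event is suspicious; empty list when benign or out of scope."""
    if event.get("EventID") != 7:
        return []
    process = PureWindowsPath(event.get("Image", "")).name.lower()
    if process != WATCHED_PROCESS:
        return []                                  # rule is scoped to the protected service
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    reasons = []
    if not is_trusted_signature(event):
        reasons.append("unsigned or unverified DLL loaded into protected process")
    if loaded.name.lower() in WATCHED_DLLS and str(loaded.parent).lower() in HIJACK_DIRS:
        reasons.append("watched DLL loaded from search-order hijack directory")
    return reasons


def find_suspicious_loads(ndjson: str) -> list[dict]:
    """Run classify_load over every record and collect the hits with their reasons."""
    findings = []
    for event in parse_events(ndjson):
        reasons = classify_load(event)
        if reasons:
            findings.append({"process": event["Image"],
                             "dll": event["ImageLoaded"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_loads(SAMPLE_LOG):
        print(f"{hit['dll']} -> {hit['process']}: {'; '.join(hit['reasons'])}")
```

The signature rule is the more general of the two: it catches any unverified module entering the protected process, whichever file name or directory is used, whereas the directory rule documents the specific CWD path from the article. Patched hosts (14.2 RU2 and later) should no longer produce the first event at all, so a hit on the directory rule is also a quick inventory check for unpatched agents.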
On machines running vulnerable versions of Symantec Endpoint Protection, CVE-2019-12758 may also make it possible for attackers to abuse this capability. Further details on how the LPE vulnerability was identified, a detailed root-cause analysis and a full disclosure timeline can be found at the end of Hadar's report. "Attackers are able to load and execute malicious payloads in the context of the signed Symantec process because of the vulnerability," Hadar says. "An attacker may abuse this capability for different purposes such as execution or evasion, for example: Software Whitelisting bypass. Antivirus cannot detect the attacker's binary, because it tries to load it without validation."