Symantec Endpoint Protection is a suite of security solutions for computers and servers that includes intrusion prevention, a firewall, data loss prevention and anti-malware.
# Not the first LPE reported to a security vendor
This is not the first local privilege escalation vulnerability that SafeBreach Labs security researcher Peleg Hadar has reported to a security vendor this year; he also disclosed the Symantec Endpoint Protection LPE. Since August, Hadar has found similar issues in Trend Micro's Password Manager, the Endpoint Security Initial Server, the free version of Bitdefender Antivirus, the 2019 Avira Antivirus software and several McAfee antivirus products. All of them could allow attackers to exploit systems running unpatched versions to load malicious payloads and to evade detection in later stages of an attack. After acknowledging the researcher's findings, Trend Micro, Check Point Security, Bitdefender, Avast, and McAfee patched the security flaws in functionality built into their security apps, including CVE-2019-14684, CVE-2019-14684, CVE-2019-8461, CVE-2019-15295, CVE-2019-17449, and CVE-2019-3648.
# Privilege escalation flaw patched by Symantec
Now tracked as CVE-2019-12758, the Symantec Endpoint Protection LPE requires potential attackers to already hold Admin privileges to effectively exploit it, according to Hadar. While the risk level of this vulnerability is not immediately apparent, such bugs are commonly rated with CVSS 3.x base scores of medium to high severity [1, 2]. Attackers exploit DLL search-order hijacking issues in multi-stage attacks: after they have compromised a target machine, they use them to elevate permissions, compromise the system further and persist. After successful exploitation, attackers can "bypass the self-defense mechanism of Symantec and achieve defense evasion, persistence and privilege escalation, by loading an arbitrary unsigned DLL into a process signed by Symantec, which runs as NT AUTHORITY\SYSTEM," said Hadar. Symantec addressed the vulnerability in Symantec Endpoint Protection 14.2 RU2, released on 22 October 2019.
# Arbitrary unsigned DLL loaded from the CWD
Hadar says CVE-2019-12758 stems from the security solution's attempt to load a DLL from its current working directory (CWD) instead of from the DLL's actual path, and from its failure to validate whether the DLL is signed with a digital certificate. The researcher found that Symantec's SepMasterService, running as a signed process, tries to import DSPARSE.dll from its CWD, the C:\Windows\SysWow64\Wbem directory inside the SysWow64 folder, rather than from the DLL's real location. By exploiting this flaw, an arbitrary unsigned DLL can be loaded into the SepMasterService process when Administrator privileges are already available, thereby bypassing Symantec Endpoint Protection's self-defense mechanism. As a proof-of-concept (PoC) demonstration, Hadar placed an unsigned 32-bit proxy DLL in the SysWow64\Wbem folder, had it loaded and executed as NT AUTHORITY\SYSTEM inside a signed Symantec process, bypassing the self-defense mechanism of Symantec Endpoint Protection as expected.
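The two signals a defender can watch for in the pattern described above are a system DLL name being resolved from somewhere other than a system directory (the CWD load) and an unsigned image being loaded into a process running as SYSTEM (the missing signature check). The following is an added example, not code from the article or from SafeBreach, that applies both checks to Sysmon Event ID 7 (ImageLoad) records. The Sysmon field names (`Image`, `ImageLoaded`, `Signed`, `User`) are real; the one-line `Key: value|Key: value` record format, the host image path `C:\placeholder\SepMasterService.exe` and the sample events are constructed for the example, and the list of DLL names expected only from a system directory is an assumption a real deployment would replace with an inventory of its own golden image.

```python
"""Flag the CWD DLL-load pattern in constructed Sysmon ImageLoad records.

Constructed example (not the article's or SafeBreach's code). Two checks:
  * a DLL whose name belongs in a Windows system directory was loaded
    from another directory (search-order / CWD hijack pattern);
  * an unsigned DLL was loaded into a process running as SYSTEM.
"""
from dataclasses import dataclass
import ntpath

# Directories a system DLL is expected to load from (exact match on the
# parent directory: a subfolder such as SysWOW64\Wbem does NOT count).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Assumed list of DLL names that should only ever come from SYSTEM_DIRS.
SYSTEM_DLLS = {"dsparse.dll", "kernel32.dll", "ntdll.dll", "advapi32.dll"}

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


@dataclass(frozen=True)
class ImageLoad:
    image: str         # Sysmon "Image": the host process
    image_loaded: str  # Sysmon "ImageLoaded": the DLL that was mapped
    signed: bool       # Sysmon "Signed"
    user: str          # Sysmon "User": account the host process runs as


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'Key: value|Key: value' record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields["Signed"].lower() == "true",
        user=fields["User"],
    )


def findings(event: ImageLoad) -> list:
    """Return the list of rule names this event triggers (empty if clean)."""
    out = []
    name = ntpath.basename(event.image_loaded).lower()
    parent = ntpath.dirname(event.image_loaded).lower().rstrip("\\")
    if name in SYSTEM_DLLS and parent not in SYSTEM_DIRS:
        out.append("system-dll-from-unexpected-dir")
    if not event.signed and event.user.upper() == SYSTEM_ACCOUNT:
        out.append("unsigned-dll-in-system-process")
    return out


def scan(lines) -> dict:
    """Map each flagged DLL path to the rules it triggered."""
    result = {}
    for line in lines:
        event = parse_event(line)
        hits = findings(event)
        if hits:
            result[event.image_loaded] = hits
    return result


# Constructed sample records; the host image path is a placeholder.
SAMPLE_EVENTS = [
    # Normal load of the real DLL from the 32-bit system directory.
    r"Image: C:\placeholder\SepMasterService.exe"
    r"|ImageLoaded: C:\Windows\SysWOW64\dsparse.dll"
    r"|Signed: true|User: NT AUTHORITY\SYSTEM",
    # The CWD pattern: same DLL name, planted in SysWOW64\Wbem, unsigned.
    r"Image: C:\placeholder\SepMasterService.exe"
    r"|ImageLoaded: C:\Windows\SysWow64\Wbem\DSPARSE.dll"
    r"|Signed: false|User: NT AUTHORITY\SYSTEM",
    # Unsigned plugin in an ordinary user process: neither rule applies.
    r"Image: C:\Users\alice\tool\tool.exe"
    r"|ImageLoaded: C:\Users\alice\tool\plugin.dll"
    r"|Signed: false|User: DESKTOP\alice",
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_EVENTS).items():
        print(path, "->", ", ".join(hits))
```

The directory comparison is deliberately an exact match on the parent directory rather than a prefix test: the planted DLL in the PoC sat in a subfolder of SysWOW64, so a prefix check on `C:\Windows\SysWOW64` would have treated it as a legitimate system location.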
"Attackers are able to load and execute malicious payloads in the context of the signed Symantec process because of the vulnerability," Hadar said. "An attacker may abuse this ability for different purposes such as execution or evasion, such as: Software Whitelisting Bypass. The antivirus cannot detect the attacker's binary, because it is trying to load it without validation." On machines running vulnerable versions of Symantec Endpoint Protection, CVE-2019-12758 may also make it possible for attackers to exploit this ability. Further details on how the LPE vulnerability was identified, a detailed root cause analysis and a complete disclosure timeline can be found at the end of Hadar's report.