SEC Consult Vulnerability Lab Security Advisory < 20140218-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: Symantec Endpoint Protection
vulnerable version: 11.0, 12.0, 12.1
fixed version: >=11.0.7405.1424
>=12.1.4023.4080
impact: Critical
CVE number: CVE-2013-5014, CVE-2013-5015
homepage: www.symantec.com
found: 2013-12-03
by: Stefan Viehböck
SEC Consult Vulnerability Lab
=======================================================================
Vendor description:
-------------------
"Symantec Endpoint Protection is a client-server solution that protects
laptops, desktops, Windows and Mac computers, and servers in your network
against malware. Symantec Endpoint Protection combines virus protection with
advanced threat protection to proactively secure your computers against known
and unknown threats.
Symantec Endpoint Protection protects against malware such as viruses, worms,
Trojan horses, spyware, and adware. It provides protection against even the
most sophisticated attacks that evade traditional security measures, such as
rootkits, zero-day attacks, and spyware that mutates. Providing low maintenance
and high power, Symantec Endpoint Protection communicates over your network to
automatically safeguard for both physical systems and virtual systems against
attacks."
Source:
www.symantec.com/endpoint-protection
www.symantec.com/business/support/index
Business recommendation:
------------------------
Attackers are able to completely compromise the Endpoint Protection Manager
server as they can gain access at the system and database level.
Furthermore attackers can manage all endpoints and possibly deploy
attacker-controlled code on endpoints.
The Endpoint Protection Manager server can be used as an entry point into
the target infrastructure (lateral movement, privilege escalation).
It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.
It is assumed that further critical vulnerabilities exist.
Vulnerability overview/description:
-----------------------------------
1) Unauthenticated XML External Entity Injection (XXE) (CVE-2013-5014)
Multiple XXE vulnerabilities were found in the Endpoint Protection Manager
application. These vulnerabilities can be used to execute server side request
forgery (SSRF) attacks used for portscanning/fingerprinting, denial of service,
possibly file disclosure as well as attacks against functionality that is only
exposed internally (see 2).
2) Unauthenticated local SQL injection (CVE-2013-5015)
The identified SQL injection vulnerability enables an unauthenticated attacker
to execute arbitrary commands on the underlying operating system with the
privileges of the SQL server service (SYSTEM). This was confirmed in the
default setup using the internal SQL server (SQL Anywhere). This vulnerability
can be used to exfiltrate database content (eg. usernames and password hashes)
as well (eg. on other DMBS).
As the vulnerable functionality is only available for requests coming from
localhost, the XXE vulnerability (see 1) can be used to exploit it remotely.
Note:
These vulnerabilities can be exploited via Cross-Site Request Forgery (CSRF)
as well. An attacker does not need direct network access to the vulnerable
application!
Proof of concept:
-----------------
1) Unauthenticated XML External Entity Injection (XXE) (CVE-2013-5014)
The following request shows how XXE injection can be used to request arbitrary
resources. The affected functionality is available via TCP port 9090 (HTTP)
and 8443 (HTTPS).
Affected script: /servlet/ConsoleServlet
Detailed proof of concept exploits have been removed for this vulnerability.
2) Unauthenticated local SQL injection (CVE-2013-5015)
The following request exploits the SQL injection vulnerability to execute
arbitrary commands using the xp_cmdshell() system procedure (available in SQL
Anywhere), no authentication is needed but it only works when executed from
localhost.
Using the XXE vulnerability, SQL injection can be exploited via the local
network/Internet. The affected functionality is available via TCP port 9090
(HTTP) and 8443 (HTTPS).
Affected script: /servlet/ConsoleServlet
This vulnerability can be used to exfiltrate database content (eg. usernames
and password hashes) as well. All usernames and password hashes are stored
within the database as MD5 hash without salt.
Detailed proof of concept exploits have been removed for this vulnerability.
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Symantec Endpoint Protection
version 12.1.4013, which was the most recent version at the time of discovery.
According to Symantec versions 11.0, 12.0 and 12.1 are affected.
Vendor contact timeline:
------------------------
2013-12-16: Sending advisory and proof of concept exploit via encrypted
channel.
2013-12-16: Vendor acknowledges receipt of advisory.
2014-01-09: Requesting status update and setting release date (2014-01-31).
2014-01-09: Vendor responds and wants to release update in "March timeframe"
2014-01-14: Clarifying reasons for accelerated disclosure (criticality,
increased expectations from European customers, ...) in compliance
with the SEC Consult Responsible Disclosure Policy.
2014-01-23: Contacting CERT teams (CERT-Bund Germany, CERT-CC and CERT.at).
2014-01-27: Conference call: extending advisory release date (2014-02-18).
2014-02-13: Symantec releases fixed versions.
2014-02-18: SEC Consult releases coordinated security advisory.
Solution:
---------
Update to the most recent version (11.0.7405.1424 and 12.1.4023.4080) of
Symantec Endpoint Protection.
More information can be found at:
www.symantec.com/security_response/securityupdates/detail.jsp
www.symantec.com/business/support/index
Workaround:
-----------
No workaround available.
Advisory URL:
--------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com
EOF Stefan Viehböck / @2014