Multiple critical vulnerabilities in Symantec Endpoint Protection

SEC Consult Vulnerability Lab Security Advisory < 20140218-0 >

title: Multiple critical vulnerabilities
product: Symantec Endpoint Protection
vulnerable version: 11.0, 12.0, 12.1
fixed version: >=11.0.7405.1424
impact: Critical
CVE number: CVE-2013-5014, CVE-2013-5015
found: 2013-12-03
by: Stefan Viehböck
SEC Consult Vulnerability Lab



Vendor description:

"Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Windows and Mac computers, and servers in your network against malware. Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your computers against known and unknown threats.

Symantec Endpoint Protection protects against malware such as viruses, worms, Trojan horses, spyware, and adware. It provides protection against even the most sophisticated attacks that evade traditional security measures, such as rootkits, zero-day attacks, and spyware that mutates. Providing low maintenance and high power, Symantec Endpoint Protection communicates over your network to automatically safeguard for both physical systems and virtual systems against




Business recommendation:

Attackers are able to completely compromise the Endpoint Protection Manager server, as they can gain access at the system and database level. Furthermore, attackers can manage all endpoints and possibly deploy attacker-controlled code on endpoints. The Endpoint Protection Manager server can be used as an entry point into the target infrastructure (lateral movement, privilege escalation).

It is highly recommended by SEC Consult not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved. It is assumed that further critical vulnerabilities exist.


Vulnerability overview/description:

1) Unauthenticated XML External Entity Injection (XXE) (CVE-2013-5014)

Multiple XXE vulnerabilities were found in the Endpoint Protection Manager application. These vulnerabilities can be used to execute server side request forgery (SSRF) attacks for portscanning/fingerprinting, denial of service, possibly file disclosure, as well as attacks against functionality that is only exposed internally (see 2).

2) Unauthenticated local SQL injection (CVE-2013-5015)

The identified SQL injection vulnerability enables an unauthenticated attacker to execute arbitrary commands on the underlying operating system with the privileges of the SQL server service (SYSTEM). This was confirmed in the default setup using the internal SQL server (SQL Anywhere). This vulnerability can be used to exfiltrate database content (e.g. usernames and password hashes) as well (e.g. on other DBMS).

As the vulnerable functionality is only available for requests coming from localhost, the XXE vulnerability (see 1) can be used to exploit it remotely.
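The chain above turns "reachable only from localhost" into an empty protection once the server itself can be made to issue the request. The following added example (not part of the advisory or of the product) shows an inbound check a management endpoint could apply: XML from clients has no reason to carry a DTD, so any DOCTYPE is rejected, and each declared external entity is labelled by where it points so the log entry distinguishes loopback-targeted SSRF from file access or remote fetches. The endpoint path and the sample bodies are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Hypothetical inbound check for XML posted to a management endpoint such as
# /servlet/ConsoleServlet (assumed integration point, not Symantec's code).
# Any DOCTYPE is rejected; entity targets are classified for the log entry.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s+)?(\w+)\s+(SYSTEM|PUBLIC)\s+"([^"]*)"(?:\s+"([^"]*)")?',
    re.IGNORECASE,
)
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}


def classify_entity_target(uri):
    """Label an external entity URI: file, loopback (SSRF into local-only
    functionality, as in the XXE -> SQL injection chain), or remote."""
    parsed = urlparse(uri)
    if parsed.scheme.lower() == "file":
        return "file-disclosure"
    if (parsed.hostname or "").lower() in LOOPBACK_HOSTS:
        return "ssrf-loopback"
    return "ssrf-remote"


def inspect_xml_request(body):
    """Return (accept, findings); accept is False whenever a DOCTYPE appears."""
    if not DOCTYPE_RE.search(body):
        return True, []
    findings = []
    for name, kind, first, second in ENTITY_RE.findall(body):
        # PUBLIC entities carry a public id first and the system URI second
        uri = second if kind.upper() == "PUBLIC" else first
        findings.append((name, classify_entity_target(uri)))
    return False, findings or [("<no entity>", "dtd-present")]


# Constructed sample bodies; element names and requests are not the product's.
SAMPLES = {
    "clean": '<?xml version="1.0"?><Request><Action>Status</Action></Request>',
    "loopback": ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM '
                 '"http://127.0.0.1:9090/servlet/ConsoleServlet">]><r>&x;</r>'),
    "file": '<!DOCTYPE r [<!ENTITY x SYSTEM "file:///example.txt">]><r>&x;</r>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, inspect_xml_request(body))
```

Rejecting the DTD outright is the mitigation; the classification only exists so that a detection pipeline can tell a loopback-targeted request apart from a generic malformed one.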


These vulnerabilities can be exploited via Cross-Site Request Forgery (CSRF) as well. An attacker does not need direct network access to the vulnerable



Proof of concept:

1) Unauthenticated XML External Entity Injection (XXE) (CVE-2013-5014)

The following request shows how XXE injection can be used to request arbitrary resources. The affected functionality is available via TCP port 9090 (HTTP) and 8443 (HTTPS).

Affected script: /servlet/ConsoleServlet

Detailed proof of concept exploits have been removed for this vulnerability.


2) Unauthenticated local SQL injection (CVE-2013-5015)

The following request exploits the SQL injection vulnerability to execute arbitrary commands using the xp_cmdshell() system procedure (available in SQL Anywhere); no authentication is needed, but it only works when executed from

Using the XXE vulnerability, SQL injection can be exploited via the local network/Internet. The affected functionality is available via TCP port 9090 (HTTP) and 8443 (HTTPS).

Affected script: /servlet/ConsoleServlet

This vulnerability can be used to exfiltrate database content (e.g. usernames and password hashes) as well. All usernames and password hashes are stored within the database as MD5 hash without salt.
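Why an unsalted MD5 table is the worst case once the database is exfiltrated, shown as an added example (not the advisory's or the product's code): the weak scheme beside a salted, iterated PBKDF2 record with constant-time verification. The record format, account names and passwords are constructed assumptions for this illustration.

```python
import hashlib
import hmac
import os

# Constructed illustration of the storage weakness named above: unsalted MD5
# beside a salted, iterated PBKDF2 hash. Record format and sample accounts
# are assumptions for this example, not the product's schema.
ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; tune to your hardware


def md5_unsalted(password):
    return hashlib.md5(password.encode()).hexdigest()


def lookup_in_wordlist(digest, wordlist):
    """With no salt, one precomputed table answers for every user at once."""
    table = {md5_unsalted(w): w for w in wordlist}
    return table.get(digest)


def store_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored, password):
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


# Constructed sample accounts; two users happen to share a password.
USERS = {"alice": "Summer2013", "bob": "Summer2013"}
WORDLIST = ["password", "Summer2013", "admin"]


def demo_unsalted():
    """Identical hashes reveal shared passwords, and one lookup recovers both."""
    hashes = {u: md5_unsalted(p) for u, p in USERS.items()}
    return hashes["alice"] == hashes["bob"], lookup_in_wordlist(hashes["alice"], WORDLIST)


def demo_salted():
    """Per-user salts give distinct records; verification still succeeds."""
    stored = {u: store_password(p) for u, p in USERS.items()}
    return stored["alice"] != stored["bob"], verify_password(stored["alice"], "Summer2013")
```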


Detailed proof of concept exploits have been removed for this vulnerability.


Vulnerable / tested versions:

The vulnerabilities have been verified to exist in Symantec Endpoint Protection version 12.1.4013, which was the most recent version at the time of discovery. According to Symantec, versions 11.0, 12.0 and 12.1 are affected.


Vendor contact timeline:

2013-12-16: Sending advisory and proof of concept exploit via encrypted
2013-12-16: Vendor acknowledges receipt of advisory.
2014-01-09: Requesting status update and setting release date (2014-01-31).
2014-01-09: Vendor responds and wants to release update in "March timeframe".
2014-01-14: Clarifying reasons for accelerated disclosure (criticality, increased expectations from European customers, ...) in compliance with the SEC Consult Responsible Disclosure Policy.
2014-01-23: Contacting CERT teams (CERT-Bund Germany, CERT-CC and
2014-01-27: Conference call: extending advisory release date (2014-02-18).
2014-02-13: Symantec releases fixed versions.
2014-02-18: SEC Consult releases coordinated security advisory.




Solution:

Update to the most recent version (11.0.7405.1424 and 12.1.4023.4080) of Symantec Endpoint Protection.

More information can be found at:

Workaround:

No workaround available.


Advisory URL:

SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com

Interested in working with the experts of SEC Consult?
Write to

EOF Stefan Viehböck / @2014