Symantec Endpoint Protection is a suite of security solutions for computers and servers, including intrusion prevention, firewall, data loss prevention and anti-malware.
Not the first LPE bug reported to a security vendor
Hadar has found similar issues since August, in Trend Micro's Password Manager, the Endpoint Security Initial Server, the free edition of Bitdefender Antivirus, the 2019 Avira Antivirus software and several McAfee Antivirus solutions. This is not the first local privilege escalation vulnerability that SafeBreach Labs security researcher Peleg Hadar, who also discovered the Symantec Endpoint Protection LPE, has reported to a security vendor this year. Upon receiving the researcher's reports, Trend Micro, Check Point Security, Bitdefender, Avast, and McAfee patched security flaws in functionality built into their security apps, including CVE-2019-14684, CVE-2019-14684, CVE-2019-8461, CVE-2019-15295, CVE-2019-17449, and CVE-2019-3648. All of them may allow attackers to exploit systems running unpatched versions to drop malicious payloads and to evade detection in the later stages of an attack.
Privilege escalation flaw fixed by Symantec
After successful exploitation, an attacker can "bypass the self-defense mechanism of Symantec and achieve Defense Evasion, Persistence and Privilege Escalation, by loading an arbitrary unsigned DLL into a process signed by Symantec, which runs as NT AUTHORITY\SYSTEM," said Hadar. While the risk level for this vulnerability has not yet been published, such bugs are usually rated with CVSS 3.x base scores of medium to high severity [1, 2]. Now tracked as CVE-2019-12758, the Symantec Endpoint Protection LPE requires a potential attacker to already have Admin privileges to effectively exploit the issue, according to Hadar. Attackers exploit DLL search-order hijacking issues such as this one in multi-stage attacks: after compromising a target computer they use them to escalate privileges, further compromise the system and gain persistence. Symantec fixed the vulnerability in Symantec Endpoint Protection 14.2 RU2, released on 22 October 2019.
Arbitrary unsigned DLL loading from the CWD
Hadar says CVE-2019-12758 stems from the security solution's attempt to load a DLL from its current working directory (CWD) instead of the DLL's actual location, combined with its failure to validate whether the DLL is digitally signed. The researcher found that Symantec's SepMasterService, running as a signed SYSTEM process, tries to import DSPARSE.dll from its CWD, the C:\Windows\SysWow64\Wbem directory inside the SysWow64 folder, instead of from its real location. By abusing this bug, an arbitrary unsigned DLL could be loaded into the SepMasterService process if Administrator privileges are already available, thereby bypassing the self-defense mechanism of Symantec Endpoint Protection. As a proof-of-concept (PoC) demonstration, Hadar placed an unsigned 32-bit proxy DLL in the SysWow64\Wbem folder, which was loaded and executed as NT AUTHORITY\SYSTEM inside a Symantec process, bypassing the self-defense mechanism of Symantec Endpoint Protection as expected.
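The defensive counterpart of the behaviour described above is to check what actually sits in the directory the service used as its CWD. The following audit script is an added example, not code from the article or from SafeBreach; the directory and the DSPARSE.dll name come from the article, while the audit logic and output format are assumptions.

```powershell
# Added example (not from the article or SafeBreach): list DLLs in the Wbem
# directories that are not validly Authenticode-signed, or that carry the name
# the article says SepMasterService tried to load from its CWD.
param(
    [string[]]$Directories = @("$env:SystemRoot\SysWow64\Wbem", "$env:SystemRoot\System32\Wbem"),
    [string[]]$WatchNames  = @('DSPARSE.dll')   # name taken from the article; extend as needed
)

$findings = foreach ($dir in $Directories) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Watched   = ($WatchNames -contains $_.Name)   # case-insensitive in PowerShell
                LastWrite = $_.LastWriteTimeUtc
            }
        }
}

# A DLL that is not validly signed, or a watched name sitting in the CWD, is exactly what a
# service that loads from its CWD without a signature check would pick up as SYSTEM.
$suspicious = $findings | Where-Object { $_.Signature -ne 'Valid' -or $_.Watched }
if ($suspicious) {
    $suspicious | Sort-Object Path | Format-Table -AutoSize
} else {
    Write-Output "No unsigned or watched DLLs found in: $($Directories -join ', ')"
}
```

Run it from an elevated prompt on a host with Symantec Endpoint Protection before 14.2 RU2 to see whether anything has been staged in the directory; on a patched host it still serves as a periodic integrity check of a location a SYSTEM service once loaded from.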
"Antivirus cannot detect the attacker's binary, because it is trying to load it without validation." "Attackers are able to load and execute malicious payloads in the context of the signed Symantec process because of the vulnerability," Hadar said. Further details on how the LPE vulnerability was discovered, a detailed root cause analysis and a full disclosure timeline can be found at the end of Hadar's report. The CVE-2019-12758 vulnerability on machines running vulnerable versions of Symantec Endpoint Protection may also make it possible for attackers to exploit this capability. "An attacker may abuse this capability for different purposes such as execution or evasion, such as: Application Whitelisting Bypass.