Recent research by Peleg Hadar, a Security Researcher at SafeBreach Labs, exposed a local code execution vulnerability in Symantec’s Endpoint Protection service. As per Hadar, this vulnerability allowed an attacker “to bypass Symantec’s self-defense mechanism and perform defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into a process that is signed by Symantec and that runs as NT AUTHORITY\SYSTEM.”
Symantec Endpoint Protection offers a range of security software solutions for various business needs. At present, it has the largest market share of any endpoint security product. Thus, to avoid exploitation of the vulnerability and subsequent monetary losses, Symantec was quick to fix this issue.
The vulnerability is now tracked as CVE-2019-12758. It requires an attacker to already hold Administrator rights to exploit the issue successfully. The overall severity of this type of issue is generally set from medium to high. Symantec has ranked it as a medium severity problem with a CVSS base score of 3.4. In its description of this vulnerability, Symantec also said that failed attempts to execute this arbitrary code may lead to denial-of-service conditions. To inform all its customers, Symantec listed the technologies affected by this vulnerability. The complete list issued follows:
- Symantec Endpoint Protection 11.0
- Symantec Endpoint Protection 12.0
- Symantec Endpoint Protection 12.1
- Symantec Endpoint Protection 12.1.1
- Symantec Endpoint Protection 12.1.2
- Symantec Endpoint Protection 12.1.3
- Symantec Endpoint Protection 12.1.4
- Symantec Endpoint Protection 12.1.5
- Symantec Endpoint Protection 12.1.6
- Symantec Endpoint Protection 14.0
- Symantec Endpoint Protection 14.2
- Symantec Endpoint Protection 14.2 RU1
To remediate this issue, Symantec has recommended that all its customers upgrade to Symantec Endpoint Protection 14.2 RU2. Symantec also issued a list of other precautionary measures to avoid attacks.
- Restrict administrative access to authorized/privileged users.
- Restrict remote access to trusted/authorized systems only.
- Run under the principle of least privilege; wherever possible, limit access privileges.
- Keep all operating systems and applications updated with the latest vendor patches.
- Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
- Deploy network and host-based intrusion detection systems (IDS) to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.
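The weakness described above is an unsigned DLL being loaded into a Symantec-signed process running as SYSTEM. As an added defender-side check (example code, not from the article, SafeBreach or Symantec), the following script audits every running process whose main executable carries a valid Authenticode signature from a given publisher and reports any loaded module that is not validly signed. The publisher match string and the use of an elevated session are assumptions.

```powershell
# Added example (not from the article or SafeBreach): list unsigned or invalidly signed
# DLLs loaded into processes whose main executable is signed by a chosen publisher.
# Run from an elevated PowerShell session; module lists of SYSTEM processes are not
# readable otherwise. Only the publisher pattern below is an assumption.
param(
    [string]$PublisherPattern = 'Symantec'   # substring matched against the signer subject
)

# Cache signature checks so each file on disk is verified only once.
$sigCache = @{}
function Get-CachedSignature([string]$Path) {
    if (-not $sigCache.ContainsKey($Path)) {
        $sigCache[$Path] = Get-AuthenticodeSignature -FilePath $Path
    }
    return $sigCache[$Path]
}

$findings = foreach ($proc in Get-Process) {
    try {
        $exe     = $proc.MainModule.FileName
        $modules = $proc.Modules
    } catch {
        continue   # access denied, 32/64-bit mismatch, or process exited; skip it
    }

    # Only consider processes whose main image is validly signed by the publisher.
    $exeSig = Get-CachedSignature $exe
    if ($exeSig.Status -ne 'Valid') { continue }
    if ($exeSig.SignerCertificate.Subject -notmatch $PublisherPattern) { continue }

    # Report every loaded module that does not pass signature validation.
    foreach ($m in $modules) {
        $msig = Get-CachedSignature $m.FileName
        if ($msig.Status -ne 'Valid') {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Module      = $m.FileName
                Status      = $msig.Status   # e.g. NotSigned, HashMismatch, UnknownError
            }
        }
    }
}

$findings | Sort-Object ProcessName, Module -Unique | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: on older Windows builds, catalog-signed system DLLs can be reported as NotSigned, so confirm each hit against the file's origin and hash before acting on it.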