[German]Symantec Endpoint Protection had two Local Privilege Escalation Vulnerabilities (LPE), CVE-2019-12757 and CVE-2019-12758, which the company closed in version 14.2 RU2.
Symantec Endpoint Protection is a suite of security solutions that includes intrusion prevention, firewall, data loss prevention, and anti-malware capabilities for desktop and server computers.
Local Privilege Escalation vulnerability CVE-2019-12758
Security researcher Peleg Hadar of SafeBreach Labs discovered the vulnerability that received CVE-2019-12758. Several components of the software run as a Windows service, which is executed as “NT AUTHORITY\SYSTEM” and has corresponding authorizations.
During their analysis, the SafeBreach researchers encountered a service (SepMasterService) that belongs to Symantec Endpoint Protection and runs as a signed process under NT AUTHORITY\SYSTEM. They found that this service attempts to load the non-existent DLL listed below:
That is a possible point of attack, and the researchers used it. They created their own DSPARSE.dll and placed it in that folder, which requires administrator privileges. If the SepMasterService service then loads this planted DSPARSE.dll from the folder mentioned above, the attack succeeds.
This bypasses the self-defence mechanism of the antivirus software. That matters because the Symantec Endpoint Protection folders are protected by a mini-filter file system driver that restricts write operations even by an administrator. Normally, an administrator should therefore also be denied the right to drop a missing DLL into the above folder so that it gets loaded into Symantec’s processes.
Hadar’s team had already used this attack method successfully against McAfee Total Protection (MTP), McAfee Anti-Virus Plus (AVP) and McAfee Internet Security (MIS). I recently reported on that in the blog post McAfee patches vulnerability in antivirus products.
For this attack, too, the researchers wrote a 32-bit proxy DLL that, when called, writes certain parameters to a text file and logs the calls.
As expected, an arbitrary proxy DLL (which in turn could load another arbitrary DLL) could be placed in the above-mentioned folder. The proxy DLL and the subsequent DLLs were loaded, and their code then executed inside the Symantec service process as NT AUTHORITY\SYSTEM. The Symantec program’s protection mechanism was thus bypassed.
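As an added defensive example (not code from this post, from SafeBreach or from Symantec), the following Python rule runs over constructed Sysmon Event ID 7 (Image loaded) records and flags a DLL that a SYSTEM service maps but that is unsigned or not signed by the service’s own publisher, which is exactly what a planted proxy DLL like the one above looks like on the endpoint. The process name, paths and publisher names are placeholders I made up for the sample.

```python
from dataclasses import dataclass

@dataclass
class ImageLoad:
    """One Sysmon Event ID 7 (Image loaded) record, reduced to the fields the rule needs."""
    image: str          # loading process (Image)
    image_loaded: str   # DLL that was mapped (ImageLoaded)
    user: str           # account the process runs as (User)
    signed: bool        # Signed
    signature: str      # Signature (publisher name); "" when unsigned

SYSTEM_ACCOUNT = "nt authority\\system"
# OS directories where Microsoft-signed DLLs are expected even inside a third-party service.
OS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MICROSOFT_PUBLISHERS = {"Microsoft Windows", "Microsoft Corporation"}

def suspicious_reasons(ev: ImageLoad, process_publisher: str) -> list[str]:
    """Why a DLL load into a SYSTEM service looks like a hijack; an empty list means it looks normal."""
    if ev.user.lower() != SYSTEM_ACCOUNT:
        return []  # this rule only covers SYSTEM-level services such as the one described above
    dll = ev.image_loaded.lower()
    if dll.startswith(OS_DIRS) and ev.signed and ev.signature in MICROSOFT_PUBLISHERS:
        return []  # normal OS dependency
    reasons = []
    if not ev.signed:
        reasons.append("unsigned DLL mapped into a SYSTEM process")
    elif ev.signature != process_publisher:
        reasons.append(f"DLL signed by '{ev.signature}', but process is signed by '{process_publisher}'")
    return reasons

def scan(events: list[ImageLoad], process_publisher: str) -> list[tuple[str, list[str]]]:
    """Return (loaded DLL path, reasons) for every suspicious load in the batch."""
    hits = []
    for ev in events:
        why = suspicious_reasons(ev, process_publisher)
        if why:
            hits.append((ev.image_loaded, why))
    return hits

# Constructed sample records; process name, folder and publisher are placeholders, not Symantec's.
SVC = r"C:\Program Files (x86)\ExampleAV\avservice.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE = [
    ImageLoad(SVC, r"C:\Windows\System32\kernel32.dll", SYSTEM, True, "Microsoft Windows"),
    ImageLoad(SVC, r"C:\Program Files (x86)\ExampleAV\core.dll", SYSTEM, True, "Example AV Corp"),
    # the case from the post: a planted, unsigned DSPARSE.dll picked up by the service
    ImageLoad(SVC, r"C:\Program Files (x86)\ExampleAV\DSPARSE.dll", SYSTEM, False, ""),
    # a DLL carrying someone else's valid signature is still not the vendor's own code
    ImageLoad(SVC, r"C:\Program Files (x86)\ExampleAV\helper.dll", SYSTEM, True, "Other Publisher"),
    # a user-level process is out of scope for this rule
    ImageLoad(r"C:\Users\alice\tool.exe", r"C:\Users\alice\DSPARSE.dll", r"HOST\alice", False, ""),
]

if __name__ == "__main__":
    for dll, why in scan(SAMPLE, "Example AV Corp"):
        print(dll, "->", "; ".join(why))
```

In a real deployment the publisher names come from the Sysmon Signature field of the service process itself, and third-party DLLs legitimately living in the OS directories need an allowlist.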
Affected Symantec EP versions, implications
In this article on the SafeBreach Labs blog, security researcher Peleg Hadar describes the details and discusses further analyses. He also outlines the potential impact of the vulnerability: it gives attackers the ability to load and execute malicious payloads as part of a Symantec-signed process.
An attacker can misuse this capability for various purposes, such as bypassing application whitelisting. The vulnerability also allows attackers with administrative privileges to have a malicious routine loaded automatically by Symantec services whenever Windows starts. It affects all versions of Symantec Endpoint Protection prior to 14.2 RU2.
Symantec has fixed the vulnerability
Security researcher Peleg Hadar reported the vulnerability to Symantec on August 5, 2019 and received confirmation on August 6, 2019. A CVE identifier was issued on October 31. The CVE-2019-12758 vulnerability is fixed in Symantec Endpoint Protection 14.2 RU2. This version was released on October 22, 2019, as Bleeping Computer writes here. However, the site’s last update was on November 12, 2019.
Bleeping Computer also writes here that Peleg Hadar has discovered similar vulnerabilities not only in Trend Micro products, but also in Check Point, Bitdefender Antivirus, Avira Antivirus 2019, Avast Antivirus and products from other vendors.
Further vulnerability CVE-2019-12757
Yesterday I came across the following tweet from Matt Nelson, who uncovered another Local Privilege Escalation vulnerability, CVE-2019-12757, in Symantec Endpoint Protection.
[Blog] CVE-2019–12757: Local Privilege Escalation in Symantec Endpoint Protection https://t.co/NB74Qkid8s
— Matt Nelson (@enigma0x3) November 15, 2019
The vulnerability affects Symantec Endpoint Protection version 14.2 RU1 build 3335 (14.2.3335.1000) and below. It was tested with Windows 10 1803. The vulnerability was found in collaboration with Marcus Sailler, Rick Romo and Gary Muller of the Capital Group Security Testing Team.
Matt Nelson writes that, to reliably exploit this vulnerability, Symantec Endpoint Protection’s Tamper Protection feature must be disabled. According to him, this tamper protection is disabled in many companies. Nelson considers this a vulnerability regardless of whether tamper protection is enabled or not.
If tamper protection is disabled (he has seen various environments with this feature disabled), the exploitability of the vulnerability is high. If tamper protection is enabled, the vulnerability still exists, but its exploitability is much, much lower.
The details of the attack, which uses the Task Scheduler, and of the vulnerability are described here. The vulnerability was discovered on June 27, 2019 and reported to Symantec. It was addressed in Symantec Endpoint Protection (SEP) 14.2 RU2 and Symantec Endpoint Protection Small Business Edition (SEP SBE) 12.1 RU6 MP10d as of November 14, 2019.