Symantec Endpoint Protection Vulnerable to Self-Defense Bypassing Attacks

  • Symantec’s Endpoint Security belongs to the big group of security apps that don’t validate DLL files.
  • SafeBreach researchers have developed a proof of concept code that has numerous potential malicious uses.
  • All versions prior to 14.2 RU2 are vulnerable, so users are urged to update their products immediately.

As we promised yesterday, today we are revealing another crucial vulnerability which plagues a product from a reputable vendor. This vendor is Symantec, and the affected product is Endpoint Protection. The flaw that was discovered by SafeBreach Labs, who was kind enough to share it with us beforehand, is given the identifier “CVE-2019-12758”. The vulnerability is again based on the loading of an arbitrary unsigned DLL into a process that is signed by Symantec and runs as NT Authority\System. The practical implications of this include defense evasion, threat persistence, and privilege escalation potential.

Symantec Endpoint Protection is a security software suite that is deployed in many high-risk environments, helping administrators set up intrusion-prevention systems. It also provides firewall features that can help keep dangers outside server farms or desktop computers. The particular product is the most popular endpoint security solution out there, so we’re talking about a vulnerability that affects many thousands. As was the case with other security products that we discussed in the recent past, the Symantec Endpoint Protection software is running a signed process as NT Authority\System, trying to load a specific DLL file without any validation.

The SafeBreach team has developed a PoC (proof of concept) in the form of a 32-bit proxy DLL which can write the required filename, username, and parent process name, essentially turning Symantec’s software into a persistent threat for the victim. This is because an actor could execute any code they would like through the unsigned DLL, and have it run at maximum system privileges, completely bypassing the self-defense mechanism of the product. The root cause for this is again, the absence of any form of digital signature validation for the DLL file.

dll_parsing

SafeBreach reported the discovered vulnerability to Symantec on August 5, 2019, which the security company confirmed only a day after. Working on the release of a fix, however, took quite a while, with the fix finally arriving through a patch today. The affected versions are all going from 14.2 RU2 and older, so if you are running a vulnerable version you should update immediately. On that note, it is important to clarify that for the particular attack to work, the actor would need to have administrator privileges in the first place.

Do you have something to comment on the above? Feel free to share your thoughts with us in the section down below, or join the discussion on our socials, on Facebook and Twitter.

REVIEW OVERVIEW

Recent Articles

10 Best Ultrawide Gaming Monitors in 2020

Ultrawide monitors are a relatively new trend in the world of computers, mainly because the technology required to make them feasible was not mature...

More Than 15 Billion Stolen Credentials Are Circulating Out There

Stolen credentials are sold by the billions today, as we have about 185 data breaches per day. Almost one-third of the stolen...

Here’s What We Know About Kilos, the Biggest Dark Web Market

One of the most infamous sites on the Dark Web was a search engine known as "Grams." Launched in 2014, Grams allowed users to search...

Zoom Announced the Launch of Its “Hardware as a Service” Program

Zoom calls companies to consider renting teleconferencing equipment from them and launches a new program. The hardware manufacturers that will support the...

The U.S. Copyright Office Says Pirates Shouldn’t Lose Their Internet Connection

Breaking the law is condemnable, but barring someone out of the internet world is unconstitutional. The U.S. Copyright Office is calling the...