SEC Consult Vulnerability Lab Security Advisory < 20140218-0 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: Symantec Endpoint Protection
 vulnerable version: 11.0, 12.0, 12.1
      fixed version: >=11.0.7405.1424, >=12.1.4023.4080
             impact: Critical
         CVE number: CVE-2013-5014, CVE-2013-5015
           homepage: http://www.symantec.com
              found: 2013-12-03
                 by: Stefan Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Symantec Endpoint Protection is a client-server solution that protects
laptops, desktops, Windows and Mac computers, and servers in your network
against malware. Symantec Endpoint Protection combines virus protection with
advanced threat protection to proactively secure your computers against known
and unknown threats. Symantec Endpoint Protection protects against malware
such as viruses, worms, Trojan horses, spyware, and adware. It provides
protection against even the most sophisticated attacks that evade traditional
security measures, such as rootkits, zero-day attacks, and spyware that
mutates. Providing low maintenance and high power, Symantec Endpoint
Protection communicates over your network to automatically safeguard for both
physical systems and virtual systems against attacks."

Source:
https://www.symantec.com/endpoint-protection
https://www.symantec.com/business/support/index?page=content&id=DOC6153

Business recommendation:
------------------------
Attackers are able to completely compromise the Endpoint Protection Manager
server as they can gain access at the system and database level. Furthermore
attackers can manage all endpoints and possibly deploy attacker-controlled
code on endpoints. The Endpoint Protection Manager server can be used as an
entry point into the target infrastructure (lateral movement, privilege
escalation).
It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and
all identified issues have been resolved. It is assumed that further
critical vulnerabilities exist.

Vulnerability overview/description:
-----------------------------------
1) Unauthenticated XML External Entity Injection (XXE) (CVE-2013-5014)
Multiple XXE vulnerabilities were found in the Endpoint Protection Manager
application. Because the server-side XML parser resolves attacker-supplied
external entities, these vulnerabilities can be used for server side request
forgery (SSRF) attacks: portscanning/fingerprinting, denial of service,
possibly file disclosure, and attacks against functionality that is only
exposed internally, i.e. only reachable from localhost (see 2).

2) Unauthenticated local SQL injection (CVE-2013-5015)
The identified SQL injection vulnerability enables an unauthenticated
attacker to execute arbitrary commands on the underlying operating system
with the privileges of the SQL server service (SYSTEM). This was confirmed
in the default setup using the internal SQL server (SQL Anywhere). This
vulnerability can be used to exfiltrate database content (e.g. usernames
and password hashes) as well (e.g. on other DBMS). As the vulnerable
functionality is only available for requests coming from localhost, the XXE
vulnerability (see 1) can be used to exploit it remotely: the Endpoint
Protection Manager itself issues the injected request, so it originates
from 127.0.0.1 and passes the localhost check.

Note: These vulnerabilities can be exploited via Cross-Site Request Forgery
(CSRF) as well. An attacker does not need direct network access to the
vulnerable application!

Proof of concept:
-----------------
1) Unauthenticated XML External Entity Injection (XXE) (CVE-2013-5014)
The following request shows how XXE injection can be used to request
arbitrary resources. The affected functionality is available via TCP port
9090 (HTTP) and 8443 (HTTPS).

Affected script: /servlet/ConsoleServlet

Detailed proof of concept exploits have been removed for this vulnerability.
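The mechanism behind item 1 and the localhost bypass used for item 2, as an
added stand-alone example that is not part of the original advisory and not
SEC Consult's or Symantec's code. The removed proof of concept is NOT
reconstructed here: instead of ConsoleServlet, a tiny HTTP endpoint bound to
127.0.0.1 on a random port stands in for "functionality only available for
requests coming from localhost", and Python's xml.sax parser stands in for the
server-side XML parser. The attacker document declares an external entity
whose SYSTEM URI points at that endpoint; when the parser resolves external
general entities (the vulnerable configuration), the fetch is made by the
server process, so the endpoint sees 127.0.0.1 and answers. With external
entity resolution disabled (the hardened configuration) the same document
yields nothing. All names, the port, the response body and the endpoint's
"client must be 127.0.0.1" check are constructed for this example.

```python
"""Added example (not from the advisory): XXE turned into SSRF against a
localhost-only endpoint, next to the hardened parser configuration.
Every server, path and message here is a constructed stand-in."""
import io
import threading
import urllib.request
import xml.sax
from http.server import BaseHTTPRequestHandler, HTTPServer
from xml.sax.handler import ContentHandler, feature_external_ges


class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for functionality that trusts 'localhost' callers."""

    def do_GET(self):
        if self.client_address[0] == "127.0.0.1":
            body, status = b"LOCALHOST-TRUSTED-ACTION-EXECUTED", 200
        else:
            body, status = b"FORBIDDEN", 403
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class TextCollector(ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted_xml(xml_bytes, resolve_external_entities):
    """Parse attacker-supplied XML. The flag models the server parser's
    configuration: True = vulnerable (external entities fetched),
    False = hardened (external entities ignored)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def xxe_request(target_uri):
    """Attacker's document: an external general entity referenced in content.
    The same shape with a file:// URI is the file-disclosure variant."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE request [<!ENTITY xxe SYSTEM "{target_uri}">]>\n'
        '<request><data>&xxe;</data></request>'
    ).encode()


def run_demo():
    """Returns (text seen with entities resolved, text seen with them disabled)."""
    server = HTTPServer(("127.0.0.1", 0), LocalOnlyHandler)  # random free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # xml.sax fetches entities via urllib, which honours *_proxy environment
    # variables; install a proxy-less opener so the loopback fetch stays local.
    urllib.request.install_opener(
        urllib.request.build_opener(urllib.request.ProxyHandler({})))
    try:
        doc = xxe_request(f"http://127.0.0.1:{port}/internal-only")
        vulnerable = parse_untrusted_xml(doc, resolve_external_entities=True)
        hardened = parse_untrusted_xml(doc, resolve_external_entities=False)
    finally:
        server.shutdown()
        server.server_close()
    return vulnerable, hardened


if __name__ == "__main__":
    resolved, disabled = run_demo()
    print("external entities resolved:", repr(resolved))
    print("external entities disabled:", repr(disabled))
```

The attacker never connects to the endpoint; the parser does, from the
server's own address, which is exactly why a "requests from localhost only"
check is no protection once an XXE exists in front of it. The fix on the
parser side is the `resolve_external_entities=False` path (disable DTD/external
entity processing in whatever XML library the server uses); the fix on the
endpoint side is to stop treating the source address as authentication.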
2) Unauthenticated local SQL injection (CVE-2013-5015)
The following request exploits the SQL injection vulnerability to execute
arbitrary commands using the xp_cmdshell() system procedure (available in
SQL Anywhere). No authentication is needed, but it only works when executed
from localhost. Using the XXE vulnerability, the SQL injection can be
exploited via the local network/Internet. The affected functionality is
available via TCP port 9090 (HTTP) and 8443 (HTTPS).

Affected script: /servlet/ConsoleServlet

This vulnerability can be used to exfiltrate database content (e.g.
usernames and password hashes) as well. All usernames and password hashes
are stored within the database as unsalted MD5 hashes.

Detailed proof of concept exploits have been removed for this vulnerability.

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Symantec Endpoint
Protection version 12.1.4013, which was the most recent version at the time
of discovery. According to Symantec, versions 11.0, 12.0 and 12.1 are
affected.

Vendor contact timeline:
------------------------
2013-12-16: Sending advisory and proof of concept exploit via encrypted
            channel.
2013-12-16: Vendor acknowledges receipt of advisory.
2014-01-09: Requesting status update and setting release date (2014-01-31).
2014-01-09: Vendor responds and wants to release update in "March timeframe".
2014-01-14: Clarifying reasons for accelerated disclosure (criticality,
            increased expectations from European customers, ...) in
            compliance with the SEC Consult Responsible Disclosure Policy.
2014-01-23: Contacting CERT teams (CERT-Bund Germany, CERT-CC and CERT.at).
2014-01-27: Conference call: extending advisory release date (2014-02-18).
2014-02-13: Symantec releases fixed versions.
2014-02-18: SEC Consult releases coordinated security advisory.

Solution:
---------
Update to the most recent version (11.0.7405.1424 or 12.1.4023.4080) of
Symantec Endpoint Protection.
More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00
http://www.symantec.com/business/support/index?page=content&id=TECH214866

Workaround:
-----------
No workaround available.

Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarters:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail:    research at sec-consult dot com
Web:     https://www.sec-consult.com
Blog:    http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF Stefan Viehböck / @2014