----------------------------------------------------------------------
IRM Security Advisory No. 014

Sygate Protection Agent 5.0 vulnerability - A low privileged user can
disable the security agent

Vulnerability Type / Importance: Security Protection Bypass / High

Problem discovered:  November 23rd 2005
Vendor contacted:    November 23rd 2005
Advisory published:  December 20th 2005
----------------------------------------------------------------------

Abstract:

The Sygate Protection Agent is one of the components within the Sygate
Enterprise Protection software suite. The agent acts as a personal
firewall and detects known Trojans, port scans and common attacks. When
an attack is detected, the product can selectively block traffic,
services or applications.

A vulnerability has been identified in the product that allows a low
privileged user to disable the Security Protection Agent, which could
place the system being protected at risk of attack.

Description:

There are two executable files in the installation path of the agent,
Smc.exe and SmcGui.exe; no shortcuts are created for the user. If a
standard user double-clicks smcgui.exe, which is the management
interface (supposedly not accessible to standard users), the following
error is displayed:

"Serious problem reading transaction from pipe - probable loss of
syncronisation a 6"

and the GUI does not execute. However, upon killing the process in Task
Manager, the management GUI appears; the user then has full access to
the management interface and can therefore disable the security agent.

Tested Versions:

Sygate Protection Agent 5.0 (build 6144)

Tested Operating Systems:

Windows XP SP1
Windows XP Tablet PC edition

Vendor & Patch Information:

On November 23rd an email was sent to 'security-alert@sygate.com' and
'security@sygate.com', but both of these addresses bounced. IRM have
submitted vulnerabilities to Sygate previously, so the email was then
sent to a specific individual at the company, but again no response was
received. As Sygate has recently been acquired by Symantec, an email was
then sent to security@symantec.com. However, again, no response was
received.

Workarounds:

IRM are not aware of any workarounds for this issue.

Credits:

Research & Advisory: Mazin Faour and Andy Davis

Disclaimer:

All information in this advisory is provided on an 'as is' basis in the
hope that it will be useful. Information Risk Management Plc is not
responsible for any risks or occurrences caused by the application of
this information.

A copy of this advisory may be found at:
http://www.irmplc.com/advisories.htm

----------------------------------------------------------------------
Information Risk Management Plc.
Kings Building, Smith Square, London, United Kingdom SW1P 3JJ
+44 (0)207 808 6420
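An added defender-side check for the condition reported in the Description above (example code, not part of IRM's advisory or Sygate's product): it reports whether the Smc.exe agent process is still running, whether BUILTIN\Users hold execute rights on SmcGui.exe, and which accounts currently have the GUI open. The agent install directory is an assumption, since the advisory does not state it.

```powershell
# Added example, not from the IRM advisory. Reports the state a defender cares
# about for this issue: is the agent (Smc.exe) still running, can BUILTIN\Users
# execute the management GUI (SmcGui.exe), and who is running the GUI right now.
# The install directory is an ASSUMPTION; the advisory does not name it.
param(
    [string]$AgentDir = 'C:\Program Files\Sygate\Sygate Protection Agent'  # assumed
)

function Get-SygateAgentState {
    param([string]$Dir)

    $guiExe = Join-Path $Dir 'SmcGui.exe'
    $state  = [ordered]@{
        AgentRunning   = $false
        UsersCanRunGui = $false
        GuiRunAs       = @()
    }

    # 1. Agent process present? If the GUI was used to disable the agent, this is
    #    the first observable change on the host.
    $state.AgentRunning = [bool](Get-Process -Name 'Smc' -ErrorAction SilentlyContinue)

    # 2. Do standard users hold an Allow ACE with execute rights on the GUI binary?
    #    The bypass in the advisory starts with a standard user launching it.
    if (Test-Path $guiExe) {
        $exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
        $acl  = Get-Acl -Path $guiExe
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -match '\\Users$' -and
                (($ace.FileSystemRights -band $exec) -ne 0)) {
                $state.UsersCanRunGui = $true
            }
        }
    } else {
        Write-Warning "SmcGui.exe not found under $Dir (check the assumed install path)"
    }

    # 3. Which accounts currently have the GUI open? -IncludeUserName needs an
    #    elevated shell; without one the list is simply empty.
    $gui = Get-Process -Name 'SmcGui' -IncludeUserName -ErrorAction SilentlyContinue
    $state.GuiRunAs = @($gui | ForEach-Object { $_.UserName } | Sort-Object -Unique)

    return [pscustomobject]$state
}

$result = Get-SygateAgentState -Dir $AgentDir
if (-not $result.AgentRunning) {
    Write-Warning 'Smc.exe is not running: the protection agent may have been disabled'
}
$result
```

Run it from an elevated PowerShell session on the protected host; a host where AgentRunning is false, or where an unexpected account appears in GuiRunAs, warrants a closer look.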