Symantec Norton Security DLL Library Path privileges management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.4 | $0-$5k | 0.00 |
Summary
A vulnerability classified as critical was found in Symantec Norton Security, Norton Internet Security and Norton Antivirus. The affected element is an unknown function of the component DLL Library Handler. Manipulation leads to a privileges management weakness (Path). The vulnerability is tracked as CVE-2016-5311. The attack must be carried out locally. No exploit is available. Applying a patch is advised to resolve this issue.
Details
A vulnerability was found in Symantec Norton Security, Norton Internet Security and Norton Antivirus (Anti-Malware Software) (affected version not known) and classified as critical. It affects unknown functionality of the component DLL Library Handler. Manipulation with an unknown input leads to a privileges management vulnerability (Path). The CWE classification is CWE-269: the product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Confidentiality, integrity, and availability are impacted.
The bug was discovered on 11/22/2016. The weakness was shared on 11/17/2016 by Herman Groeneveld (sh4d0wman) as SYM16-021, a confirmed security advisory (Website). The advisory is available for download at symantec.com. The vendor cooperated in the coordination of the public release. The vulnerability has been handled as CVE-2016-5311 since 06/06/2016. Exploitation is known to be easy. The attack must be carried out locally. Simple authentication is required for exploitation. Successful exploitation requires user interaction by the victim. Neither technical details nor an exploit are publicly available. The MITRE ATT&CK project declares the attack technique as T1068. The advisory points out:
Norton products and SEPSBE/SEPC clients are susceptible to a potential DLL-preloading issue resulting from improper path restrictions. This could cause one of the application libraries to explicitly load a third-party system DLL without specifying an absolute path. An authorized but malicious user with access to a client could potentially insert a specially crafted file using the same name as the specified DLL into one of the susceptible folders or a network share. In most situations, the arbitrary code would run with user-level privileges. However, during installation or uninstallation processes, arbitrary code could run with system privileges.
The vulnerability scanner Nessus provides a plugin with the ID 96045 (Symantec Endpoint Protection Client < 22.8.0.50 Elevation of Privilege (SYM16-021)), which helps to determine whether the flaw exists in a target environment. It is assigned to the family Windows and runs in the context l.
Applying the patch NGC 22.7 eliminates this problem. A possible mitigation was published immediately after the disclosure of the vulnerability. The security advisory contains the following remark:
Product engineers have addressed this vulnerability through a client update delivered to Norton products and SEPSBE/SEPC clients via LiveUpdate along with normal definition and signature updates.
The vulnerability is also documented in the databases at Tenable (96045) and SecurityFocus (BID 94295). The entry VDB-93703 is related to this item. VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Website
- Vendor: https://www.symantec.com/
CVSSv3
VulDB Meta Base Score: 7.5
VulDB Meta Temp Score: 7.4
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
NVD Base Score: 7.8
Exploiting
Name: Path
Class: Privileges management / Path
CWE: CWE-269 / CWE-266
Physical: Partially
Local: Yes
Remote: Partially
Status: Not defined
Nessus ID: 96045
Nessus Name: Symantec Endpoint Protection Client < 22.8.0.50 Elevation of Privilege (SYM16-021)
Countermeasures
Recommended: Patch
Patch: NGC 22.7
Timeline
06/06/2016
11/17/2016
11/17/2016
11/17/2016
11/20/2016
11/22/2016
12/21/2016
10/04/2022
Sources
Vendor: symantec.com
Advisory: SYM16-021
Researcher: Herman Groeneveld (sh4d0wman)
Status: Confirmed
CVE: CVE-2016-5311
GCVE (CVE): GCVE-0-2016-5311
GCVE (VulDB): GCVE-100-93704
SecurityFocus: 94295 - Multiple Symantec Products CVE-2016-5311 DLL Loading Local Privilege Escalation Vulnerability
SecurityTracker: 1037323
Entry
Created: 11/20/2016 11:20
Updated: 10/04/2022 10:05
Changes: 11/20/2016 11:20 (50), 06/07/2019 16:18 (14), 10/04/2022 10:01 (2), 10/04/2022 10:05 (18)