Symantec Endpoint Protection up to 12.1 RU6 MP6 Client input validation
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.5 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Symantec Endpoint Protection up to 12.1 RU6 MP6. It has been classified as critical. The impacted element is an unknown function of the component Client. This manipulation causes input validation. This vulnerability appears as CVE-2016-9093. The attack requires local access. There is no available exploit. It is suggested to install a patch to address this issue.
Details
A vulnerability has been found in Symantec Endpoint Protection up to 12.1 RU6 MP6 (Anti-Malware Software) and classified as critical. Affected by this vulnerability is an unknown code block of the component Client. The manipulation with an unknown input leads to a input validation vulnerability. The CWE definition for the vulnerability is CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. As an impact it is known to affect confidentiality, integrity, and availability.
The bug was discovered 03/06/2017. The weakness was presented 03/06/2017 by Alexandre Gazet with Air Bus Group as SYM17-002 as confirmed security response (Website). The advisory is shared at symantec.com. The public release was coordinated in cooperation with Symantec. This vulnerability is known as CVE-2016-9093 since 10/28/2016. The exploitation appears to be difficult. An attack has to be approached locally. The requirement for exploitation is a single authentication. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. The advisory points out:
A version of the SymEvent Driver that shipped with Symantec Endpoint Protection 12.1 RU6 MP6 and earlier fails to properly sanitize logged-in user input. SEP 14.0 and later are not impacted by this issue.
The vulnerability scanner Nessus provides a plugin with the ID 97661 (Symantec Endpoint Protection Client 12.1.x < 12.1 RU6 MP7 Local Privilege Escalation (SYM17-002)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 370326 (Symantec Endpoint Protection Clients Multiple Vulnerabilities.(SYM17-002)). The advisory illustrates:
A non-admin user would need to be able to save an executable file to disk and then be able to successfully run that file. If properly constructed, the file could access the driver interface and potentially manipulate certain system calls. On all 32-bit systems and in most cases on 64-bit systems, this will result in a denial of service that will crash the system. In very narrow circumstances, and on 64-bit systems only, this could allow the user to run arbitrary code on the local machine with kernel-level privileges. This could result in a non-privileged user gaining privileged access on the local machine.
Applying the patch 12.1 RU6 MP6 is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at Tenable (97661), SecurityFocus (BID 96294†) and SecurityTracker (ID 1037961†). See VDB-97754 for similar entry. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.symantec.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.8VulDB Meta Temp Score: 6.7
VulDB Base Score: 6.7
VulDB Temp Score: 6.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
Vendor Base Score (Symantec): 6.7
Vendor Vector (Symantec): 🔍
NVD Base Score: 7.0
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Input validationCWE: CWE-20
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 97661
Nessus Name: Symantec Endpoint Protection Client 12.1.x < 12.1 RU6 MP7 Local Privilege Escalation (SYM17-002)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Patch: 12.1 RU6 MP6
Timeline
10/28/2016 🔍03/06/2017 🔍
03/06/2017 🔍
03/06/2017 🔍
03/06/2017 🔍
03/07/2017 🔍
03/10/2017 🔍
03/10/2017 🔍
04/16/2018 🔍
08/18/2020 🔍
Sources
Vendor: symantec.comAdvisory: SYM17-002
Researcher: Alexandre Gazet
Organization: Air Bus Group
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2016-9093 (🔍)
GCVE (CVE): GCVE-0-2016-9093
GCVE (VulDB): GCVE-100-97753
SecurityFocus: 96294 - Symantec Endpoint Protection Client CVE-2016-9093 Local Privilege Escalation Vulnerability
OSVDB: - CVE-2016-9093 - Symantec - Endpoint Protection - Code Execution Issue
SecurityTracker: 1037961
See also: 🔍
Entry
Created: 03/10/2017 08:05Updated: 08/18/2020 11:43
Changes: 03/10/2017 08:05 (91), 08/18/2020 11:43 (6)
Complete: 🔍
Cache ID: 216::103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.