Vulnerabilities / Threats
2/18/2014
02:58 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

Critical Vulnerabilities Completely Compromise Symantec Endpoint Protection

SEC Consult Vulnerability Lab finds major flaws

PR Newswire -- February 18, 2014

VIENNA, February 18, 2014 /PRNewswire/ --

The award-winning [1] and longtime leader of Gartner report league tables [2]; Symantec Endpoint Protection, developed by the US-based Symantec Corp. (Nasdaq: SYMC), was shipped without removing several critical security vulnerabilities [3]. The vulnerabilities were discovered in a routine '99er' security crash test by experts of the SEC Consult Vulnerability Lab (http://www.sec-consult.com). In a 99er security crash test, SEC Consult white-hat experts evaluate the product security for the maximum of 99 working hours to determine if this specific release of a product can be compromised by attackers.

The unremoved vulnerabilities enable state-sponsored or criminal hackers to take full control of the 'Symantec Endpoint Protection Manager' server. With the full control of the server the attackers could obliterate the endpoint protection provided by the Symantec solution as they would have full access to the protection features of the endpoints. SEC Consult experts recommend immediately installing the update released by the vendor to counter these vulnerabilities [4].

Since mid-2012 SEC Consult has identified several critical vulnerabilities in other Symantec products during routine security tests. A Support Backdoor was identified in Symantec Messaging Gateway [5] and for the Symantec Web Gateway [6]. The vulnerabilities found enabled attackers to run commands with the privileges of the 'root' operating system user and to perform surveillance activities.

SEC Consult strongly advises that customers of Symantec products should demand from the vendor exhaustive security tests by (European) security experts before the implementation of the respective software product.

SEC Consult generally recommends routine security crash tests for standard software products to prevent the procurement of 'toxic' (i.e. heavily insecure) software. Toxic Software contains severe security vulnerabilities and poses a severe and highly probable risk to the confidentiality, availability and integrity of its owner.

Further technical information can be found in the SEC Consult Security Advisory [3].

[1] http://www.scawardseurope.com/2013-winners

[2] http://www.symantec.com/connect/blogs/symantec-named-leader-gartner-magic-quadrant-endpoint-protection-platforms-12-year-span

[3] https://www.sec-consult.com/de/Vulnerability-Lab/Advisories.htm

[4 ]http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00

[5] https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm#a99

[6] https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm#a131

For further information please contact: Johannes Greil Head of SEC Consult Vulnerability Lab Phone: +43189030430 research@sec-consult.com

SOURCE SEC Consult Security Advisory

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.