The Bug
After discovering the bug, the researchers reported it to Symantec in August 2019, which the vendors confirmed the next day.
The Symantec Endpoint Protection Local Privilege Escalation (LPE) bug now tracked as CVE-2019-12758 requires potential attackers to have Administrator privileges to successfully exploit the issue.
While the threat level of this vulnerability is not immediately apparent, such bugs are commonly rated with medium and high severity CVSS 3.x base scores.
Hackers abuse DLL search-order hijacking issues such as this as part of multi-stage attacks after infiltrating a target's machine to elevate permissions to further compromise the device and to establish persistence.
Upon successful exploitation, it can be used "to bypass Symantec’s Self-Defense mechanism and achieve defense evasion, persistence, and privilege escalation by loading an arbitrary unsigned DLL into a process that is signed by Symantec and that runs as NT AUTHORITY\SYSTEM.
Recently, Symantec has issued a fix for this vulnerability assigned with CVE number CVE-2019-12758.
The fix for the LPE flaw is already available with Symantec Endpoint Protection 14.2 RU2 release.
Hence, the users must ensure upgrading their systems to the patched version to stay protected from potential attacks.
Mitigation
The aforementioned issues were validated by product team engineers. The following product updates have been made available to customers to remediate these issues:
- SEP 14.2 RU1
- SEP 14.2 RU2
- SEPM 14.2 RU2
- SEP SBE 12.1 RU6 MP10d (12.1.7510.7002)
- SMSMSE 7.9.x (or apply the HF provided in the link)
The listed product updates are available to customers through normal support channels. At this time, Symantec is not aware of any exploitations or adverse customer impact from these issues.
Symantec recommends the following measures to reduce risk of attack:
- Restrict access to administrative or management systems to authorized privileged users.
- Restrict remote access to trusted/authorized systems only.
- Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
- Keep all operating systems and applications current with vendor patches.
- Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
- Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.
Reference:
Symantec Endpoint Protection Multiple Issues
https://support.symantec.com/us/en/article.SYMSA1488.html
To check all the Security Advisories: https://support.symantec.com/us/en/security-advisory.html