Vulnerabilities > CVE-2015-8113 - Incomplete Fix Binary Planting vulnerability in Symantec Endpoint Protection 11.0

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
symantec
nessus
NVD
Published: 2015-11-12
Updated: 2015-11-19

Summary

Untrusted search path vulnerability in the client in Symantec Endpoint Protection (SEP) 12.1 before 12.1-RU6-MP3 allows local users to gain privileges via a Trojan horse DLL in a client install package. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1492. <a href="http://cwe.mitre.org/data/definitions/426.html">CWE-426: Untrusted Search Path</a>

Vulnerable Configurations

Part Description Count
Application
Symantec
1

Nessus

NASL familyWindows
NASL idSYMANTEC_ENDPOINT_PROT_MGR_SYM15-011.NASL
descriptionThe version of Symantec Endpoint Protection Manager (SEPM) installed on the remote host is prior to 12.1 RU6 MP3. It is, therefore, affected by the following vulnerabilities : - A local privilege escalation vulnerability exists due to an untrusted search path flaw. A local attacker can exploit this, via a trojan DLL in a client install package, to gain privileges. (CVE-2015-1492, CVE-2015-8113) - A remote command execution vulnerability exists due to an unspecified flaw in the management console. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary Java commands. (CVE-2015-6554) - An arbitrary code execution vulnerability exists due to an unspecified flaw in the management console. An authenticated, remote attacker can exploit this by connecting to the console Java port, to execute arbitrary code with administrator privileges. (CVE-2015-6555)
last seen2020-06-01
modified2020-06-02
plugin id86873
published2015-11-13
reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/86873
titleSymantec Endpoint Protection Manager < 12.1 RU6 MP3 Multiple Vulnerabilities (SYM15-011)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(86873);
  script_version("1.11");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  script_cve_id(
    "CVE-2015-1492",
    "CVE-2015-6554",
    "CVE-2015-6555",
    "CVE-2015-8113"
  );
  script_bugtraq_id(
    76083,
    77494,
    77495
  );

  script_name(english:"Symantec Endpoint Protection Manager < 12.1 RU6 MP3 Multiple Vulnerabilities (SYM15-011)");
  script_summary(english:"Checks the SEPM version.");

  script_set_attribute(attribute:"synopsis", value:
"The version of Symantec Endpoint Protection Manager installed on the
remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Symantec Endpoint Protection Manager (SEPM) installed
on the remote host is prior to 12.1 RU6 MP3. It is, therefore,
affected by the following vulnerabilities :

  - A local privilege escalation vulnerability exists due to
    an untrusted search path flaw. A local attacker can
    exploit this, via a trojan DLL in a client install
    package, to gain privileges. (CVE-2015-1492,
    CVE-2015-8113)

  - A remote command execution vulnerability exists due to
    an unspecified flaw in the management console. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted request, to execute arbitrary Java
    commands. (CVE-2015-6554)

  - An arbitrary code execution vulnerability exists due to
    an unspecified flaw in the management console. An
    authenticated, remote attacker can exploit this by
    connecting to the console Java port, to execute
    arbitrary code with administrator privileges.
    (CVE-2015-6555)");
  # https://support.symantec.com/en_US/article.SYMSA1334.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?41466b33");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Symantec Endpoint Protection Manager 12.1 RU6 MP3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:endpoint_protection_manager");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

  script_dependencies("symantec_endpoint_prot_mgr_installed.nasl");
  script_require_keys("installed_sw/Symantec Endpoint Protection Manager");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

app = 'Symantec Endpoint Protection Manager';

install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);

version = install['version'];
path    = install['path'   ];

fixed_ver = '12.1.6306.6300';

if (version =~ "^12\.1\." && ver_compare(ver:version, fix:fixed_ver, strict:FALSE) == -1)
{
  port = get_kb_item("SMB/transport");
  if (!port) port = 445;

  set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);

  if (report_verbosity > 0)
  {
    report =
      '\n  Path              : '+ path +
      '\n  Installed version : '+ version +
      '\n  Fixed version     : '+ fixed_ver +
      '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);

References