Vulnerabilities > CVE-2018-12238 - Unspecified vulnerability in Symantec Endpoint Protection and Endpoint Protection Cloud

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
symantec
nessus
NVD
Published: 2018-11-29
Updated: 2019-10-03

Summary

Norton prior to 22.15; Symantec Endpoint Protection (SEP) prior to 12.1.7454.7000 & 14.2; Symantec Endpoint Protection Small Business Edition (SEP SBE) prior to NIS-22.15.1.8 & SEP-12.1.7454.7000; and Symantec Endpoint Protection Cloud (SEP Cloud) prior to 22.15.1 may be susceptible to an AV bypass issue, which is a type of exploit that works to circumvent one of the virus detection engines to avoid a specific type of virus protection. One of the antivirus engines depends on a signature pattern from a database to identify malicious files and viruses; the antivirus bypass exploit looks to alter the file being scanned so it is not detected.

Vulnerable Configurations

Part Description Count
Application
Symantec
283

Nessus

NASL familyWindows
NASL idSYMANTEC_ENDPOINT_PROT_CLIENT_SYMSA1468_1.NASL
descriptionThe version of Symantec Endpoint Protection (SEP) Client installed on the remote host is 12.1.x prior to 12.1.7454.7000 or 14.0.x prior to 14.2. It is, therefore, affected by multiple vulnerabilities: - An unspecified antivirus bypass vulnerability. (CVE-2018-12238) - An unspecified antivirus bypass vulnerability. (CVE-2018-12239) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen2020-06-01
modified2020-06-02
plugin id119616
published2018-12-13
reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/119616
titleSymantec Endpoint Protection Client 12.1.x < 12.1.7454.7000 / 14.x < 14.2 Multiple Vulnerabilities (SYMSA1468)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(119616);
  script_version("1.4");
  script_cvs_date("Date: 2019/11/01");

  script_cve_id("CVE-2018-12238", "CVE-2018-12239");
  script_bugtraq_id(105917, 105918);

  script_name(english:"Symantec Endpoint Protection Client 12.1.x < 12.1.7454.7000 / 14.x < 14.2 Multiple Vulnerabilities (SYMSA1468)");
  script_summary(english:"Checks the SEP Client version.");

  script_set_attribute(attribute:"synopsis", value:
"The Symantec Endpoint Protection Client installed on the remote host
is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Symantec Endpoint Protection (SEP) Client installed 
on the remote host is 12.1.x prior to 12.1.7454.7000 or 14.0.x prior
to 14.2. It is, therefore, affected by multiple vulnerabilities:

  - An unspecified antivirus bypass vulnerability. (CVE-2018-12238)

  - An unspecified antivirus bypass vulnerability. (CVE-2018-12239)

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  # https://support.symantec.com/en_US/article.SYMSA1468.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5c1e347e");
  # https://support.symantec.com/en_US/article.TECH103088.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bcc5e230");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Symantec Endpoint Protection Client version
12.1.7454.7000 or 14.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-12239");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/11/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:endpoint_protection");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("savce_installed.nasl");
  script_require_keys("Antivirus/SAVCE/version");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

app = 'Symantec Endpoint Protection Client';

display_ver = get_kb_item_or_exit('Antivirus/SAVCE/version');
edition = get_kb_item('Antivirus/SAVCE/edition');
if(get_kb_item('SMB/svc/ssSpnAv')) audit(AUDIT_INST_VER_NOT_VULN, "Symantec.cloud Endpoint Protection");

if (isnull(edition)) edition = '';
else if (edition == 'sepsb') app += ' Small Business Edition';

fixed_ver = NULL;

if (display_ver =~ "^12\.1\.")
  fixed_ver = '12.1.7454.7000';
else if (display_ver =~ "^14\.")
  fixed_ver = '14.2';
else
  audit(AUDIT_INST_VER_NOT_VULN, app, display_ver);

if (ver_compare(ver:display_ver, fix:fixed_ver, strict:FALSE) == -1)
{
  port = get_kb_item("SMB/transport");
  if (!port) port = 445;

  report =
    '\n  Product           : ' + app +
    '\n  Installed version : ' + display_ver +
    '\n  Fixed version     : ' + fixed_ver +
    '\n';
  security_report_v4(severity:SECURITY_WARNING, port:port, extra:report);
}
else audit(AUDIT_INST_VER_NOT_VULN, app, display_ver);

References