Vulnerabilities > CVE-2018-12245 - Untrusted Search Path vulnerability in Symantec Endpoint Protection

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

symantec

CWE-426

nessus

NVD

Published: 2018-11-29

Updated: 2018-12-28

Summary

Symantec Endpoint Protection prior to 14.2 MP1 may be susceptible to a DLL Preloading vulnerability, which in this case is an issue that can occur when an application being installed unintentionally loads a DLL provided by a potential attacker. Note that this particular type of exploit only manifests at install time; no remediation is required for software that has already been installed. This issue only impacted the Trialware media for Symantec Endpoint Protection, which has since been updated.

Vulnerable Configurations

Part	Description	Count
Application	Symantec Symantec Endpoint Protection 11.0 Symantec Endpoint Protection 11.0.1 Symantec Endpoint Protection 11.0.2 Symantec Endpoint Protection 11.0.4 Symantec Endpoint Protection 11.0.7 Symantec Endpoint Protection 11.0.7.1 Symantec Endpoint Protection 11.0.7.2 Symantec Endpoint Protection 11.0.7.3 Symantec Endpoint Protection 11.0.3001 Symantec Endpoint Protection 11.0.6000 Symantec Endpoint Protection 11.0.6100 Symantec Endpoint Protection 11.0.6200 Symantec Endpoint Protection 11.0.6200.754 Symantec Endpoint Protection 11.0.6300 Symantec Endpoint Protection 11.0.7000 Symantec Endpoint Protection 11.0.7100 Symantec Endpoint Protection 12.0 Symantec Endpoint Protection 12.0.122.192 Symantec Endpoint Protection 12.0.1001.95 Symantec Endpoint Protection 12.1 Symantec Endpoint Protection 12.1.1 Symantec Endpoint Protection 12.1.1.1 Symantec Endpoint Protection 12.1.2 Symantec Endpoint Protection 12.1.2.1 Symantec Endpoint Protection 12.1.3 Symantec Endpoint Protection 12.1.4 Symantec Endpoint Protection 12.1.4.1 Symantec Endpoint Protection 12.1.4.1A Symantec Endpoint Protection 12.1.4.1B Symantec Endpoint Protection 12.1.4A Symantec Endpoint Protection 12.1.5 Symantec Endpoint Protection 12.1.6 Symantec Endpoint Protection 12.1.671 Symantec Endpoint Protection 12.1.671.4971 Symantec Endpoint Protection 12.1.1000 Symantec Endpoint Protection 12.1.1000.157 Symantec Endpoint Protection 12.1.1101.401 Symantec Endpoint Protection 12.1.2015.2015 Symantec Endpoint Protection 12.1.2100.2093 Symantec Endpoint Protection 12.1.3001.165 Symantec Endpoint Protection 12.1.4013.4013 Symantec Endpoint Protection 12.1.4023.4080 Symantec Endpoint Protection 12.1.4100.4126 Symantec Endpoint Protection 12.1.4104.4130 Symantec Endpoint Protection 12.1.4112.4156 Symantec Endpoint Protection 12.1.5337.5000 Symantec Endpoint Protection 12.1.6168.6000 Symantec Endpoint Protection 12.1.6306.6100 Symantec Endpoint Protection 12.1.6318.6100 Symantec Endpoint Protection 12.1.6465.6200 Symantec Endpoint Protection 12.1.6608.6300 Symantec Endpoint Protection 12.1.6867.6400 Symantec Endpoint Protection 12.1.7004.6500 Symantec Endpoint Protection 12.1.7061.6600 Symantec Endpoint Protection 12.1.7166.6700 Symantec Endpoint Protection 12.1.7266.6800 Symantec Endpoint Protection 12.1.7369.6900 Symantec Endpoint Protection 12.1.7384.6902 Symantec Endpoint Protection 12.1.7385.6902 Symantec Endpoint Protection 12.1.7445.7000 Symantec Endpoint Protection 12.1.7454.7000 Symantec Endpoint Protection 12.1.7510.7002 Symantec Endpoint Protection 14 Symantec Endpoint Protection 14.0 Symantec Endpoint Protection 14.0.0 Symantec Endpoint Protection 14.0.1 Symantec Endpoint Protection 14.2	221

Common Weakness Enumeration (CWE)

CWE-426 - Untrusted Search Path

Common Attack Pattern Enumeration and Classification (CAPEC)

Leveraging/Manipulating Configuration File Search Paths
This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.

Nessus

NASL family	Windows
NASL id	SYMANTEC_ENDPOINT_PROT_CLIENT_SYMSA1468_2.NASL
description	The version of Symantec Endpoint Protection (SEP) Client installed on the remote host is 12.1.x or 14.x prior to 14.2 MP1. It is, therefore, affected by an unspecified DLL preloading vulnerability. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	119617
published	2018-12-13
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/119617
title	Symantec Endpoint Protection Client 12.1.x / 14.x < 14.2 MP1 DLL Preloading Vulnerability (SYMSA1468)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(119617); script_version("1.4"); script_cvs_date("Date: 2019/11/01"); script_cve_id("CVE-2018-12245"); script_bugtraq_id(105919); script_name(english:"Symantec Endpoint Protection Client 12.1.x / 14.x < 14.2 MP1 DLL Preloading Vulnerability (SYMSA1468)"); script_summary(english:"Checks the SEP Client version."); script_set_attribute(attribute:"synopsis", value: "The Symantec Endpoint Protection Client installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Symantec Endpoint Protection (SEP) Client installed on the remote host is 12.1.x or 14.x prior to 14.2 MP1. It is, therefore, affected by an unspecified DLL preloading vulnerability. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); # https://support.symantec.com/en_US/article.SYMSA1468.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5c1e347e"); # https://support.symantec.com/en_US/article.TECH103088.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bcc5e230"); script_set_attribute(attribute:"solution", value: "Upgrade to Symantec Endpoint Protection Client version 14.2 MP1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-12245"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/28"); script_set_attribute(attribute:"patch_publication_date", value:"2018/11/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:endpoint_protection"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("savce_installed.nasl"); script_require_keys("Antivirus/SAVCE/version"); script_require_ports(139, 445); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); app = 'Symantec Endpoint Protection Client'; display_ver = get_kb_item_or_exit('Antivirus/SAVCE/version'); edition = get_kb_item('Antivirus/SAVCE/edition'); if(get_kb_item('SMB/svc/ssSpnAv')) audit(AUDIT_INST_VER_NOT_VULN, "Symantec.cloud Endpoint Protection"); if (isnull(edition)) edition = ''; else if (edition == 'sepsb') app += ' Small Business Edition'; fixed_ver = NULL; if (display_ver =~ "^12\.1\." \|\| display_ver =~ "^14\." ) fixed_ver = '14.2.0.1'; else audit(AUDIT_INST_VER_NOT_VULN, app, display_ver); if (ver_compare(ver:display_ver, fix:fixed_ver, strict:FALSE) == -1) { port = get_kb_item("SMB/transport"); if (!port) port = 445; report = '\n Product : ' + app + '\n Installed version : ' + display_ver + '\n Fixed version : ' + fixed_ver + '\n'; security_report_v4(severity:SECURITY_WARNING, port:port, extra:report); } else audit(AUDIT_INST_VER_NOT_VULN, app, display_ver);

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References