Vulnerabilities > CVE-2018-5236 - Race Condition vulnerability in Symantec Endpoint Protection

CVSS 3.5 - LOW

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

network

symantec

CWE-362

nessus

NVD

Published: 2018-06-20

Updated: 2018-08-11

Summary

Symantec Endpoint Protection prior to 14 RU1 MP1 or 12.1 RU6 MP10 may be susceptible to a race condition (or race hazard). This type of issue occurs in software where the output is dependent on the sequence or timing of other uncontrollable events.

Vulnerable Configurations

Part	Description	Count
Application	Symantec Symantec Endpoint Protection 12.1 Symantec Endpoint Protection - Symantec Endpoint Protection 11 Symantec Endpoint Protection 11.0 Symantec Endpoint Protection 11.0.1 Symantec Endpoint Protection 11.0.2 Symantec Endpoint Protection 11.0.4 Symantec Endpoint Protection 11.0.7 Symantec Endpoint Protection 11.0.7.1 Symantec Endpoint Protection 11.0.7.2 Symantec Endpoint Protection 11.0.7.3 Symantec Endpoint Protection 11.0.3001 Symantec Endpoint Protection 11.0.6000 Symantec Endpoint Protection 11.0.6100 Symantec Endpoint Protection 11.0.6200 Symantec Endpoint Protection 11.0.6200.754 Symantec Endpoint Protection 11.0.6300 Symantec Endpoint Protection 11.0.7000 Symantec Endpoint Protection 11.0.7100 Symantec Endpoint Protection 12.0 Symantec Endpoint Protection 12.0.122.192 Symantec Endpoint Protection 12.0.1001.95 Symantec Endpoint Protection 12.1.1 Symantec Endpoint Protection 12.1.1.1 Symantec Endpoint Protection 12.1.2 Symantec Endpoint Protection 12.1.2.1 Symantec Endpoint Protection 12.1.3 Symantec Endpoint Protection 12.1.4 Symantec Endpoint Protection 12.1.4.1 Symantec Endpoint Protection 12.1.4.1A Symantec Endpoint Protection 12.1.4.1B Symantec Endpoint Protection 12.1.4A Symantec Endpoint Protection 12.1.5 Symantec Endpoint Protection 12.1.6 Symantec Endpoint Protection 12.1.671 Symantec Endpoint Protection 12.1.671.4971 Symantec Endpoint Protection 12.1.1000 Symantec Endpoint Protection 12.1.1000.157 Symantec Endpoint Protection 12.1.1101.401 Symantec Endpoint Protection 12.1.2015.2015 Symantec Endpoint Protection 12.1.2100.2093 Symantec Endpoint Protection 12.1.3001.165 Symantec Endpoint Protection 12.1.4013.4013 Symantec Endpoint Protection 12.1.4023.4080 Symantec Endpoint Protection 12.1.4100.4126 Symantec Endpoint Protection 12.1.4104.4130 Symantec Endpoint Protection 12.1.4112.4156 Symantec Endpoint Protection 12.1.5337.5000 Symantec Endpoint Protection 12.1.6168.6000 Symantec Endpoint Protection 12.1.6306.6100 Symantec Endpoint Protection 12.1.6318.6100 Symantec Endpoint Protection 12.1.6465.6200 Symantec Endpoint Protection 12.1.6608.6300 Symantec Endpoint Protection 12.1.6867.6400 Symantec Endpoint Protection 12.1.7004.6500 Symantec Endpoint Protection 12.1.7061.6600 Symantec Endpoint Protection 12.1.7166.6700 Symantec Endpoint Protection 12.1.7266.6800 Symantec Endpoint Protection 12.1.7369.6900 Symantec Endpoint Protection 12.1.7384.6902 Symantec Endpoint Protection 12.1.7385.6902 Symantec Endpoint Protection 12.1.7445.7000 Symantec Endpoint Protection 12.1.7454.7000 Symantec Endpoint Protection 12.1.7510.7002 Symantec Endpoint Protection 14 Symantec Endpoint Protection 14.0	205

Common Weakness Enumeration (CWE)

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Common Attack Pattern Enumeration and Classification (CAPEC)

Leveraging Race Conditions
This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

NASL family	Windows
NASL id	SYMANTEC_ENDPOINT_PROT_CLIENT_SYMSA1454.NASL
description	The version of Symantec Endpoint Protection (SEP) Client installed on the remote host is 12.1.x prior to 12.1 RU6 MP10 or 14.0.x prior to 14.0 RU1 MP1. It is, therefore, affected by a multiple vulnerabilities as referenced in the advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	110778
published	2018-06-28
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/110778
title	Symantec Endpoint Protection Client 12.1.x < 12.1 RU6 MP10 / 14.0.x < 14.0 RU1 MP1 Multiple Vulnerabilities (SYMSA1454)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(110778); script_version("1.3"); script_cvs_date("Date: 2019/11/04"); script_cve_id("CVE-2018-5236", "CVE-2018-5237"); script_bugtraq_id(104198, 104199); script_name(english:"Symantec Endpoint Protection Client 12.1.x < 12.1 RU6 MP10 / 14.0.x < 14.0 RU1 MP1 Multiple Vulnerabilities (SYMSA1454)"); script_summary(english:"Checks the SEP Client version."); script_set_attribute(attribute:"synopsis", value: "The Symantec Endpoint Protection Client installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Symantec Endpoint Protection (SEP) Client installed on the remote host is 12.1.x prior to 12.1 RU6 MP10 or 14.0.x prior to 14.0 RU1 MP1. It is, therefore, affected by a multiple vulnerabilities as referenced in the advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); # https://support.symantec.com/en_US/article.SYMSA1454.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?70538a74"); # https://support.symantec.com/en_US/article.TECH103088.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bcc5e230"); script_set_attribute(attribute:"solution", value: "Upgrade to Symantec Endpoint Protection Client version 12.1 RU6 MP10 / 14.0 RU1 MP1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-5237"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/21"); script_set_attribute(attribute:"patch_publication_date", value:"2018/06/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/28"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:endpoint_protection"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("savce_installed.nasl"); script_require_keys("Antivirus/SAVCE/version"); script_require_ports(139, 445); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); app = 'Symantec Endpoint Protection Client'; display_ver = get_kb_item_or_exit('Antivirus/SAVCE/version'); edition = get_kb_item('Antivirus/SAVCE/edition'); if(get_kb_item('SMB/svc/ssSpnAv')) audit(AUDIT_INST_VER_NOT_VULN, "Symantec.cloud Endpoint Protection"); if (isnull(edition)) edition = ''; else if (edition == 'sepsb') app += ' Small Business Edition'; fixed_ver = NULL; if (display_ver =~ "^12\.1\.") fixed_ver = '12.1.7445.7000'; else if (display_ver =~ "^14\.0\.") fixed_ver = '14.0.3876.1100'; else audit(AUDIT_INST_VER_NOT_VULN, app, display_ver); if (ver_compare(ver:display_ver, fix:fixed_ver, strict:FALSE) == -1) { port = get_kb_item("SMB/transport"); if (!port) port = 445; report = '\n Product : ' + app + '\n Installed version : ' + display_ver + '\n Fixed version : ' + fixed_ver + '\n'; security_report_v4(severity:SECURITY_WARNING, port:port, extra:report); } else audit(AUDIT_INST_VER_NOT_VULN, app, display_ver);

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References