11.0.1

CVSS 4.4 - MEDIUM

Attack vector

LOCAL

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

local

symantec

CWE-269

nessus

NVD

Published: 2020-05-11

Updated: 2021-07-21

Summary

Symantec Endpoint Protection, prior to 14.3, can potentially reset the ACLs on a file as a limited user while Symantec Endpoint Protection's Tamper Protection feature is disabled.

Vulnerable Configurations

Part	Description	Count
Application	Symantec Symantec Endpoint Protection - Symantec Endpoint Protection 11 Symantec Endpoint Protection 11.0 Symantec Endpoint Protection 11.0.1 Symantec Endpoint Protection 11.0.2 Symantec Endpoint Protection 11.0.4 Symantec Endpoint Protection 11.0.7 Symantec Endpoint Protection 11.0.7.1 Symantec Endpoint Protection 11.0.7.2 Symantec Endpoint Protection 11.0.7.3 Symantec Endpoint Protection 11.0.3001 Symantec Endpoint Protection 11.0.6000 Symantec Endpoint Protection 11.0.6100 Symantec Endpoint Protection 11.0.6200 Symantec Endpoint Protection 11.0.6200.754 Symantec Endpoint Protection 11.0.6300 Symantec Endpoint Protection 11.0.7000 Symantec Endpoint Protection 11.0.7100 Symantec Endpoint Protection 12.0 Symantec Endpoint Protection 12.0.122.192 Symantec Endpoint Protection 12.0.1001.95 Symantec Endpoint Protection 12.1 Symantec Endpoint Protection 12.1.1 Symantec Endpoint Protection 12.1.1.1 Symantec Endpoint Protection 12.1.2 Symantec Endpoint Protection 12.1.2.1 Symantec Endpoint Protection 12.1.3 Symantec Endpoint Protection 12.1.4 Symantec Endpoint Protection 12.1.4.1 Symantec Endpoint Protection 12.1.4.1A Symantec Endpoint Protection 12.1.4.1B Symantec Endpoint Protection 12.1.4A Symantec Endpoint Protection 12.1.5 Symantec Endpoint Protection 12.1.6 Symantec Endpoint Protection 12.1.671 Symantec Endpoint Protection 12.1.671.4971 Symantec Endpoint Protection 12.1.1000 Symantec Endpoint Protection 12.1.1000.157 Symantec Endpoint Protection 12.1.1101.401 Symantec Endpoint Protection 12.1.2015.2015 Symantec Endpoint Protection 12.1.2100.2093 Symantec Endpoint Protection 12.1.3001.165 Symantec Endpoint Protection 12.1.4013.4013 Symantec Endpoint Protection 12.1.4023.4080 Symantec Endpoint Protection 12.1.4100.4126 Symantec Endpoint Protection 12.1.4104.4130 Symantec Endpoint Protection 12.1.4112.4156 Symantec Endpoint Protection 12.1.5337.5000 Symantec Endpoint Protection 12.1.6168.6000 Symantec Endpoint Protection 12.1.6306.6100 Symantec Endpoint Protection 12.1.6318.6100 Symantec Endpoint Protection 12.1.6465.6200 Symantec Endpoint Protection 12.1.6608.6300 Symantec Endpoint Protection 12.1.6867.6400 Symantec Endpoint Protection 12.1.7004.6500 Symantec Endpoint Protection 12.1.7061.6600 Symantec Endpoint Protection 12.1.7166.6700 Symantec Endpoint Protection 12.1.7266.6800 Symantec Endpoint Protection 12.1.7369.6900 Symantec Endpoint Protection 12.1.7384.6902 Symantec Endpoint Protection 12.1.7385.6902 Symantec Endpoint Protection 12.1.7445.7000 Symantec Endpoint Protection 12.1.7454.7000 Symantec Endpoint Protection 12.1.7510.7002 Symantec Endpoint Protection 14 Symantec Endpoint Protection 14.0 Symantec Endpoint Protection 14.0.0 Symantec Endpoint Protection 14.0.1 Symantec Endpoint Protection 14.2	223

Common Weakness Enumeration (CWE)

CWE-269 - Improper Privilege Management

Common Attack Pattern Enumeration and Classification (CAPEC)

Restful Privilege Elevation
Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.

Nessus

NASL family	Windows
NASL id	SYMANTEC_ENDPOINT_PROT_CLIENT_SYM_17-062.NASL
description	The version of Symantec Endpoint Protection (SEP) Client installed on the remote host is prior to 14.3. It is therefore affected by the following vulnerabilities: - An elevation of privilege vulnerability exists. An authenticated, local attacker can exploit this by resetting ACLs on a file as a limited user while the tamper feature is disabled, to gain elevated privileges. (CVE-2020-5836) - An elevation of privilege vulnerability exists. An authenticated, local attacker can exploit this by by writing to log files that are replaced by symbolic links to gain elevated privileges. (CVE-2020-5837) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-05-21
modified	2020-05-15
plugin id	136619
published	2020-05-15
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136619
title	Symantec Endpoint Protection Client < 14.3 Multiple Vulnerabilities (SYMSA1762)
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(136619); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/18"); script_cve_id("CVE-2020-5836", "CVE-2020-5837"); script_xref(name:"IAVA", value:"2020-A-0210"); script_name(english:"Symantec Endpoint Protection Client < 14.3 Multiple Vulnerabilities (SYMSA1762)"); script_set_attribute(attribute:"synopsis", value: "The version of Symantec Endpoint Protection Client installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Symantec Endpoint Protection (SEP) Client installed on the remote host is prior to 14.3. It is therefore affected by the following vulnerabilities: - An elevation of privilege vulnerability exists. An authenticated, local attacker can exploit this by resetting ACLs on a file as a limited user while the tamper feature is disabled, to gain elevated privileges. (CVE-2020-5836) - An elevation of privilege vulnerability exists. An authenticated, local attacker can exploit this by by writing to log files that are replaced by symbolic links to gain elevated privileges. (CVE-2020-5837) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); # https://support.broadcom.com/security-advisory/security-advisory-detail.html?notificationId=SYMSA1762 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?54057529"); script_set_attribute(attribute:"solution", value: "Upgrade to Symantec Endpoint Protection Client version 14.3 or later."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-5837"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/05/11"); script_set_attribute(attribute:"patch_publication_date", value:"2020/05/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:endpoint_protection"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("savce_installed.nasl"); script_require_keys("Antivirus/SAVCE/version"); script_require_ports(139, 445); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); app = 'Symantec Endpoint Protection Client'; display_ver = get_kb_item_or_exit('Antivirus/SAVCE/version'); edition = get_kb_item('Antivirus/SAVCE/edition'); if(get_kb_item('SMB/svc/ssSpnAv')) audit(AUDIT_INST_VER_NOT_VULN, "Symantec.cloud Endpoint Protection"); if (isnull(edition)) edition = ''; else if (edition == 'sepsb') app += ' Small Business Edition'; fixed_ver = 14.3.558.0000; if (ver_compare(ver:display_ver, fix:fixed_ver, strict:FALSE) == -1) { port = get_kb_item("SMB/transport"); if (!port) port = 445; report = '\n Product : ' + app + '\n Installed version : ' + display_ver + '\n Fixed version : ' + fixed_ver + '\n'; security_report_v4(severity:SECURITY_WARNING, port:port, extra:report); } else audit(AUDIT_INST_VER_NOT_VULN, app, display_ver);

References

https://support.broadcom.com/security-advisory/security-advisory-detail.html?notificationId=SYMSA1762