SecurityTracker.com
Category:   Application (Security)  >   Symantec Endpoint Protection
Vendors:   Symantec
Symantec Endpoint Protection Multiple Bugs Let Remote Users Conduct Cross-Site Scripting, Cross-Site Request Forgery, Server-Side Request Forgery, Security Bypass, File Disclosure, and Open Redirect Attacks
SecurityTracker Alert ID:  1036196
SecurityTracker URL:  http://securitytracker.com/id/1036196
CVE Reference:   CVE-2015-8801, CVE-2016-3647, CVE-2016-3648, CVE-2016-3649, CVE-2016-3650, CVE-2016-3651, CVE-2016-3652, CVE-2016-3653, CVE-2016-5304, CVE-2016-5305, CVE-2016-5306, CVE-2016-5307
Date:  Jun 29 2016
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Host/resource access via network, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 12.1
Description:   Multiple vulnerabilities were reported in Symantec Endpoint Protection. A remote user can conduct cross-site request forgery and server-side request forgery attacks. A remote user can view files on the target system. A local user can bypass security restrictions. A remote user can redirect the target user's browser to an arbitrary site. A remote authenticated user can obtain passwords on the target system. A remote authenticated user can bypass security restrictions. A remote user can conduct cross-site scripting attacks.

A remote user can create a specially crafted HTML page or URL that, when loaded by the target authenticated user, will take actions on the target management interface acting as the target user [CVE-2016-3653].

The management console does not properly validate user-supplied input. A remote authenticated user can supply a specially crafted request to view files on the target system that are located in the web root directory [CVE-2016-5307].

A remote user can create a URL that, when loaded by the target user, will redirect the target user's browser to an arbitrary site [CVE-2016-5304].

A remote authenticated user can send specially crafted data to view passwords on the target system [CVE-2016-3650].

The management script code does not properly filter HTML code from user-supplied input before displaying the input [CVE-2016-3652, CVE-2016-5305]. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Symantec Endpoint Protection software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can exploit a flaw in the authentication interface to bypass access controls and cause the server to connect to arbitrary ports on arbitrary hosts [CVE-2016-3647].

A remote authenticated user can bypass the account lock threshold limits to conduct a brute-force password guessing attack [CVE-2016-3648].

A remote authenticated administrator can supply specially crafted HTTP GET requests to obtain information about other system administrator accounts [CVE-2016-3649].

A remote authenticated user on the local network can obtain PHP JSESSIONID values to hijack user sessions [CVE-2016-3651].

HTTP Strict Transport Security was not properly enabled on the listening port (TCP port 8445) [CVE-2016-5306]. A remote user may be able to conduct information leakage or redirection attacks.
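
To confirm after patching that the console on TCP port 8445 sends an effective HSTS policy, the response headers can be checked against the RFC 6797 processing rules. The following is an added example, not part of the original advisory or the vendor's code; the header sets are constructed and the MIN_AGE floor is an assumed local policy value.

```python
# Added example: audits a Strict-Transport-Security header the way a browser
# would process it (RFC 6797). Inputs are (scheme, [(header, value), ...]).
MIN_AGE = 15552000  # assumed local policy floor (180 days), not from the advisory


def parse_hsts(value):
    """Split a header value into lower-cased directives; reject duplicates."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue  # tolerate empty segments such as a trailing ';'
        if name in directives:
            raise ValueError("duplicate directive " + name)
        directives[name] = arg.strip().strip('"')  # max-age may be quoted
    return directives


def audit_hsts(scheme, headers):
    """Return a list of findings; an empty list means the policy is effective."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["missing"]
    if scheme != "https":
        return ["ignored-over-http"]  # browsers discard HSTS sent over plain HTTP
    # Only the first header is honoured when several are present.
    findings = ["multiple-headers"] if len(values) > 1 else []
    try:
        age = parse_hsts(values[0]).get("max-age", "")
    except ValueError:
        return findings + ["malformed"]
    if not (age.isascii() and age.isdigit()):
        return findings + ["malformed"]  # max-age is mandatory and numeric
    if int(age) == 0:
        findings.append("policy-cleared")  # max-age=0 removes a stored policy
    elif int(age) < MIN_AGE:
        findings.append("short-max-age")
    return findings


# Constructed sample responses, labelled by what they demonstrate.
GOOD = ("https", [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")])
NO_HEADER = ("https", [("Server", "example")])
PLAIN_HTTP = ("http", [("strict-transport-security", "max-age=31536000")])
NO_MAX_AGE = ("https", [("Strict-Transport-Security", "includeSubDomains")])
```
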

A physically local user on a client system can exploit a race condition between when a USB drive is inserted and when the device manager exercises access control over the external device to download potentially sensitive files to the USB device or potentially upload files from the USB device to the target system [CVE-2015-8801].

Huy-Ngoc Dau with Deloitte France, John Page aka hyp3rlinx, Josh Meyer with the MITRE Corporation, Che Lin Law with MWR InfoSecurity, and Chris Salerno with Security Risk Advisors reported these vulnerabilities.

Impact:   A remote user can take actions on the target system acting as the target authenticated user.

A remote user can view files on the target system.

A local user can bypass security controls on the target system.

A remote user can cause the target user's browser to be redirected to an arbitrary web site.

A remote authenticated user can obtain passwords on the target system.

A remote authenticated user can bypass security controls on the target system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Symantec Endpoint Protection software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can cause the target server to connect to arbitrary ports on arbitrary hosts.

Solution:   The vendor has issued a fix (12.1-RU6-MP5).

The vendor's advisory is available at:

https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_01

Vendor URL:  www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_01
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


Copyright 2019, SecurityGlobal.net LLC