Symantec Fixes Privilege Escalation Flaw in Endpoint Protection

Symantec has fixed a local privilege escalation (LPE) security flaw affecting all Symantec Endpoint Protection versions prior to 14.2 RU2. The bug allows attackers who already have a foothold on a compromised device to escalate privileges and execute malicious code with SYSTEM privileges.

Symantec Endpoint Protection is a suite of security solutions including intrusion prevention, firewall, data loss prevention, and anti-malware capabilities for both desktop and server computers.

Not the first LPE bug reported to security vendors

This is not the first local privilege escalation issue that SafeBreach Labs security researcher Peleg Hadar, who also discovered the Symantec Endpoint Protection LPE, has reported to a security vendor this year.

Since August, Hadar has also found similar issues affecting Trend Micro’s Password Manager, Check Point Software’s Endpoint Security Initial Client, the free version of Bitdefender Antivirus, Avira’s Antivirus 2019 software, Avast Software’s AVG Antivirus and Avast Antivirus, and several McAfee Antivirus products.

Each of them could enable attackers to drop and execute malicious payloads persistently on systems running the unpatched versions, and to evade detection during later stages of an attack.

Trend Micro, Check Point Software, Bitdefender, Avira, Avast, and McAfee patched the flaws (tracked as CVE-2019-14684, CVE-2019-8461, CVE-2019-15295, CVE-2019-17449, CVE-2019-17093, and CVE-2019-3648) after receiving the researcher’s disclosure reports, with users receiving the fixes through the automatic update features built into the security products.

Privilege escalation flaw fixed by Symantec

The Symantec Endpoint Protection LPE bug, now tracked as CVE-2019-12758, requires potential attackers to already have Administrator privileges on the target to exploit it successfully, according to Hadar.

While the threat level of this particular vulnerability is not immediately apparent, DLL search-order hijacking bugs of this kind are commonly assigned medium- to high-severity CVSS 3.x base scores [12].

Attackers abuse DLL search-order hijacking issues such as this one as part of multi-stage attacks: after infiltrating a target’s machine, they use them to elevate permissions, compromise the device further, and establish persistence.

Upon successful exploitation, it can be used “to bypass Symantec’s Self-Defense mechanism and achieve defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into a process that is signed by Symantec and that runs as NT AUTHORITY\SYSTEM,” Hadar says.

Symantec addressed the LPE vulnerability in the Symantec Endpoint Protection 14.2 RU2 release issued on October 22, 2019.

Arbitrary unsigned DLL loading from CWD

Hadar says that CVE-2019-12758 is caused by the security solution attempting to load a DLL from its current working directory (CWD) rather than from the DLL’s actual location, combined with a failure to validate that the DLL it loads is signed with a digital certificate.

The researcher found that the Symantec SepMasterService service, a signed process running as NT AUTHORITY\SYSTEM, attempts to import DSPARSE.dll from its CWD, the C:\Windows\SysWow64\Wbem directory, instead of from the DLL’s actual location in the SysWow64 folder.

By exploiting this bug, an attacker who already has Administrator privileges on the system (the Wbem directory is not writable by standard users) can load an arbitrary unsigned DLL into the SepMasterService process, thus bypassing Symantec Endpoint Protection’s self-defense mechanism.

As part of a proof-of-concept (PoC) demonstration, Hadar planted an unsigned 32-bit proxy DLL in the SysWow64\Wbem folder and had it loaded and executed inside a Symantec Corporation-signed process running as NT AUTHORITY\SYSTEM, circumventing Symantec Endpoint Protection’s self-defense mechanism just as expected.
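The search-order hijack described above is easiest to spot by watching which directories a process probes for a DLL before it finds one: a probe that fails with NAME NOT FOUND in a directory that is searched before the real DLL is a planting spot. The script below is an added example (not SafeBreach’s or Symantec’s code) that triages a Process Monitor CSV export for exactly that pattern. The column names follow ProcMon’s CSV export; the sample rows, the process name sample_service.exe, the PID and the timestamps are constructed for the example, and the admin-writability check is a simple path-prefix heuristic rather than a real ACL lookup.

```python
"""Triage a Process Monitor CSV export for DLL search-order hijacking candidates.

A process that probes for a DLL in a directory where the file does not exist
(NAME NOT FOUND) will load a planted copy from there on the next run, provided
that directory is searched before the directory holding the real DLL. This
script lists such probes outside the system DLL directories and, for each,
where the DLL was actually mapped from and whether planting a file in the
probed directory would need administrative rights.
"""
import csv
import io
import ntpath

# Directories Windows ships system DLLs from (a 32-bit process sees SysWOW64).
# Exact match on purpose: C:\Windows\SysWow64\Wbem is NOT C:\Windows\SysWow64,
# and that distinction is the whole bug.
TRUSTED_DLL_DIRS = frozenset({r"c:\windows\system32", r"c:\windows\syswow64"})

# Directory trees that only administrators can write to on a default install
# (heuristic; a real audit would read the directory ACL).
ADMIN_ONLY_PREFIXES = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")

# Constructed sample rows (not real ProcMon output) in the column layout of a
# Process Monitor CSV export. Process name, PID and timestamps are made up; the
# Wbem -> SysWow64 sequence mirrors the DSPARSE.dll case described in the article.
SAMPLE_PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","sample_service.exe","1234","CreateFile","C:\\Windows\\SysWow64\\Wbem\\DSPARSE.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.101","sample_service.exe","1234","CreateFile","C:\\Windows\\SysWow64\\DSPARSE.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.102","sample_service.exe","1234","Load Image","C:\\Windows\\SysWow64\\DSPARSE.dll","SUCCESS","Image Base: 0x74000000"
"10:01:02.500","sample_service.exe","1234","CreateFile","C:\\Users\\Public\\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.000","svchost.exe","800","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
'''


def _dir_of(path):
    """Lower-cased directory component of a Windows path (ntpath works off-Windows too)."""
    return ntpath.dirname(path).lower()


def is_trusted_dll_dir(path):
    """True if the file sits directly in a system DLL directory."""
    return _dir_of(path) in TRUSTED_DLL_DIRS


def needs_admin_to_plant(directory):
    """Heuristic: planting a file under Windows or Program Files needs admin rights."""
    d = directory.lower()
    return any(d == p or d.startswith(p + "\\") for p in ADMIN_ONLY_PREFIXES)


def loaded_from(procmon_csv, pid, dll_name):
    """Directory the DLL was finally mapped from (Load Image / SUCCESS), or None if
    the process never loaded it (a missing optional DLL is still a candidate)."""
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if (row["PID"] == pid and row["Operation"] == "Load Image"
                and row["Result"] == "SUCCESS"
                and ntpath.basename(row["Path"]).lower() == dll_name.lower()):
            return _dir_of(row["Path"])
    return None


def find_hijack_candidates(procmon_csv):
    """One dict per (process, pid, dll, directory) where a process probed for a DLL
    that did not exist, outside the trusted system DLL directories."""
    seen = set()
    hits = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        if row["Operation"] not in ("CreateFile", "Load Image"):
            continue
        if row["Result"] not in ("NAME NOT FOUND", "PATH NOT FOUND"):
            continue
        if is_trusted_dll_dir(path):
            continue
        key = (row["Process Name"], row["PID"], ntpath.basename(path).lower(), _dir_of(path))
        if key in seen:          # ProcMon logs the same probe many times; report once
            continue
        seen.add(key)
        hits.append({
            "process": key[0], "pid": key[1], "dll": key[2], "probed_dir": key[3],
            "loaded_from": loaded_from(procmon_csv, key[1], key[2]),
            "needs_admin": needs_admin_to_plant(key[3]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_hijack_candidates(SAMPLE_PROCMON_CSV):
        print(f"{hit['process']} (PID {hit['pid']}) probed {hit['dll']} in {hit['probed_dir']}; "
              f"loaded from: {hit['loaded_from']}; planting needs admin: {hit['needs_admin']}")
```

On a real system, run Process Monitor filtered on the service process, export the trace as CSV and feed the file to find_hijack_candidates; the DSPARSE.dll row shows the pattern from the article (probed in Wbem first, loaded from SysWow64), and the needs_admin flag is why this particular bug is only an Administrator-to-SYSTEM step. On the vendor side, the fix pattern for this bug class is to load system DLLs by absolute path or with LoadLibraryEx and the LOAD_LIBRARY_SEARCH_SYSTEM32 flag, and to verify the Authenticode signature before mapping anything into a process running as SYSTEM.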

Proof of concept (image: SafeBreach Labs)

“The vulnerability gives attackers the ability to load and execute malicious payloads within the context of a Symantec-signed process,” Hadar states.

“This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass. The Antivirus might not detect the attacker’s binary, because it tries to load it without any verification against it.”

Exploiting CVE-2019-12758 on machines running vulnerable versions of Symantec Endpoint Protection could also allow attackers to load and launch malicious code every time the Symantec services start, giving them persistence across system reboots.

More information on how the LPE flaw was discovered, a comprehensive analysis of its root cause, and a complete disclosure timeline are available at the end of Hadar’s report.