Symantec now joins the growing list of vulnerable antivirus tools. Researchers have found a serious vulnerability in Symantec Endpoint Protection software. Exploiting this flaw could allow an attacker to execute code on the target system.
Symantec Endpoint Protection Vulnerability
Researchers from SafeBreach Labs have found a serious vulnerability in another antivirus program. This time, they have found the vulnerability in Symantec Endpoint Protection.
Explaining this local privilege escalation vulnerability in a blog post, the researchers stated,
We found a service (SepMasterService) of the Symantec Endpoint Protection which is running as signed process and as NT AUTHORITY\SYSTEM, which is trying to load the following DLL which doesn’t exist:
Thus, it became possible for an attacker to execute code by uploading an arbitrary DLL while bypassing the self-defense mechanism. The researchers have shared the proof-of-concept for the exploit in their report. As stated,
We were able to load an arbitrary Proxy DLL (which loaded another arbitrary DLL) and execute our code within a service’s process which is signed by Symantec Corporation as NT AUTHORITY\SYSTEM.
Consequently, exploiting this bug could allow an attacker to gain SYSTEM access, bypass app whitelisting, and persistently run malicious code.
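From a detection standpoint, the behaviour described above shows up as a module that is unsigned, or signed by an unexpected publisher, loading into a process running as NT AUTHORITY\SYSTEM. The following Python code is an added example, not code from SafeBreach or Symantec. It checks constructed Sysmon Event ID 7 (image load) records, and it assumes a Sysmon version whose image-load events carry the User field. All paths and signer names are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

def make_event(image, loaded, signed, signer, status, user=SYSTEM_USER):
    """Build one constructed Sysmon Event ID 7 (image load) record as XML."""
    fields = {"Image": image, "ImageLoaded": loaded, "Signed": signed,
              "Signature": signer, "SignatureStatus": status, "User": user}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>7</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample data: every path and signer name below is a placeholder.
SVC = r"C:\Program Files\ExampleAV\service.exe"
SAMPLE_EVENTS = [
    make_event(SVC, r"C:\Program Files\ExampleAV\engine.dll",
               "true", "Example Vendor Corp", "Valid"),
    make_event(SVC, r"C:\ExampleDir\proxy.dll", "false", "", "Unavailable"),
    make_event(SVC, r"C:\ExampleDir\second.dll",
               "true", "Other Publisher Ltd", "Valid"),
    make_event(r"C:\Users\alice\tool.exe", r"C:\Users\alice\plugin.dll",
               "false", "", "Unavailable", user=r"DESKTOP\alice"),
]

def suspicious_loads(events_xml, expected_signers):
    """Return (process, module, reason) for risky loads into SYSTEM processes."""
    findings = []
    for xml_text in events_xml:
        root = ET.fromstring(xml_text)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "7":
            continue
        d = {n.get("Name"): n.text or ""
             for n in root.findall("e:EventData/e:Data", NS)}
        if d.get("User") != SYSTEM_USER:
            continue  # only processes running as SYSTEM are in scope here
        valid = d.get("Signed", "").lower() == "true" and \
            d.get("SignatureStatus") == "Valid"
        if not valid:
            reason = "unsigned or invalid signature"
        elif d.get("Signature") not in expected_signers:
            reason = "signer not on allow-list"
        else:
            continue
        findings.append((d.get("Image"), d.get("ImageLoaded"), reason))
    return findings

if __name__ == "__main__":
    for hit in suspicious_loads(SAMPLE_EVENTS, {"Example Vendor Corp"}):
        print(hit)
```

The allow-list passed as `expected_signers` would need the operating system publisher and any other legitimate signers added before use on real telemetry.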
Symantec Issued A Fix
After discovering the bug, the researchers reported it to Symantec in August 2019, and the vendor confirmed it the next day.
Recently, Symantec issued a fix for this vulnerability, which is tracked as CVE-2019-12758. The fix for the LPE flaw is already available in the Symantec Endpoint Protection 14.2 RU2 release. Users should upgrade their systems to the patched version to stay protected from potential attacks.
Recently, SafeBreach Labs has also reported vulnerabilities in other critical programs, including all editions of McAfee Antivirus, Check Point’s Endpoint Security Initial Client software for Windows, and Bitdefender Antivirus Free 2020.