====================================================================

                             CERT-Renater

                  Note d'Information No. 2012/VULN496
____________________________________________________________________

DATE                : 21/12/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Symantec ESM Manager/Agent.

======================================================================
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20121213_00
______________________________________________________________________


Security Advisories Relating to Symantec Products - Symantec Enterprise
Security Manager Manager/Agent Local Elevation of Privilege
SYM12-020 December 13, 2012

Revisions None


Severity

CVSS2 		Impact 		Exploitability 	CVSS2 Vector
Base Score

ESM Manager/Agent unquoted search path local elevation of privilege - Medium

6.8 		10.0 		3.1 		AV:L/AC:L/AU:S/C:C/I:C/A:C


Overview

Symantec's Enterprise Security Manager (ESM) for Windows has an
unquoted search path in the Manager and Agent components. This could
allow a non-privileged local user, able to successfully insert
arbitrary code in the root path, to potentially execute their code with
elevated privileges during system startup or reboot.

Affected Products

Product			Version		Build	Solution(s)

Symantec Enterprise 	10.x and prior	All	Install or upgrade
                                                managers
Security Manager for		               to CCS 11.0 or later, or,
Windows						apply Security Update
                                                SU44 for Windows ESM
                                                Manager and Agent which
                                                has a check to fix
						exiting pre-11 Windows
						managers and agents.

Symantec Enterprise  10.x and prior  All Install or upgrade managers to
Security Manager Agent 			  CCS 11.0 or later, or, apply
for Windows			          Security Update SU44 for
					  Windows ESM Manager and Agent
					  which has a check to fix
					  exiting pre-11 Windows
					  managers and agents.

					  A patched MSI installer for
                                          the 10.0 agent is available
                                          for new agent installations
                                          if upgrade to 11.0 isnt
                                          possible at this time.


Products Not Affected

Product						Version

Symantec Control Compliance Suite for Windows	11.0

Symantec Control Compliance Suite and
Enterprise Security Manager for Linux and Unix	All


Details

Symantec was notified of an unquoted search path issue impacting the
ESM manager and agents for Windows deployed as part of Symantecs
Enterprise Security Manager. This could potentially allow an authorized
but non-privileged local user to execute arbitrary code with elevated
privileges on the system.  A successful targeting attempt would require
the local user to be able to insert their code in the system root path
undetected by the OS or other security applications where it could
potentially be executed during application startup or reboot.  If
successful, the local users code would execute with the elevated
privileges of the application.


Symantec Response

Symantec product engineers verified the reported issue and have released
Security Update SU44 to address this issue.

A patched MSI installer for 10.0 agents is also available for new agent
installations if upgrade to 11.0 isnt possible at this time. Go to
https://www.symantec.com/security_response/securityupdates/list.jsp?fid=esm&pvid=pu
to download the updated installer

Symantec is not aware of exploitation of or adverse customer impact from
this issue.


Update Information

     Download SU44 via LiveUpdate or from the SU44 link provided
     Once SU44 is applied,
     Run the Check ESM Service ImagePath check


Best Practices

As part of normal best practices, Symantec strongly recommends:

     * Restrict access to administration or management systems to
privileged users.
     * Restrict remote access, if required, to trusted/authorized
systems only.
     * Run under the principle of least privilege where possible to
limit the impact of exploit by threats.
     * Keep all operating systems and applications updated with the
latest vendor patches.
     * Follow a multi-layered approach to security. Run both firewall
and anti-malware applications, at a minimum, to provide multiple points
of detection and protection to both inbound and outbound threats.
     * Deploy network and host-based intrusion detection systems to
monitor network traffic for signs of anomalous or suspicious activity.
This may aid in detection of attacks or malicious activity related to
exploitation of latent vulnerabilities


Credit

Symantec credits Gavin Jones with NCC Group Ltd for reporting this issue
and coordinating with us as we resolved it.


References

BID: Security Focus, http://www.securityfocus.com, has assigned Bugtraq
IDs (BIDs) to these issues for inclusion in the Security Focus
vulnerability database.

CVE: These issues are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

CVE		BID		Description
CVE-2012-4350	BID 56915	Symantec ESM Manager/Agent unquoted search
				path

Symantec takes the security and proper functionality of our products
very seriously. As founding members of the Organization for Internet
Safety (OISafety), Symantec supports and follows responsible disclosure
guidelines.
Please contact secure@symantec.com if you feel you have discovered a
security issue in a Symantec product. A member of the Symantec Product
Security team will contact you regarding your submission to coordinate
any required response. Symantec strongly recommends using encrypted
email for reporting vulnerability information to secure@symantec.com.
The Symantec Product Security PGP key can be found at the location
below.

Symantec has developed a Product Vulnerability Response document
outlining the process we follow in addressing suspected vulnerabilities
in our products. This document is available below.


Copyright (c) by Symantec Corp.

Permission to redistribute this alert electronically is granted as long
as it is not edited in any way unless authorized by Symantec Product
Security.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com

Disclaimer

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.
Symantec, Symantec products, Symantec Product Security, and
secure@symantec.com are registered trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All
other registered and unregistered trademarks represented in this
document are the sole property of their respective companies/owners.

* Signature names may have been updated to comply with an updated IPS
Signature naming convention. See
http://www.symantec.com/business/support/index?page=content&id=TECH152794&key=54619&actp=LIST

for more information.

Last modified on: December 13, 2012


======================================================================

=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================