Security bod Stefan Viehböck has detailed holes in Symantec's data centre security platforms that the company plugged this week because they allowed hackers to gain privilege access to management servers.
The patches fix holes in the management server for
Symantec Critical System Protection (SCSP) 5.2.9 and its predecessor
Data Center Security: Server Advanced (SDCS:SA) 6.0.x and 6.0 MP1.
SEC Consult researcher Stefan Viehböck who found the
flaws said the products should not be used until a full security audit
"Attackers are able to completely compromise the
SDCS:SA Server as they can gain access at the system and database
level," Viehböck wrote in an advisory
"Furthermore attackers can manage all clients and their policies.
"It is highly recommended by SEC Consult not to use
this software until a thorough security review (SDCS:SA Server, SDCS:SA
Client Policies) has been performed by security professionals and all
identified issues have been resolved."
Hackers with access to the SDCS:SA server could
potentially pivot within the corporate network and could bypass client
Four flaws were reported including an unauthenticated
SQL injection (CVE-2014-7289) granting attackers read and write access
to database records and SYSTEM code execution privileges.
A reflected cross-site scripting (CVE-2014-9224) was
dug up allowing attackers to steal other users' sessions and gain access
to the admin interface.
Information disclosure (CVE-2014-9225) was possible
with a script that spewed internal server application data without
requiring authentication, including file paths on the web server, and
version information (OS, Java).
Multiple default security protection policy bypasses
were discovered that were tempered by the requirement for administrator
permissions. These included persistent code execution via Windows
Services; remote code execution via remote procedure call; extraction of
Windows passwords and hashes; privilege elevation via Windows
Installer, and privilege elevation and code execution via Windows
Proof of concept codes were published to exploit the respective vulnerabilities, giving urgency to the need for customers to apply patches and work-arounds for those flaws yet unfixed.
Viehböck first tipped Symantec off to the holes in
November under a disclosure time line that appeared to run smoothly
between bug hunter and vendor.