As we promised yesterday, today we are revealing another crucial vulnerability which plagues a product from a reputable vendor. This vendor is Symantec, and the affected product is Endpoint Protection. The flaw that was discovered by SafeBreach Labs, who was kind enough to share it with us beforehand, is given the identifier “CVE-2019-12758”. The vulnerability is again based on the loading of an arbitrary unsigned DLL into a process that is signed by Symantec and runs as NT Authority\System. The practical implications of this include defense evasion, threat persistence, and privilege escalation potential.

Symantec Endpoint Protection is a security software suite that is deployed in many high-risk environments, helping administrators set up intrusion-prevention systems. It also provides firewall features that can help keep dangers outside server farms or desktop computers. The particular product is the most popular endpoint security solution out there, so we’re talking about a vulnerability that affects many thousands.

As was the case with other security products that we discussed in the recent past, the Symantec Endpoint Protection software is running a signed process as NT Authority\System, trying to load a specific DLL file without any validation. The SafeBreach team has developed a PoC (proof of concept) in the form of a 32-bit proxy DLL which can write the required filename, username, and parent process name, essentially turning Symantec’s software into a persistent threat for the victim. This is because an actor could execute any code they would like through the unsigned DLL, and have it run at maximum system privileges, completely bypassing the self-defense mechanism of the product.
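The bug class above (a signed SYSTEM process loading a DLL it never validates) is something an administrator can audit for on their own hosts. The script below is an added example, not code from SafeBreach or Symantec: it lists every module loaded by a named process, checks each one's Authenticode signature, and flags modules that are unsigned or that were loaded from a directory writable by ordinary users. The process name is an assumed parameter, since this page does not name the affected binary; run it from an elevated shell, as module lists of SYSTEM processes are not readable otherwise.

```powershell
# Added audit example (not from the page or the vendor). Assumed parameter:
# the name of the signed service process to inspect, e.g. -ProcessName "svchost".
param(
    [Parameter(Mandatory)] [string] $ProcessName
)

$findings = foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
    try { $modules = $proc.Modules } catch { Write-Warning "Cannot read modules of PID $($proc.Id): $_"; continue }
    foreach ($mod in $modules) {
        $path = $mod.FileName
        if (-not $path) { continue }

        # Authenticode check: anything other than 'Valid' is worth a look.
        $sig = Get-AuthenticodeSignature -FilePath $path

        # Can non-administrators write to the directory the DLL was loaded from?
        # A writable load directory is the precondition for planting a proxy DLL.
        $acl = Get-Acl -Path (Split-Path $path -Parent)
        $userWritable = [bool]($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl' -and
            $_.IdentityReference.Value -match 'Users|Everyone|Authenticated Users'
        })

        [pscustomobject]@{
            Process         = $proc.ProcessName
            Pid             = $proc.Id
            Module          = $path
            SigStatus       = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            UserWritableDir = $userWritable
        }
    }
}

# Report only the risky rows: unsigned/invalid modules, or modules from user-writable directories.
$findings |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.UserWritableDir } |
    Sort-Object Module -Unique |
    Format-Table Process, Pid, SigStatus, UserWritableDir, Module -AutoSize
```

An empty report means every loaded module carried a valid signature and came from a directory only administrators can write to; any flagged row is a candidate for the loading pattern described above and should be checked against the vendor's fix.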