This article provides information about the SYM14-013 Symantec Endpoint Protection client elevation of privilege vulnerability.
On July 29, 2014, Offensive Security reported on their website that they had identified an escalation of privilege vulnerability within Symantec Endpoint Protection (SEP). For additional information on the SYM14-013 vulnerability, read the Symantec Security Response SYM14-013 Security Advisory.
Symantec product engineers have verified these issues and have released critical updates to resolve them. Currently Symantec is not aware of exploitation of or adverse impact on our customers due to this issue.
The issue, as reported, affects the Application and Device Control component of Symantec Endpoint Protection. This vulnerability is not accessible remotely and only affects SEP clients actually running Application and Device Control. If the vulnerability is exploited by someone with direct (local) access to the computer, the result could be a client crash or denial of service, or, if exploitation succeeds, escalation to administrator privileges and control of the computer.
This vulnerability affects all versions of Symantec Endpoint Protection clients 11.x and 12.x running Application and Device Control.
The Symantec Endpoint Protection Manager, Symantec Endpoint Protection SBE, SEP.cloud and Symantec Network Access Control are not affected.
This release (RU4 MP1b) updates the Symantec Endpoint Protection clients to 12.1.4112.4156 to address this issue. There are no updates to the Symantec Endpoint Protection Manager included with this release. This Symantec Endpoint Protection client update is a complete release and accepts migrations from any previous release of the Symantec Endpoint Protection 11.0 and 12.1 product line.
Symantec Endpoint Protection 12.1 for Small Business is not affected, so there are no updates to the product for this issue.
To mitigate this issue temporarily without migrating to RU4 MP1b, uninstall or disable the sysplant driver.
Option 1 for SEP 12.1: Disable the Application and Device Control driver
Note: Deploying an Application and Device Control (ADC) policy is not sufficient to re-enable the driver after it has been disabled. Repairing the installation, or upgrading to a later version, will re-enable the sysplant driver automatically.
From the Symantec Endpoint Protection Manager (SEPM) console, withdraw the Application and Device Control policy (if applicable).
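Because the mitigation depends on the sysplant driver actually staying unloaded (and because, as noted above, a later ADC policy push will not silently re-enable it, but a repair or upgrade will), an administrator will want a quick way to audit a client for the driver's state. The following PowerShell function is an added example written for this article, not Symantec's own tooling or code. It assumes the kernel driver is registered with the service name `SysPlant` (the driver name used in the article) and that the driver binary's file version tracks the client build, which should be confirmed against the client's own version display before relying on it.

```powershell
# Added example (not from the Symantec article): audit a SEP 12.1 client for the
# SYM14-013 temporary mitigation, i.e. whether the sysplant (Application and Device
# Control) driver is present, loaded, and configured to start.
# Assumption: the driver's service name is "SysPlant"; change $ServiceName if it differs.

function Get-SysplantStatus {
    [CmdletBinding()]
    param([string]$ServiceName = 'SysPlant')

    # Win32_SystemDriver exposes kernel drivers registered with the Service Control Manager.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver `
                           -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue

    if (-not $drv) {
        # Driver not registered at all (uninstalled): the ADC component cannot load.
        return [pscustomobject]@{
            Host               = $env:COMPUTERNAME
            Present            = $false
            State              = 'NotInstalled'
            StartMode          = $null
            DriverFile         = $null
            FileVersion        = $null
            MitigationInEffect = $true
        }
    }

    # File version of the driver binary, for comparison with the fixed client build
    # 12.1.4112.4156 named in the article. Assumption: the driver file version follows
    # the client build; verify against the SEP client itself before acting on it.
    $ver = $null
    if ($drv.PathName -and (Test-Path -LiteralPath $drv.PathName)) {
        $ver = (Get-Item -LiteralPath $drv.PathName).VersionInfo.FileVersion
    }

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Present     = $true
        State       = $drv.State        # 'Running' or 'Stopped'
        StartMode   = $drv.StartMode    # 'Boot', 'System', 'Auto', 'Manual', 'Disabled'
        DriverFile  = $drv.PathName
        FileVersion = $ver
        # The mitigation holds only if the driver is not loaded now AND will not be
        # loaded again at the next boot; a stopped-but-Auto driver is not mitigated.
        MitigationInEffect = ($drv.State -ne 'Running' -and $drv.StartMode -eq 'Disabled')
    }
}

# Run locally; for a fleet, wrap in Invoke-Command against a list of client hosts.
Get-SysplantStatus | Format-List
```

`MitigationInEffect` is deliberately strict: a driver that is merely stopped will come back at the next reboot unless its start type is `Disabled`, so a report of `Stopped`/`Auto` means the workaround is incomplete. Clients reporting `Present = $true` with a file version below the fixed build, and `MitigationInEffect = $false`, are the ones still exposed and should be prioritised for the RU4 MP1b migration.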