This article provides information about the SYM14-013 Symantec Endpoint Protection client elevation of privilege vulnerability.
On July 29, 2014, Offensive Security reported on their website that they had identified an escalation of privilege vulnerability within Symantec Endpoint Protection (SEP). For additional information on the SYM14-013 vulnerability, read the Symantec Security Response SYM14-013 Security Advisory.
Symantec product engineers have verified these issues and have released critical updates to resolve them. Currently Symantec is not aware of exploitation of or adverse impact on our customers due to this issue.
The issue, as reported, affects the Application and Device Control component of Symantec Endpoint Protection. This vulnerability is not accessible remotely and only affects SEP clients actually running Application and Device Control. If the vulnerability is exploited by accessing the computer directly, it could result in a client crash, denial of service, or, if successful, escalation to admin privileges and control of the computer.
This vulnerability affects all versions of Symantec Endpoint Protection clients 11.x and 12.x running Application and Device Control.
The Symantec Endpoint Protection Manager, Symantec Endpoint Protection SBE, SEP.cloud and Symantec Network Access Control are not affected.
Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1b (RU4 MP1b) is available currently in English on Symantec FileConnect. See Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control for additional instruction on downloading this release. All supported languages will be released to FileConnect as soon as they are available. This Knowledge Base article will be updated as further information becomes available. Please subscribe to this document to receive update notifications automatically.
This version updates the Symantec Endpoint Protection clients to 12.1.4112.4156 to address this issue. There are no updates to the Symantec Endpoint Protection Manager included with this release. This Symantec Endpoint Protection client update is a complete release and accepts migrations from any previous release of the Symantec Endpoint Protection 11.0 and 12.1 product line.
Symantec Endpoint Protection 12.1 for Small Business is not affected, so there are no updates to the product for this issue.
To mitigate this issue temporarily without migrating to RU4 MP1b, uninstall or disable the sysplant driver.
Note: Deploying an Application and Device Control (ADC) policy is not sufficient to re-enable the driver after it has been disabled. Repairing the installation, or upgrading to a later version, will re-enable the sysplant driver automatically.
- From the Symantec Endpoint Protection Manager (SEPM) console, withdraw the Application and Device Control policy (if applicable).
- Disable Tamper Protection, or configure it to allow the process for any tools or scripts used. See How to disable Tamper Protection in Symantec Endpoint Protection 12.1.
- At the local client, open a Windows command shell with administrative privileges.
- Enter the following command:
    sc config sysplant start= disabled
- Restart the client computer.
- From the SEPM console, enable Tamper Protection.
- From the SEPM console, click Admin > Install Packages, click Client Install Feature Set, and select Add Client Install Feature Set.
- Choose to remove Application and Device Control, and click OK.
- Navigate to Client Groups and select Add Install Packages.
- Uncheck Maintain Feature Set, and select the newly created feature set, once for 32-bit and once for 64-bit.
All SEP clients are moved to that new feature set without the ADC component installed.
For further details, see How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations.
- From the SEPM console, click Groups > Policy, and select the Application and Device Control (ADC) policy.
- Click Tasks and disable the ADC policy, then click Yes.
- Restart the SEP clients in order to fully disable the ADC policy.
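To confirm on a client that the sysplant mitigation described above has taken effect, the following PowerShell check can be saved as a .ps1 file and run locally. It is an added example, not Symantec's code: the function name Get-Sym14013Verdict and the -ClientVersion parameter are hypothetical, and the client version is assumed to be supplied by the operator.

```powershell
param(
    # Assumption: the operator supplies the installed SEP client version
    # (for example from inventory). Leave empty to check the driver only.
    [string]$ClientVersion
)

# Fixed client build named in the article (RU4 MP1b).
$FixedVersion = [version]'12.1.4112.4156'

function Get-Sym14013Verdict {
    param([string]$StartMode, [string]$State, [string]$ClientVersion)

    # A client at or above the fixed build needs no driver workaround.
    if ($ClientVersion -and ([version]$ClientVersion -ge $FixedVersion)) {
        return 'Patched: client is at or above 12.1.4112.4156'
    }
    # No driver entry at all: the sysplant driver has been uninstalled.
    if (-not $StartMode) {
        return 'Mitigated: sysplant driver is not installed'
    }
    # Any start mode other than Disabled means the driver loads at boot or on demand.
    if ($StartMode -ne 'Disabled') {
        return "Exposed: sysplant start mode is $StartMode"
    }
    # "sc config ... start= disabled" does not unload a running driver;
    # the restart step in the procedure is what removes it from memory.
    if ($State -eq 'Running') {
        return 'Restart pending: sysplant is disabled but still loaded'
    }
    return 'Mitigated: sysplant is disabled and not loaded'
}

# Win32_SystemDriver is the standard WMI class for kernel drivers.
# The query returns nothing when the driver is not installed.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='sysplant'"

[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    StartMode = $drv.StartMode
    State     = $drv.State
    Verdict   = Get-Sym14013Verdict -StartMode $drv.StartMode -State $drv.State `
                                    -ClientVersion $ClientVersion
}
```

Run the check again after any repair or upgrade of the client that leaves it below the fixed build, since both actions re-enable the sysplant driver automatically.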