CVE-2012-0304

MEDIUM

Description

Symantec LiveUpdate Administrator before 2.3.1 uses weak permissions (Everyone: Full Control) for the installation directory, which allows local users to gain privileges via a Trojan horse file.

References

http://www.nessus.org/plugins/index.php?view=single&id=59193

http://www.securityfocus.com/bid/53903

http://www.securitytracker.com/id?1027182

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120615_00

Details

Source: MITRE

Published: 2012-06-22

Updated: 2013-04-02

Type: CWE-264

Risk Information

CVSS v2.0

Base Score: 6.9

Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 3.4

Severity: MEDIUM

Vulnerable Software

Configuration 1

cpe:2.3:a:symantec:liveupdate_administrator:1.5.3.21:*:*:*:*:*:*:*

cpe:2.3:a:symantec:liveupdate_administrator:1.5.4:*:*:*:*:*:*:*

cpe:2.3:a:symantec:liveupdate_administrator:1.5.7.19:*:*:*:*:*:*:*

cpe:2.3:a:symantec:liveupdate_administrator:2.1.0:*:*:*:*:*:*:*

cpe:2.3:a:symantec:liveupdate_administrator:2.1.2:*:*:*:*:*:*:*

cpe:2.3:a:symantec:liveupdate_administrator:2.1.3:*:*:*:*:*:*:*

cpe:2.3:a:symantec:liveupdate_administrator:2.2.1:*:*:*:*:*:*:*

cpe:2.3:a:symantec:liveupdate_administrator:2.2.2:*:*:*:*:*:*:*

cpe:2.3:a:symantec:liveupdate_administrator:2.2.2.9:*:*:*:*:*:*:*

cpe:2.3:a:symantec:liveupdate_administrator:*:*:*:*:*:*:*:* versions up to 2.3.0 (inclusive)

Tenable Plugins

View all (2 total)

ID	Name	Product	Family	Severity
59757	Symantec LiveUpdate Administrator < 2.3.2 Privilege Escalation (SYM12-009)	Nessus	CGI abuses	high
59193	Symantec LiveUpdate Administrator Insecure Permissions Local Privilege Escalation (credentialed check)	Nessus	Windows	high