Symantec Critical System Protection 5.2.9.x < 5.2.9 MP6 Multiple Vulnerabilities (SYM15-001 / SYM16-009)

high Nessus Plugin ID 80911

Synopsis

The remote windows host has a security application installed that is affected by multiple vulnerabilities.

Description

The version of Symantec Critical System Protection (SCSP) installed on the remote Windows host is 5.2.9.x prior to 5.2.9 MP6. It is, therefore, affected by multiple vulnerabilities :

- A remote code execution vulnerability exists in the Management Server Agent Control Interface due to improper sanitization of user-uploaded files. An authenticated, remote attacker can exploit this, by uploading a log file, to execute arbitrary script code with the privileges of the web server. (CVE-2014-3440)

- A SQL injection (SQLi) vulnerability exists in the management server due to the /sis-ui/authenticate script not properly sanitizing user-supplied input to the 'ai' POST parameter. An unauthenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting in the manipulation or disclosure of arbitrary data. (CVE-2014-7289)

- Multiple cross-site scripting (XSS) vulnerabilities exist in the management server in the WCUnsupportedClass.jsp script and SSO-Error.jsp script due to improper validation of user-supplied input to the 'classname' and 'ErrorMsg' GET parameters. An unauthenticated, remote attacker can exploit this to execute arbitrary script code in a user's browser session. (CVE-2014-9224)

- An information disclosure vulnerability exists in the management server due to a failure to properly restrict internal server information. An authenticated, remote attacker can exploit this, via a direct request to the environment.jsp script, to disclose sensitive server information. (CVE-2014-9225)

- A privilege escalation vulnerability exists due to a failure to sufficiently restrict access to certain host functionality. A local attacker can exploit this to bypass protection policies and gain elevated privileges.
(CVE-2014-9226)

- A SQL injection (SQLi) vulnerability exists in the management server due to improper sanitization of user-supplied input. An authenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting in the manipulation or disclosure of arbitrary data. (CVE-2015-8157)

- A path traversal issue exists due to improper sanitization of user-supplied input. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code.
(CVE-2015-8798)

- A path traversal issue exists that allows an authenticated, remote attacker to write update-package data to arbitrary agent locations, resulting in the execution of arbitrary code. (CVE-2015-8799)

- An unspecified flaw exists that is triggered when handling process calls written to a specific named pipe.
An authenticated, remote attacker can exploit this to inject arbitrary arguments. (CVE-2015-8800)

Solution

Upgrade to Symantec Critical System Protection 5.2.9 MP6 or later.
Alternatively, apply the workarounds referenced in the vendor advisories.

See Also

http://www.nessus.org/u?0364a137

http://www.nessus.org/u?520cb017

Plugin Details

Severity: High

ID: 80911

File Name: symantec_critical_system_protection_sym15-001.nasl

Version: 1.12

Type: local

Agent: windows

Family: Windows

Published: 1/22/2015

Updated: 11/25/2019

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C

CVSS Score Source: CVE-2014-3440

Vulnerability Information

CPE: cpe:/a:symantec:critical_system_protection

Required KB Items: installed_sw/Symantec Critical System Protection

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/19/2015

Vulnerability Publication Date: 1/19/2015

Reference Information

CVE: CVE-2014-3440, CVE-2014-7289, CVE-2014-9224, CVE-2014-9225, CVE-2014-9226, CVE-2015-8157, CVE-2015-8798, CVE-2015-8799, CVE-2015-8800

BID: 72091, 72092, 72093, 72094, 72095, 90884, 90885, 90886, 90889

EDB-ID: 35915

IAVA: 2016-A-0211

CWE: 20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990