By Darren Pauli, 23rd January 2015 08:33

Symantec data centre security software has security holes

Stop face-palming and start patching - the fixes are out there

Security bod Stefan Viehböck has detailed holes in Symantec's data centre security platforms, patched by the company this week, that allowed attackers to gain privileged access to the management server.

The patches fix holes in the management server for Symantec Critical System Protection (SCSP) 5.2.9 and its successor, Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x and 6.0 MP1.

SEC Consult researcher Stefan Viehböck, who found the flaws, said the products should not be used until a full security audit has been conducted.

"Attackers are able to completely compromise the SDCS:SA Server as they can gain access at the system and database level," Viehböck wrote in an advisory.

"Furthermore, attackers can manage all clients and their policies.

"It is highly recommended by SEC Consult not to use this software until a thorough security review (SDCS:SA Server, SDCS:SA Client Policies) has been performed by security professionals and all identified issues have been resolved."

Attackers who compromise the SDCS:SA server could pivot within the corporate network and, because the server manages client policies, bypass the protections enforced on managed clients.

Four classes of flaw were reported, including an unauthenticated SQL injection (CVE-2014-7289) that grants attackers read and write access to database records and code execution with SYSTEM privileges.
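To show what "read and write access to database records" means for an injection of this kind, here is a constructed example of a management-server lookup and policy update built by string concatenation, beside the parameterised fix. This is example code written for this article, not Symantec's code or SEC Consult's proof of concept; the table layout, function names, payloads and sample rows are assumptions, and the in-memory SQLite database stands in for the product's real database.

```python
"""Constructed SQL injection demonstration: vulnerable lookup/update
functions beside their parameterised fixes.  Example code, not the
product's own; schema, names and data are assumptions."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE agents (name TEXT, policy TEXT);
        CREATE TABLE admins (username TEXT, password_hash TEXT);
        INSERT INTO agents VALUES ('web01', 'baseline'), ('db01', 'strict');
        INSERT INTO admins VALUES ('admin', 'hash-of-admin-password');
        """
    )
    return db


def lookup_agent_vulnerable(db: sqlite3.Connection, name: str) -> list:
    # Attacker-controlled input is spliced into the statement text, so a
    # crafted name can append a UNION that reads other tables.
    sql = f"SELECT name, policy FROM agents WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def lookup_agent_fixed(db: sqlite3.Connection, name: str) -> list:
    # Parameter binding: the input is passed as data, never as SQL text.
    return db.execute(
        "SELECT name, policy FROM agents WHERE name = ?", (name,)
    ).fetchall()


def set_policy_vulnerable(db: sqlite3.Connection, name: str, policy: str) -> None:
    # Same defect on a write path: a crafted policy string can rewrite the
    # WHERE clause and change every agent's policy at once.
    sql = f"UPDATE agents SET policy = '{policy}' WHERE name = '{name}'"
    db.execute(sql)
    db.commit()


def set_policy_fixed(db: sqlite3.Connection, name: str, policy: str) -> None:
    db.execute("UPDATE agents SET policy = ? WHERE name = ?", (policy, name))
    db.commit()


def policies(db: sqlite3.Connection) -> dict:
    """Current agent -> policy mapping, for inspecting the effect of a write."""
    return dict(db.execute("SELECT name, policy FROM agents").fetchall())


# Constructed payloads.  The first closes the string literal and appends a
# UNION that pulls admin credentials; the "--" comments out the trailing
# quote.  The second turns a single-row UPDATE into an unconditional one.
READ_PAYLOAD = "x' UNION SELECT username, password_hash FROM admins --"
WRITE_PAYLOAD = "open' WHERE 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable read :", lookup_agent_vulnerable(db, READ_PAYLOAD))
    print("fixed read      :", lookup_agent_fixed(db, READ_PAYLOAD))
    set_policy_vulnerable(db, "web01", WRITE_PAYLOAD)
    print("after vulnerable write:", policies(db))
    db2 = make_db()
    set_policy_fixed(db2, "web01", WRITE_PAYLOAD)
    print("after fixed write     :", policies(db2))
```

The vulnerable read returns the admin credential row instead of an agent, and the vulnerable write sets every agent's policy to "open"; the parameterised versions return nothing for the crafted name and store the payload as a literal policy string on the single named agent. Whether a SQL injection also yields operating-system code execution, as the advisory states for this product, depends on the database engine and the privileges of the account the management server connects with, which is why the service account should never be SYSTEM or a database superuser.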

A reflected cross-site scripting flaw (CVE-2014-9224) allows attackers who can lure a logged-in user to a crafted link to steal that user's session and so gain access to the admin interface.

An information disclosure flaw (CVE-2014-9225) lets an unauthenticated caller request a script that returns internal application data, including file paths on the web server and OS and Java version information.

Multiple bypasses of the default protection policies were also discovered; these are tempered by the requirement for administrator permissions on the protected host. They include persistent code execution via Windows Services; remote code execution via remote procedure call (RPC); extraction of Windows passwords and hashes; privilege elevation via Windows Installer; and privilege elevation and code execution via Windows Management Instrumentation (WMI).

Proof-of-concept code for each vulnerability was published with the advisory, which makes it urgent for customers to apply the patches, and the recommended workarounds for the flaws that remain unfixed.

Viehböck first reported the holes to Symantec in November, under a disclosure timeline that appears to have run smoothly between researcher and vendor. ®
