Date: Fri, 6 Dec 2019 09:37:03 +0000
From: Kyriakos Economou <keconomou@...titude.com>
To: "'fulldisclosure@...lists.org'" <fulldisclosure@...lists.org>, "'submissions@...ketstormsecurity.com'" <submissions@...ketstormsecurity.com>
Subject: [FD] Symantec Endpoint Security LPE CVE-2019-12750

Advisory

A malicious application can take advantage of a vulnerability in Symantec Endpoint Protection to leak privileged information and/or execute code with higher privileges, thus taking full control over the affected host.

Products Affected

Symantec Endpoint Protection v14.x < v14.2 (RU1)
Symantec Endpoint Protection v12.x < 12.1 (RU6 MP10)
Symantec Endpoint Protection Small Business Edition v12.x < 12.1 (RU6 MP10c)

https://support.symantec.com/us/en/article.SYMSA1487.html
https://labs.nettitude.com/blog/cve-2019-12750-symantec-endpoint-protection-local-privilege-escalation-part-1/

Timeline

Date of discovery: April 2019
Vendor informed: 18 April 2019
Vendor Acknowledged: 19 April 2019
Vendor Requested Extra Time: 19 April 2019
Advisory [1]: 31 July 2019
Nettitude blog [2]: 5 December 2019

References

1. https://support.symantec.com/us/en/article.SYMSA1487.html
2. https://labs.nettitude.com/blog/cve-2019-12750-symantec-endpoint-protection-local-privilege-escalation-part-1/

Kyriakos Economou
Senior Vulnerability Researcher
T: 0345 520 0085
E: keconomou@...titude.com
UK: 1 Jephson Court, Tancred Cl, Leamington Spa, CV31 3RZ