Security bod Stefan Viehböck has detailed holes in Symantec's data centre security platforms that the company plugged this week because they allowed hackers to gain privilege access to management servers.
The patches fix holes in the management server for Symantec Critical System Protection (SCSP) 5.2.9 and its predecessor Data Center Security: Server Advanced (SDCS:SA) 6.0.x and 6.0 MP1.
SEC Consult researcher Stefan Viehböck who found the flaws said the products should not be used until a full security audit was conducted.
"Attackers are able to completely compromise the SDCS:SA Server as they can gain access at the system and database level," Viehböck wrote in an advisory
"Furthermore attackers can manage all clients and their policies.
"It is highly recommended by SEC Consult not to use this software until a thorough security review (SDCS:SA Server, SDCS:SA Client Policies) has been performed by security professionals and all identified issues have been resolved."
Hackers with access to the SDCS:SA server could potentially pivot within the corporate network and could bypass client protections.
Four flaws were reported including an unauthenticated SQL injection (CVE-2014-7289) granting attackers read and write access to database records and SYSTEM code execution privileges.
A reflected cross-site scripting (CVE-2014-9224) was dug up allowing attackers to steal other users' sessions and gain access to the admin interface.
Information disclosure (CVE-2014-9225) was possible with a script that spewed internal server application data without requiring authentication, including file paths on the web server, and version information (OS, Java).
Multiple default security protection policy bypasses were discovered that were tempered by the requirement for administrator permissions. These included persistent code execution via Windows Services; remote code execution via remote procedure call; extraction of Windows passwords and hashes; privilege elevation via Windows Installer, and privilege elevation and code execution via Windows Management Instrumentation.
Proof of concept code was published to exploit the respective vulnerabilities, giving urgency to the need for customers to apply patches and work-arounds for those flaws yet unfixed.
Viehböck first tipped Symantec off to the holes in November under a disclosure time line that appeared to run smoothly between bug hunter and vendor. ®