Symantec has closed a critical hole in its Enterprise Security Manager
An update for the Symantec Enterprise Security Manager (ESM) closes a critical hole that may be exploited by attackers to gain full control over ESM systems. According to an advisory, the agents of all ESM versions prior to version 6.5.3 on nearly all operating system platforms are affected by this bug in the network upgrade function. Only the ESM agents for NetWare, OS/400 and OpenVMS are not vulnerable, since they do not support remote upgrades.
According to Symantec, the problem is caused by the upgrade function failing to verify that updates come from a trusted source. This allows attackers with network access to an ESM agent computer to send a manipulated update package that triggers a buffer overrun and injects arbitrary code, which the vulnerable ESM agent then executes with administrator rights.
Symantec now provides a signature fix upgrade for versions 6.5.x, 6.0 and 5.5, which implements a signature check for network upgrades to ensure that downloaded packages come from Symantec or another trusted source and have not been manipulated by an attacker. It seems, however, that this fix does not remedy the buffer overrun problem. Administrators using the unpatched version 6.5.3 should install the signature fix immediately or upgrade to the latest version. According to Symantec, the ESM managers must also be updated to ensure compatibility with the new agents, although they are not affected by this problem.
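The kind of check described above, sketched in Go as an added example (not Symantec's code): an agent accepts an upgrade only if a pinned key signed it, and still bounds-checks the declared length afterwards, since a signature alone does not fix a parser overrun. The package layout, the use of Ed25519, and the names `VerifyUpgrade` and `BuildPackage` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed layout (an assumption, not ESM's format): sig(64) | len(4, BE) | payload
const maxPayload = 1 << 20 // bound enforced before the payload is used
var (
	ErrTruncated = errors.New("package truncated")
	ErrUntrusted = errors.New("not signed by a trusted key")
	ErrLength    = errors.New("declared length invalid")
)

// VerifyUpgrade returns the payload only if a pinned key signed length+payload.
func VerifyUpgrade(pkg []byte, trusted []ed25519.PublicKey) ([]byte, error) {
	if len(pkg) < ed25519.SignatureSize+4 {
		return nil, ErrTruncated
	}
	sig, signed := pkg[:ed25519.SignatureSize], pkg[ed25519.SignatureSize:]
	for _, key := range trusted {
		if !ed25519.Verify(key, signed, sig) {
			continue // try the next pinned key
		}
		n := binary.BigEndian.Uint32(signed[:4]) // authentic, but still bounds-check it
		if n > maxPayload || int(n) != len(signed)-4 {
			return nil, ErrLength
		}
		return signed[4:], nil
	}
	return nil, ErrUntrusted
}

// BuildPackage is the signer-side counterpart, used here to construct sample input.
func BuildPackage(priv ed25519.PrivateKey, payload []byte) []byte {
	signed := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(signed, uint32(len(payload)))
	copy(signed[4:], payload)
	return append(ed25519.Sign(priv, signed), signed...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair
	payload, err := VerifyUpgrade(BuildPackage(priv, []byte("constructed payload")), []ed25519.PublicKey{pub})
	fmt.Println(string(payload), err)
}
```

The signature covers the length field as well as the payload, so neither can be altered in transit without the check failing.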
- Symantec Enterprise Security Manager Remote Upgrade Authentication Bypass, Advisory by Symantec