Explaining this local privilege escalation vulnerability in a blog post, the researchers stated,
We found a service (SepMasterService) of the Symantec Endpoint Protection which is running as signed process and as NT AUTHORITY\SYSTEM, which is trying to load the following DLL which doesn’t exist: c:\Windows\SysWOW64\wbem\DSPARSE.dllThus, it became possible for an attacker to execute code by uploading an arbitrary DLL while bypassing the self-defense mechanism. The researchers have shared the proof-of-concept for the exploit in their report. As stated,
We were able to load an arbitrary Proxy DLL (which loaded another arbitrary DLL) and execute our code within a service’s process which is signed by Symantec Corporation as NT AUTHORITY\SYSTEM.Consequently, exploiting this bug could allow an attacker to gain SYSTEM access, bypass app whitelisting, and persistently run malicious codes.
Recently, Symantec has issued a fix for this vulnerability assigned with CVE number CVE-2019-12758. The fix for the LPE flaw is already available with Symantec Endpoint Protection 14.2 RU2 release. Hence, the users must ensure upgrading their systems to the patched version to stay protected from potential attacks.
Recently, SafeBreach Labs has also reported vulnerabilities in other critical programs, including all editions of McAfee Antivirus, Check Point’s Endpoint Security Initial Client software for Windows, and Bitdefender Antivirus Free 2020.
Let us know your thoughts in the comments.