Symantec has recommended users update their systems in what it has described as a “routine advisory”.
In an advisory, Symantec warned that the management console for its Symantec Endpoint Protection (SEP) was susceptible to a number of security findings that could potentially result in an authorized, but less-privileged user gaining elevated access to the Management Console.
“SEPM contained a cross-site request forgery vulnerability that was the result of an insufficient security check in SEPM,” it said. “An authorized but less-privileged user could potentially include arbitrary code in authorized logging scripts. When submitted to SEPM, successful execution could possibly result in the user gaining unauthorized elevated access to the SEPM management console with application privileges.
“There was a SQL injection found in SEPM that could have allowed an authorized but less-privileged SEPM operator to potentially elevate access to administrative level on the application.”
The issue has been deemed critical enough for US CERT to issue an update, where it encouraged users and administrators to review the advisory from Symantec and apply the necessary update.
In a statement issued to Infosecurity, the company said: “This is a routine advisory. We recommend customers update to the latest version to keep their information secure.”
Paul Farrington, senior solution architect at Veracode, said that despite SQL Injection having been around for more than a decade and regularly featuring on the OWASP Top 10 list, the prevalence of the SQL injection vulnerability remains disturbingly high, with many businesses leaving themselves exposed to data loss and brand damage.
“Organizations can mitigate SQL injection with the right care and attention. All organizations need to be working to gain full visibility into its web application perimeter and run frequent scans on all existing applications to ensure that it remains protected from the threats that new or changed applications introduce, or from newly-discovered vulnerabilities. Indeed, this case shows that no company is above testing applications for vulnerabilities.”