Note: an OS command injection vulnerability allows an attacker to execute commands on the underlying operating system.
Summary
The management console for Symantec Encryption Management Server (SEMS) contains an OS command injection vulnerability that allows authenticated users of the administrative interface to execute commands on the underlying operating system.
Affected Versions
- Symantec Encryption Management Server <= 3.3.2 MP11
CVSSv3 Score
9.1 (Critical)
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Technical Details
The administrative interface includes a search function. User input passed to it was not properly validated before being used, which turned the search box into a command injection point.
A payload entered into the search box launched a reverse TCP shell back to the attacker's machine. (The payload itself is not reproduced on this page.)
The resulting shell runs as the tomcat user. Crucially, exploitation did not require administrator access: the lowest-privilege role with access to the administrative interface (Reporter) was sufficient to trigger it.
This matters for risk assessment, because the attack surface is not limited to admin accounts. Any user with Reporter-level access can achieve command execution on the underlying operating system.
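The injection pattern behind this class of bug, as an added illustration that is not the product's code or the researcher's payload: a hypothetical search function splices user input into a shell command string, so a term containing a quote and a command separator runs extra commands. Alongside it is the hardened form, which allowlists the term and passes an argv list with no shell. The sample log data and the payload (which only echoes a marker rather than spawning a reverse shell) are constructed for this example; the product is Java on Tomcat, but Python is used here to make the pattern easy to run.

```python
import os
import re
import subprocess
import tempfile

# Constructed sample data standing in for whatever the real search runs over;
# it is not taken from the advisory or the product.
SAMPLE_LOGS = "alice login ok\nbob login failed\nalice logout\n"

# Constructed, deliberately benign injection payload. The advisory's real payload
# (a reverse TCP shell) is not reproduced; an echoed marker proves execution instead.
BENIGN_PAYLOAD = "alice' /dev/null; echo INJECTED #"


def write_sample_log() -> str:
    """Write SAMPLE_LOGS to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_LOGS)
    return path


def vulnerable_search(term: str, log_path: str) -> str:
    """Hypothetical flawed search: user input is spliced into a shell command string.

    The single quotes look like protection, but a term containing a quote closes
    them and everything after it is parsed by /bin/sh as further commands.
    """
    cmd = f"grep -c '{term}' {log_path}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def safe_search(term: str, log_path: str) -> str:
    """Hardened search: allowlist the input, then run grep without a shell."""
    # 1. Positive validation: only the characters a search term legitimately needs.
    if not re.fullmatch(r"[A-Za-z0-9 ._-]{1,64}", term):
        raise ValueError("invalid search term")
    # 2. argv list, no shell: metacharacters reach grep as data and are never parsed.
    #    '--' stops grep from treating a term that begins with '-' as an option.
    result = subprocess.run(
        ["grep", "-c", "--", term, log_path], capture_output=True, text=True
    )
    return result.stdout


def run_demo() -> dict:
    """Run both implementations on a benign term and on the payload; return the results."""
    path = write_sample_log()
    try:
        results = {
            "benign_vulnerable": vulnerable_search("alice", path),
            "benign_safe": safe_search("alice", path),
            "payload_vulnerable": vulnerable_search(BENIGN_PAYLOAD, path),
        }
        try:
            safe_search(BENIGN_PAYLOAD, path)
            results["payload_safe_rejected"] = False
        except ValueError:
            results["payload_safe_rejected"] = True
    finally:
        os.remove(path)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

On a POSIX host with grep, the vulnerable path returns the grep count for /dev/null followed by the injected marker, while the hardened path rejects the same term before anything runs. The two controls are independent: dropping the shell alone already neutralises metacharacters, and the allowlist adds defence in depth against options or oversized input reaching the command.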
Timeline
| Date | Event |
|---|---|
| 2015-07-06 | Vulnerability discovered |
| 2015-07-30 | Vendor contacted |
| 2015-08-02 | Vendor confirms issue |
| 2016-02-19 | Patch released (v3.3.2 MP12) |
| 2016-06-07 | Public disclosure |
Remediation
Symantec product engineers have addressed this issue in Symantec Encryption Management Server 3.3.2 MP12. Customers should update to SEMS 3.3.2 MP12 as soon as possible.
Credit
Discovered and reported by Toby Reynolds following responsible disclosure guidelines.