Patching: the unlocked door
Patching: the unlocked door

A vulnerability in Symantec endpoint clients remains unpatched months after disclosure, according to security researchers.

The zero-day bug affects a kernel driver in two Symantec products, Symantec Encryption Desktop suite version 10.4.1 MP2HF1 (Build 777) and earlier, module  PGPwded.sys and Symantec Endpoint Encryption version v11.1.3 MP1 (Build 810) and earlier, module eedDiskEncryptionDriver.sys.

The vulnerability allows an attacker to attain arbitrary hard disk read and write access at sector level, and subsequently infect the target and gain low level persistence (MBR/VBR). They also allow the attacker to execute code in the context of the built-in SYSTEM user account, without requiring a reboot.

Symantec was informed of the bug back in mid-July 2017, according to the researchers, but the bug has not been patched to date. “These vulnerabilities remain unpatched at the point of publication.  We have been working with Symantec to try and help them to fix this since our initial private disclosure in July 2017 (full timeline at the end of this article), however no patch has yet been released. We will continue to work with Symantec to help them to produce an effective patch.  CVE numbers to follow” said the researchers in a blogpost on Nettitude.

One of the researchers involved, Twitter user @kyREcon, who Nettitude credited with the discovery, pointed out that Symantec had been responsive to other less critical bugs reported by the team: “Tbh, they fixed on time several other things that we reported, but they were not as critical as this. Still don't know what went wrong on prioritizing…”

Here's a video that demonstrates the exploit and effects: 

Isaac Potoczny-Jones, founder and CEO, Tozny said: “This is an excellent example of how developers make mistakes in implementing cryptography, which undermines the power of those toolkits. Crypto is extremely hard to get right.

“The fact it is disc encryption slightly helps in a few limited instances; the majority of the writeup is about weaponising the exploit (a bit painful from a defensive perspective); and the authors say that they've tried to work with Symantec for months to fix it, but don't provide many details about those interactions, so hard to read too much into that…”

Symantec has not commented on the public disclosure.