Executive Summary

Title Symantec Endpoint Protection Client contains a kernel pool overflow vulnerability
Name VU#252068 First vendor Publication 2014-08-04
Vendor VU-CERT Last vendor Modification 2014-08-04
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 6.9 Attack Range Local
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 3.4 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#252068

Symantec Endpoint Protection Client contains a kernel pool overflow vulnerability

Original Release date: 04 Aug 2014 | Last revised: 04 Aug 2014


Symantec Endpoint Protection Client 11.x and 12.x contains a kernel pool overflow vulnerability.


CWE-788: Access of Memory Location After End of Buffer

An attacker logged into a Windows XP, Vista, 7, or 8 system as an unprivileged user is able to cause a kernel pool overflow in the sysplant driver with specially crafted IOCTL code. The sysplant driver is part of the Application and Device Control functionality in Symantec Endpoint Protection (SEP) client 11.x and 12.x. This feature is enabled by default in SEP client 11.x and 12.x.


An attacker with user credentials may be able to elevate privileges to SYSTEM and gain full control of the system.


Apply an Update
Symantec has posted an advisory for this vulnerabilityhere. A patch is now available, the new version is SEP 12.1.4112.4156.

If the patch is unavailable or cannot be installed, consider the following workaround:

Disable the Vulnerable Driver
By default, SEP has Application and Device Control enabled and loads the sysplant driver. Disabling the driver will prevent an attack from being successful, although it will marginally reduce the effectiveness of SEP. Note that the sysplant driver is still loaded if Application and Device Control is disabled either through the SEP client or via policy from the Symantec Endpoint Manager. Disabling the driver via a registry edit and rebooting the system will force it to unload the sysplant driver.

Follow these instructions on Symantec's site to disable the sysplant driver. The sysguard driver does not need to be disabled to mitigate this vulnerability.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
SymantecAffected22 Jul 201401 Aug 2014
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)



  • http://www.symantec.com/business/support/index?page=content&id=TECH103259
  • http://www.symantec.com/security_response/securityupdates/list.jsp?fid=security_advisory
  • http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140804_00
  • http://cwe.mitre.org/data/definitions/788.html


Thanks to Matteo Memelli for reporting this vulnerability.

This document was written by Chris King.

Other Information

  • CVE IDs:CVE-2014-3434
  • Date Public:04 Aug 2014
  • Date First Published:04 Aug 2014
  • Date Last Updated:04 Aug 2014
  • Document Revision:20


If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/252068

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

Application 3

Information Assurance Vulnerability Management (IAVM)

Date Description
2014-08-07 IAVM : 2014-A-0117 - Symantec Endpoint Protection (SEP) Privilege Escalation Vulnerability
Severity : Category I - VMSKEY : V0053633

Snort® IPS/IDS

Date Description
2014-11-16 Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt
RuleID : 31671 - Revision : 4 - Type : FILE-OTHER
2014-11-16 Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt
RuleID : 31670 - Revision : 3 - Type : FILE-OTHER

Nessus® Vulnerability Scanner

Date Description
2014-08-07 Name : The version of Symantec Endpoint Protection Client installed on the remote ho...
File : symantec_endpoint_prot_client_sym14-013.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
Date Informations
2014-08-08 13:24:54
  • Multiple Updates
2014-08-07 17:25:29
  • Multiple Updates
2014-08-07 00:25:19
  • Multiple Updates
2014-08-05 00:22:21
  • First insertion