Symantec security advisory (AV26-304)
Analysis Summary
# Vulnerability: Symantec Data Loss Prevention Escalation of Privilege
## CVE Details
- **CVE ID:** CVE-2024-52648
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-269 (Improper Privilege Management)
## Affected Systems
- **Products:** Symantec Data Loss Prevention (DLP) Windows Endpoint
- **Versions:**
  - Versions prior to DLP 16.1 MP2
  - Versions prior to DLP 25.1 MP1
- **Configurations:** Windows-based endpoint installations.
## Vulnerability Description
A privilege escalation vulnerability exists in the Symantec DLP Windows Endpoint agent. The flaw results from improper privilege management within the agent software, which could allow a local authenticated user to gain elevated privileges (System level) on the affected Windows host.
## Exploitation
- **Status:** Not currently reported as exploited in the wild.
- **Complexity:** Low
- **Attack Vector:** Local (Requires local access to the endpoint).
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
Broadcom (Symantec) has released the following updates to address this vulnerability:
- **Symantec DLP 16.1:** Upgrade to version **16.1 MP2** or later.
- **Symantec DLP 25.1:** Upgrade to version **25.1 MP1** or later.
### Workarounds
No specific workarounds have been identified. Remediation requires an upgrade of the DLP agent on all affected Windows endpoints.
## Detection
- **Indicators of compromise:** Monitor for unusual system-level process executions originating from the DLP agent directory or service.
- **Detection methods:** Review system logs for unauthorized privilege elevation attempts related to `edpa.exe` or `wdp.exe` processes. Use endpoint detection and response (EDR) tools to flag unauthorized registry or file system changes in protected Symantec directories.
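The detection guidance above, worked through as an added example (this is not part of the advisory, and it is not Symantec's or Broadcom's tooling): a small Python script that applies the "SYSTEM-level process spawned by the DLP agent, outside the agent directory" heuristic to Windows Security event ID 4688 (process creation) records. The process names `edpa.exe` and `wdp.exe` come from the advisory; the agent install directory `DLP_AGENT_DIR` is an assumed placeholder to be replaced with the path used in your deployment, and the four sample events are constructed for the demonstration.

```python
"""Heuristic review of Windows Security 4688 (process creation) records for
SYSTEM-level children of the Symantec DLP Windows Endpoint agent.

Added example for the advisory's detection section; not vendor code.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable

# ASSUMED placeholder for the agent install directory; use your own value.
DLP_AGENT_DIR = PureWindowsPath(r"C:\Program Files\Manufacturer\Endpoint Agent")
# Agent process names named in the advisory's detection guidance.
DLP_AGENT_IMAGES = {"edpa.exe", "wdp.exe"}
# Well-known SID of NT AUTHORITY\SYSTEM.
SYSTEM_SID = "S-1-5-18"


@dataclass(frozen=True)
class ProcessCreation:
    """Subset of event 4688 fields needed for this check."""
    timestamp: str
    subject_sid: str        # SubjectUserSid: account the new process runs as
    new_process: str        # NewProcessName: full path of the created image
    parent_process: str     # ParentProcessName: full path of the creator
    command_line: str = ""  # CommandLine: present only if audit policy enables it


def _in_agent_dir(path: str) -> bool:
    """True if `path` lies under DLP_AGENT_DIR (case-insensitive, like NTFS)."""
    root = str(DLP_AGENT_DIR).lower().rstrip("\\") + "\\"
    return str(PureWindowsPath(path)).lower().startswith(root)


def _image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_suspicious(ev: ProcessCreation) -> bool:
    """Flag a SYSTEM-level process whose parent is the DLP agent (by image name
    or by location) but whose own image lives outside the agent directory.
    Legitimate agent helpers installed elsewhere should be allow-listed after
    baselining a known-good endpoint."""
    if ev.subject_sid != SYSTEM_SID:
        return False
    parent_is_agent = (_image_name(ev.parent_process) in DLP_AGENT_IMAGES
                       or _in_agent_dir(ev.parent_process))
    return parent_is_agent and not _in_agent_dir(ev.new_process)


def find_suspicious(events: Iterable[ProcessCreation]) -> list[ProcessCreation]:
    """Return the events that match the heuristic, in input order."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: the agent service starts its own component from the install dir.
    ProcessCreation("2025-01-01T08:00:00Z", SYSTEM_SID,
                    r"C:\Program Files\Manufacturer\Endpoint Agent\wdp.exe",
                    r"C:\Program Files\Manufacturer\Endpoint Agent\edpa.exe"),
    # Benign: an interactive user opens a console; not SYSTEM, not agent-related.
    ProcessCreation("2025-01-01T08:01:00Z", "S-1-5-21-1000-2000-3000-1001",
                    r"C:\Windows\System32\cmd.exe",
                    r"C:\Windows\explorer.exe"),
    # Benign: the service control manager starts a host process as SYSTEM.
    ProcessCreation("2025-01-01T08:01:30Z", SYSTEM_SID,
                    r"C:\Windows\System32\svchost.exe",
                    r"C:\Windows\System32\services.exe"),
    # Suspicious: a SYSTEM-level interpreter outside the agent directory,
    # created by the agent process.
    ProcessCreation("2025-01-01T08:02:00Z", SYSTEM_SID,
                    r"C:\Windows\System32\cmd.exe",
                    r"C:\Program Files\Manufacturer\Endpoint Agent\edpa.exe",
                    "cmd.exe"),
]


if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"{ev.timestamp} SYSTEM child outside agent dir: "
              f"{ev.new_process} <- {ev.parent_process}")
```

To run this against real data, export 4688 events from the Security log (for example with `Get-WinEvent` in PowerShell) and map the `SubjectUserSid`, `NewProcessName` and `ParentProcessName` fields onto `ProcessCreation`. `ParentProcessName` is only recorded on Windows 10 / Server 2016 and later, and `CommandLine` only when the "Include command line in process creation events" audit policy is enabled. Expect to tune the allow-list: the agent legitimately spawns SYSTEM-level processes, so the signal is the location and identity of the child, not SYSTEM context alone.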
## References
- **Broadcom Security Advisory:** hxxps[://]support[.]broadcom[.]com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37306
- **Canadian Centre for Cyber Security Advisory:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/symantec-security-advisory-av26-304