Bypass Record

Exploitation for Priv-Esc × Broadcom (Symantec) Symantec Data Loss Prevention for Windows

A publicly-reported instance of Exploitation for Priv-Esc bypassing Broadcom (Symantec) Symantec Data Loss Prevention for Windows, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Broadcom (Symantec) Symantec Data Loss Prevention for Windows
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: Critical
Status: unknown
Disclosed: 2024-01-26
Config / version noted: Yes

Provenance

Reported as

A stack-based buffer overflow vulnerability in Symantec Data Loss Prevention for Windows allows unauthenticated remote code execution.

Mechanism

Stack-based buffer overflow in the WP6SR DLL of Symantec DLP for Windows. An attacker crafts a malicious document; when a user opens it, the document triggers the overflow and enables arbitrary code execution, with no authentication required. This defeats the integrity of the DLP endpoint agent and potentially allows data exfiltration or system compromise.

Detection & mitigation

Monitor for unexpected child processes spawned by the Symantec DLP agent process (e.g., cmd.exe, powershell.exe) or anomalous network connections from it. Apply the vendor patch immediately and restrict document handling from untrusted sources.
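The child-process check described above, as an added example that is not part of the original record or of any vendor tooling. It runs over constructed process-creation events (modelled on Sysmon event ID 1 exported as one JSON object per line) and flags children of the DLP agent process; the agent image name `dlp_agent_placeholder.exe` is a hypothetical placeholder that must be replaced with the real agent image for a given deployment. It goes slightly beyond the record by also raising a lower-severity alert for any other child of the agent, since an endpoint agent that normally spawns nothing makes every child worth a look.

```python
import json
from dataclasses import dataclass

# Hypothetical placeholder: substitute the real DLP agent image name here.
DLP_AGENT_IMAGE = "dlp_agent_placeholder.exe"

# Child images the record names as unexpected for the agent to spawn.
HIGH_SEVERITY_CHILDREN = {"cmd.exe", "powershell.exe"}


@dataclass
class ProcessEvent:
    parent_image: str   # basename of the parent, lower-cased
    image: str          # basename of the new process, lower-cased
    command_line: str


def _basename(path: str) -> str:
    # Windows paths: keep only the file name, case-folded for comparison.
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    # One JSON object per line with Sysmon-style field names (constructed input).
    rec = json.loads(line)
    return ProcessEvent(
        parent_image=_basename(rec["ParentImage"]),
        image=_basename(rec["Image"]),
        command_line=rec.get("CommandLine", ""),
    )


def detect_agent_children(lines):
    """Return (severity, event) pairs for every child spawned by the DLP agent.

    'high'   - a shell or script host (cmd.exe, powershell.exe) under the agent
    'medium' - any other child of the agent; assumption: the agent normally
               spawns no children, so anything else still deserves triage
    """
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.parent_image != DLP_AGENT_IMAGE:
            continue
        if ev.image in HIGH_SEVERITY_CHILDREN:
            alerts.append(("high", ev))
        else:
            alerts.append(("medium", ev))
    return alerts


# Constructed sample events; paths and command lines are invented for the demo.
SAMPLE_LOG = r"""
{"ParentImage": "C:\\Program Files\\DLP\\dlp_agent_placeholder.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"ParentImage": "C:\\Program Files\\DLP\\dlp_agent_placeholder.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop"}
{"ParentImage": "C:\\Program Files\\DLP\\dlp_agent_placeholder.exe", "Image": "C:\\Program Files\\DLP\\updater.exe", "CommandLine": "updater.exe"}
{"ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
"""


if __name__ == "__main__":
    for severity, ev in detect_agent_children(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {ev.parent_image} -> {ev.image}: {ev.command_line}")
```

Matching on the parent image alone is deliberately simple; in a real pipeline the same rule would also key on the agent's signed image path and service account, so that a renamed binary elsewhere on disk does not satisfy it.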

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.