CVE-2024-23617

9.6 CRITICAL

📋 TL;DR

A buffer overflow vulnerability in Symantec Data Loss Prevention allows remote, unauthenticated attackers to execute arbitrary code by tricking users into opening malicious documents. This affects versions 14.0.2 and earlier, potentially compromising entire systems.

💻 Affected Systems

Products:
  • Symantec Data Loss Prevention
Versions: 14.0.2 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability resides in wp6sr.dll component; exploitation requires user interaction with malicious document.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the affected machine, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Remote code execution leading to malware installation, data exfiltration, or system disruption.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and application whitelisting are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires social engineering to get a user to open a malicious document; once the document is opened, technical exploitation is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.0.3 or later

Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/246823

Restart Required: Yes

Instructions:

1. Download Symantec Data Loss Prevention version 14.0.3 or later from the Broadcom support portal.
2. Apply the patch to all affected systems.
3. Restart the systems to complete the installation.

🔧 Temporary Workarounds

Document Type Restrictions

all

Block or restrict processing of suspicious document types via DLP policies.

User Awareness Training

all

Train users to avoid opening unexpected or suspicious documents.

🧯 If You Can't Patch

  • Implement network segmentation to isolate DLP systems from critical assets.
  • Deploy application control/whitelisting to prevent execution of unauthorized code.

🔍 How to Verify

Check if Vulnerable:

Check the Symantec DLP version via the Control Center or the command line ('dlp version'), or examine the installed programs list.

Check Version:

dlp version

Verify Fix Applied:

Verify that the version is 14.0.3 or later using the same methods, and check the patch installation logs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from DLP components
  • Crash logs involving wp6sr.dll
  • Failed document processing attempts

Network Indicators:

  • Outbound connections from DLP systems to unknown IPs post-document processing

SIEM Query:

source="dlp_logs" AND ((event_id="process_creation" AND parent_process="wp6sr.dll") OR (event_id="crash" AND module="wp6sr.dll"))
