CVE-2020-5820: 
Symantec Endpoint Protection vulnerability analysis and mitigation

CVE-2020-5820 is a privilege escalation vulnerability affecting Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE) versions prior to 14.2 RU2 MP1 and 14.2.5569.2100 respectively. The vulnerability was discovered by researcher Z0mb1E working with Trend Micro Zero Day Initiative and was publicly disclosed on February 11, 2020 (Broadcom Support, ZDI Advisory).

The vulnerability exists within the AvHostPlugin.dll component and stems from improper validation of user-supplied data, which can result in a write operation before the start of an allocated buffer. The vulnerability has been assigned a CVSS v3 score of 7.8 (High) with the following vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. To exploit this vulnerability, an attacker must first obtain the ability to execute low-privileged code on the target system (ZDI Advisory).

Successful exploitation of this vulnerability allows an attacker to escalate privileges and execute arbitrary code in the context of SYSTEM, potentially gaining elevated access to resources that are normally protected from an application or user (Broadcom Support).

Symantec has released updates to address this vulnerability through SEP 14.2 RU2 MP1 (14.2.5569.2100) and SEP SBE 14.2 RU2 MP1 (14.2.5569.2100). Additionally, a refresh of 14.2 RU2 (14.2.5334.2000) was released on February 10, 2020. Recommended mitigation measures include restricting access to administrative systems, running under the principle of least privilege, keeping systems current with vendor patches, and deploying network and host-based intrusion detection systems (Broadcom Support).