Security vendor Symantec had major vulnerabilities in its data centre security platforms that were identified in November 2014, and took six weeks to patch them.

Researcher Stefan Viehböck discovered the flaws in Symantec’s Critical System Protection (SCSP) 5.2.9. Viehböck first tipped Symantec off to the holes in November 2014. Symantec claimed to have plugged the holes in the week ending January 23rd 2015.

The vulnerabilities may have existed for months, because they were also found in the system’s predecessor, Data Center Security: Server Advanced (SDCS:SA) 6.0.x and 6.0 MP1.

Hackers let in?

At worst, the unpatched flaws could have let attackers take over the management servers and bypass the client protection systems, leaving them free to roam the corporate network.

Viehböck’s analysis found an unauthenticated SQL injection (CVE-2014-7289) that granted attackers read and write access to database records and code execution with SYSTEM privileges.

Another flaw, a reflected cross-site scripting vulnerability (CVE-2014-9224), could have allowed attackers to steal other users’ sessions and gain access to the admin interface.

A third flaw disclosed internal server application data without any authentication. This would have revealed file paths on the web servers and version information (of the operating system and Java, for example) that could have been useful to criminals.

Customers have been advised to apply patches for any as yet unfixed vulnerabilities.

However, Viehböck, a researcher at SEC Consult, advised users not to use the products until a full security audit has been conducted and all identified issues resolved.

“Attackers can completely compromise the server and gain access at the system and database level, [so] they can manage all clients and their policies,” Viehböck wrote in a briefing issued by SEC Consult.