CVE-2013-1609 Symantec CVE debrief

Who should care

Administrators and security teams responsible for Symantec Enterprise Vault for File System Archiving deployments on Windows should prioritize this issue, especially where untrusted local users may have account access on the host.

Technical summary

The flaw is an unquoted service path problem in two Windows services: File Collector and File PlaceHolder. Because the service command path was not properly quoted, Windows could search and launch a malicious executable placed earlier in the path by a local user, resulting in privilege escalation. NVD lists the weakness as an other-category issue and rates the vector as local, low complexity, with some user interaction/authentication required.

Defensive priority

Medium. This is a local privilege escalation rather than a remote network flaw, but it can still materially impact host integrity if lower-privileged users can access the system.

Recommended defensive actions

• Upgrade Symantec Enterprise Vault for File System Archiving to 9.0.4 or later, or 10.0.1 or later.
• Audit the File Collector and File PlaceHolder service configurations to confirm executable paths are quoted correctly.
• Restrict local write access on directories that appear in service search paths.
• Review affected hosts for unexpected executables or service-related persistence artifacts.
• Apply least-privilege principles so untrusted users cannot create files in sensitive service directories.
• Validate patching against the vendor advisory and NVD entry before returning systems to service.

Evidence notes

The debrief is based on the NVD CVE record and the linked Symantec advisory reference. NVD describes the issue as multiple unquoted Windows search path vulnerabilities affecting Symantec Enterprise Vault for File System Archiving before 9.0.4 and 10.x before 10.0.1. The NVD record also lists the affected CPEs and a local CVSS vector (AV:L/AC:L/Au:S/C:C/I:C/A:C).

Official resources