Prevent denial of service attack in Symantec Endpoint Protection

Article ID: 157906

Products

Endpoint Protection

Issue/Introduction

Vulnerability scanners report that the Symantec Endpoint Protection Manager (SEPM) is vulnerable to the denial of service exploits CVE-2007-6750 and CVE-2009-5111.

Resolution

This problem is fixed in Symantec Endpoint Protection 12.1 Release Update 4 (SEP 12.1.4). To obtain the latest version of SEP, see "Download the latest version of Symantec Endpoint Protection".

If you cannot upgrade, work around the problem by implementing mod_reqtimeout.so in the SEPM Apache server. This workaround only applies to 12.1.2 or newer managers. There is no workaround available for pre-12.1.2 managers.

Warning: If you implement the workaround, you must reapply it after migrating to 12.1.2.1 or 12.1.3. You do not need to reapply the workaround after migrating to 12.1.4 or later.

  1. Download and save to disk the mod_reqtimeout.so module attached to this document.
     
  2. Copy the file into the %SEPM_Install_Dir%\apache\modules directory.
    Note: On most systems, the default SEPM installation directory is C:\Program Files\Symantec\Symantec Endpoint Protection Manager.
     
  3. Open %SEPM_Install_Dir%\apache\conf\httpd.conf with a plain text editor such as Notepad, and then add the following lines to the bottom:
     
    LoadModule reqtimeout_module modules/mod_reqtimeout.so
    <IfModule reqtimeout_module>
    RequestReadTimeout header=20-30,MinRate=256 body=100-120,MinRate=512
    </IfModule>

     
    Note: The default configuration settings for mod_reqtimeout are basic settings. You may want to further adjust them for your needs. For more info, see the following page:
    http://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
     
  4. Restart the Symantec Endpoint Protection Manager Webserver service.
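
To confirm that the workaround is still in place (for example after a migration to 12.1.2.1 or 12.1.3), the following added example, which is not part of the original article or Symantec code, audits the text of httpd.conf for the module and directive from step 3 and shows how long a client may take in each stage under those settings. The function names and the sample configuration text are assumptions made for illustration, and only the header= and body= parameters used in this article are parsed.

```python
import re

# Constructed sample: the tail of an httpd.conf after step 3 has been applied.
SAMPLE_CONF = """\
# existing SEPM settings would appear above (constructed placeholder)
LoadModule reqtimeout_module modules/mod_reqtimeout.so
<IfModule reqtimeout_module>
RequestReadTimeout header=20-30,MinRate=256 body=100-120,MinRate=512
</IfModule>
"""

STAGE = re.compile(r"(header|body)=(\d+)(?:-(\d+))?(?:,minrate=(\d+))?$", re.I)

def parse_request_read_timeout(args):
    """Return {stage: (initial_s, max_s, min_rate)} for a RequestReadTimeout argument string."""
    stages = {}
    for token in args.split():
        m = STAGE.match(token)
        if not m:
            raise ValueError("unrecognised RequestReadTimeout parameter: " + token)
        name, first, last, rate = m.groups()
        stages[name.lower()] = (int(first), int(last) if last else None, int(rate) if rate else None)
    return stages

def audit(conf_text):
    """Return the parsed timeouts, or None if the module is not loaded or the directive is absent."""
    loaded, timeouts = False, None
    for raw in conf_text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank lines, comments, closing tags
        directive = parts[0].lower()  # Apache directive names are case-insensitive
        if directive == "loadmodule" and parts[1].split()[0] == "reqtimeout_module":
            loaded = True
        elif directive == "requestreadtimeout":
            timeouts = parse_request_read_timeout(parts[1])
    return timeouts if loaded else None

def deadline(stage, bytes_received):
    """Seconds allowed for a stage: initial timeout plus 1 s per min_rate bytes, capped at max."""
    initial, maximum, rate = stage
    if rate is None:
        return initial
    extended = initial + bytes_received // rate
    return min(extended, maximum) if maximum is not None else extended
```

Pass the contents of %SEPM_Install_Dir%\apache\conf\httpd.conf to audit(); a result of None means the workaround is missing and steps 1 through 4 need to be repeated.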

 

Note: Symantec does not provide Antivirus (AV), SONAR or Intrusion Prevention System (IPS) signatures specifically to protect against CVE-2007-6750 or CVE-2009-5111.

Attachments

mod_reqtimeout.so