This article provides more information about the SYM14-004 Symantec Endpoint Protection Manager (SEPM) vulnerability.
On Tuesday, February 18, SEC Consult Vulnerability Lab, an Austria-based security consultancy, is planning to release a public advisory regarding vulnerabilities that it found in Symantec Endpoint Protection. For additional information on the SYM14-004 vulnerability, read the Symantec Security Response SYM14-004 Security Advisory.
Symantec product engineers have verified these issues and have released critical updates to resolve them. Symantec is currently not aware of any exploitation of this issue or of any adverse impact on customers. However, customers must apply these updates to Symantec Endpoint Protection Manager 11.0 and 12.1 to ensure they remain protected.
Failure to install these critical updates to Symantec’s Endpoint Protection Manager may leave customers exposed to potential threats. Without the updates, Symantec Endpoint Protection Manager does not correctly validate external XML data being sent to the management console, and does not sufficiently sanitize local queries made against the database.
Upgrade to the latest build of Symantec Endpoint Protection
Symantec has released product updates for both Symantec Endpoint Protection Manager 12.1.x and Symantec Endpoint Protection Manager 11.0.x. To fully mitigate these vulnerabilities, update the management console to 11.0 RU7 MP4a (11.0.7405.1424) or 12.1 RU4a (12.1.4023.4080). To obtain the latest release, read the document Best practices for upgrading to the latest version of Symantec Endpoint Protection 12.1.x.
If you only have a license for Symantec Network Access Control, contact Symantec Technical Support to download the update.
Alternate mitigations
Steps:
To confirm that the rule applied successfully, simply telnet to the port. If you configured the rule correctly, the firewall successfully blocks traffic and does not permit a connection on the port.
Note: For instructions on creating a firewall rule using the Symantec Endpoint Protection client, please see HOWTO81156: Adding a new firewall rule. If you configure the policy from the Symantec Endpoint Protection Manager, you will need to wait for the policy to propagate to the Symantec Endpoint Protection client installed on the SEPM server prior to testing.
Blocked port, implication, and alternate solution:

Port 9090 (web console port)
  Implication: No access to the Symantec Endpoint Protection Manager home page.
  Alternate solution: None

  Implication: Cannot download the package to install the remote Java console.
  Alternate solution: Use the local Symantec Endpoint Protection Manager console.

  Implication: Cannot download the server certificate (12.x only).
  Alternate solution: The SEPM server administrator may copy the server certificate for distribution.

  Implication: Online help documents are unavailable.
  Alternate solution: Use the context-sensitive help in the local console, or access Symantec Technical Support documentation via Symantec.com.

Port 8443 (named server port)
  Implication: Cannot use the remote Java or web console.
  Alternate solution: Use the local Symantec Endpoint Protection Manager console.

  Implication: No replication.
  Alternate solution: Make all policy or administration changes at each site.

  Implication: The Password Reset URL will not work (12.x only).
  Alternate solution: Administrators with higher privileges (System Administrator or Administrator) can log in to the local console and change the password for any other administrator as required. A System Administrator (full site control) can change passwords for all administrators across the enterprise; an Administrator (domain control) can change passwords for other domain administrators and limited administrators in the same domain.

  Implication: Cannot use Symantec Protection Center v1.
  Alternate solution: None
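As an added example that is not part of the Symantec article, the following PowerShell script applies the port block with Windows Firewall (netsh advfirewall) as an alternative to the SEP client firewall rule the article points to, then verifies it with a TCP connect, the scripted equivalent of the telnet check above. It assumes the rule step runs elevated on the SEPM server, that the check is run from another host, and that $SepmHost is a placeholder for your server name.

```powershell
# Added example, not from the Symantec article: block the two SEPM ports with
# Windows Firewall (netsh advfirewall) as an alternative to the SEP client
# firewall rule the article describes, then verify the block with a TCP
# connect, which is what "telnet to the port" tests.
# Assumptions: run elevated on the SEPM server; $SepmHost is a placeholder.

$SepmHost = 'sepm01.example.internal'   # placeholder for your SEPM server name
# Ports from the article: 9090 = web console port, 8443 = named server port.
$SepmPorts = @{ 9090 = 'web console'; 8443 = 'named server' }

function Add-SepmBlockRule {
    param([int]$Port, [string]$Description)
    $name = "SYM14-004 mitigation - block inbound TCP $Port ($Description)"
    # netsh is used instead of New-NetFirewallRule so the rule also works on
    # Windows Server 2008 R2, where the NetSecurity cmdlets are unavailable.
    $out = netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=$Port
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for port ${Port}: $out" }
    return $name
}

function Test-PortBlocked {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Run this from a different host: loopback traffic is not necessarily
    # subject to the host firewall, so a local test can give a false pass.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return $true      # no answer within the timeout: the block rule drops the SYN
        }
        $client.EndConnect($async)
        return $false         # connection accepted: the rule is not in effect
    } catch [System.Net.Sockets.SocketException] {
        return $true          # refused or reset: nothing reachable on the port
    } finally {
        $client.Close()
    }
}

# Step 1 (on the SEPM server): create the block rules.
foreach ($port in $SepmPorts.Keys) {
    Add-SepmBlockRule -Port $port -Description $SepmPorts[$port]
}

# Step 2 (from an admin workstation): confirm each port no longer accepts connections.
foreach ($port in $SepmPorts.Keys) {
    [pscustomobject]@{ Port = $port; Role = $SepmPorts[$port]
                       Blocked = Test-PortBlocked -ComputerName $SepmHost -Port $port }
}
```

A result of Blocked=False for either port means the rule is not yet in effect and the mitigation should not be relied on.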
Q: Which versions of Symantec Endpoint Protection Manager does this vulnerability affect?
A: This vulnerability affects the following versions:
Symantec Endpoint Protection Manager 11.0 RTM to 11.0 RU7 MP4
Symantec Endpoint Protection Manager 12.0.x
Symantec Endpoint Protection Manager 12.1 RTM to 12.1 RU4
Symantec Endpoint Protection Manager Small Business Edition 12.1
Symantec Endpoint Protection Manager 2013 On-Premise
Q: Which versions of Symantec Endpoint Protection Manager resolve this vulnerability?
A: Symantec has released the following product updates to resolve the vulnerability:
Symantec Endpoint Protection 11.0 RU7 MP4a (11.0.7405.1424)
Symantec Endpoint Protection 12.1 RU4a (12.1.4023.4080)
Q: Where can I download the update?
A: You can download the Symantec Endpoint Protection Manager updates from Symantec File Connect.
Q: Can I install SEPM 12.1 RU4a or SEPM 11 RU7 MP4a over the version that is currently installed?
A: Yes. SEPM 11 RU7 MP4a can be installed over any previous version of SEPM 11, and SEPM 12.1 RU4a can be installed over any previous version of SEPM 11 or 12.1, including SEPM 11 RU7 MP4a.
Q: Am I required to update to the Symantec Endpoint Protection client?
A: No. Only the Symantec Endpoint Protection Manager requires an update. There are no client-side changes.
Q: The file named Versions.txt within the 12.1 RU4a installation file I downloaded lists the SEPM version as 12.1.4013.4013. Does this mean I downloaded the wrong file?
A: No. The version information in Versions.txt was not updated with this release. You can confirm that you downloaded the correct file by checking the Properties of Setup.exe within the SEPM folder of the downloaded file. To do so, open the folder named SEPM, right-click Setup.exe, click Properties, click Details, and confirm that the file version is 12.1.4023.4080. If the version listed here is 12.1.4023.4080, you have downloaded the correct file.
Q: The file named Versions.txt within the 11 RU7 MP4a installation file I downloaded lists the SEPM version as 11.0.7400.1398. Does this mean I downloaded the wrong file?
A: No. The version information in Versions.txt was not updated with this release. You can confirm that you downloaded the correct file by checking the Properties of Setup.exe within the SEPM folder of the downloaded file. To do so, open the folder named SEPM, right-click Setup.exe, click Properties, click Details, and confirm that the product version is 11.0.7405.1424. If the product version listed here is 11.0.7405.1424, you have downloaded the correct file.
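As an added example that is not from the article, this PowerShell function performs the Setup.exe check described in the two answers above without the Properties dialog: it reads the executable's version resource and compares the field each answer names (file version for 12.1 RU4a, product version for 11 RU7 MP4a). The download path at the end is an assumed placeholder.

```powershell
# Added example, not from the Symantec article: confirm a downloaded SEPM
# update is the right build by reading Setup.exe's version resource, the same
# check the article describes via Properties > Details. Versions.txt was not
# updated in these releases, so it is deliberately not consulted here.

# Expected builds from the article; 12.1 RU4a is identified by its file
# version and 11 RU7 MP4a by its product version.
$ExpectedBuilds = @(
    @{ Name = 'SEP 12.1 RU4a';   Field = 'FileVersion';    Version = '12.1.4023.4080' },
    @{ Name = 'SEP 11 RU7 MP4a'; Field = 'ProductVersion'; Version = '11.0.7405.1424' }
)

function Test-SepmSetupBuild {
    param([Parameter(Mandatory=$true)][string]$SetupPath)
    if (-not (Test-Path $SetupPath)) { throw "Setup.exe not found: $SetupPath" }
    $info = (Get-Item $SetupPath).VersionInfo
    foreach ($build in $ExpectedBuilds) {
        # Dynamic property access picks FileVersion or ProductVersion per build.
        $actual = [string]$info.($build.Field)
        if ($actual.Trim() -eq $build.Version) {
            return [pscustomobject]@{ Path = $SetupPath; Build = $build.Name
                                      Matched = $build.Field; Version = $actual.Trim(); Correct = $true }
        }
    }
    # No match: report both fields so the administrator can see what was downloaded.
    return [pscustomobject]@{ Path = $SetupPath; Build = 'not a SYM14-004 fixed build'
                              Matched = $null; Correct = $false
                              Version = "file=$($info.FileVersion) product=$($info.ProductVersion)" }
}

# Usage: point at the SEPM folder of the extracted download (placeholder path).
Test-SepmSetupBuild -SetupPath 'C:\Downloads\SEP_12.1_RU4a\SEPM\Setup.exe' | Format-List
```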
Q: The email I received from [email protected] states that administrators should upgrade to 12.4 RU4a. Is this a separate build?
A: The version specified in the email was incorrect. The correct version is 12.1 RU4a.