SYM14-004 Endpoint Protection Manager vulnerability

Products

Endpoint Protection Network Access Control

Issue/Introduction

This article provides more information about the SYM14-004 Symantec Endpoint Protection Manager (SEPM) vulnerability.

Resolution

On Tuesday, February 18, SEC Consult Vulnerability Lab, an Austrian-based security consultancy, is planning to release an advisory to the public regarding vulnerabilities that it found within Symantec Endpoint Protection. For additional information on the SYM14-004 vulnerability, read the Symantec Security Response SYM14-004 Security Advisory.

Symantec product engineers have verified these issues and have released critical updates to resolve them. Currently Symantec is not aware of exploitation of or adverse impact on our customers due to this issue. However, customers must apply these updates to Symantec Endpoint Protection Manager 11.0 and 12.1 to ensure they remain protected.

Failure to install these critical updates to Symantec’s Endpoint Protection Manager may leave customers exposed to potential threats. Without the updates, Symantec Endpoint Protection Manager does not correctly validate external XML data being sent to the management console, and does not sufficiently sanitize local queries made against the database.

Mitigation

Upgrade to the latest build of Symantec Endpoint Protection

Symantec has released product updates for both Symantec Endpoint Protection Manager 12.1.x and Symantec Endpoint Protection Manager 11.0.x. To fully mitigate these vulnerabilities, update the management console to 11.0 RU7 MP4a (11.0.7405.1424) or 12.1 RU4a (12.1.4023.4080). To obtain the latest release, read the document Best practices for upgrading to the latest version of Symantec Endpoint Protection 12.1.x.

If you only have a license for Symantec Network Access Control, contact Symantec Technical Support to download the update.

Alternate mitigations

Symantec Security Response has released IPS signature 27273, " Web Attack: Symantec Endpoint Manager XXE", which detects and blocks HTTP attempts to exploit issues of this nature. Signatures are available through normal Symantec updates.

To temporarily mitigate the vulnerability before you upgrade the Symantec Endpoint Protection Manager console, you can block the affected ports with a firewall rule. However, if you block the ports, the management console loses specific functionality. You should review the implications prior to implementation.

Note: The ports mentioned below are the Symantec Endpoint Protection Manager default ports. If you have changed the communication ports, please alter the firewall rules appropriately.

Steps:

Add a firewall rule to block the specific port on the computer on which you installed Symantec Endpoint Protection Manager. This firewall rule should apply to all hosts and all applications.
To confirm that the rule applied successfully, simply telnet to the port. If you configured the rule correctly, the firewall successfully blocks traffic and does not permit a connection on the port.

Note: For instructions on creating a firewall rule using the Symantec Endpoint Protection client, please see HOWTO81156: Adding a new firewall rule. If you configure the policy from the Symantec Endpoint Protection Manager, you will need to wait for the policy to propagate to the Symantec Endpoint Protection client installed on the SEPM server prior to testing.

Port	Implication	Alternate Solution
9090 (web console port)	No access to Symantec Endpoint Protection Manager home page.	None
	Cannot download package to install remote Java console	Use local Symantec Endpoint Protection Manager console
	Cannot download server certificate (only 12.x)	SEPM server administrator may copy the server certificate for distribution
	Online help docs are unavailable	Use context-sensitive help in local console, or access Symantec Technical Support documentation via Symantec.com
8443 (named server port)	Cannot use remote Java or web console	Use local Symantec Endpoint Protection Manager console
	No replication	Make all policy or administration changes at each site
	Password Reset URL will not work (only 12.x)	Administrators with higher privileges (System Administrator\Administrator) can log in into local console and change password for any other admins required. System Administrator (full site control): can change for all administrators across enterprise. Administrator (domain control): can change for other domain administrators and limited administrators in the same domain.
	Cannot use Symantec Protection Center v1	None

Frequently asked questions

Q: Which versions of Symantec Endpoint Protection Manager does this vulnerability affect?

A: This vulnerability affects the following versions:

Symantec Endpoint Protection Manager 11.0 RTM to 11.0 RU7 MP4
Symantec Endpoint Protection Manager 12.0.x
Symantec Endpoint Protection Manager 12.1 RTM to 12.1 RU4
Symantec Endpoint Protection Manager Small Business Edition 12.1
Symantec Endpoint Protection Manager 2013 On-Premise

Q: Which versions of Symantec Endpoint Protection Manager resolve this vulnerability?

A: Symantec has released the following product updates to resolve the vulnerability:

Symantec Endpoint Protection 11.0 RU7 MP4a (11.0.7405.1424)
Symantec Endpoint Protection 12.1 RU4a (12.1.4023.4080)

Q: Where can I download the update?

A: You can download the Symantec Endpoint Protection Manager updates from Symantec File Connect.

Q: Can I install SEPM 12.1 RU4a or SEPM 11 RU7 MP4a over the version that is currently installed?

A: Yes. SEPM 11 RU7 MP4a can be installed over any previous version of SEPM 11, and SEPM 12.1 RU4a can be installed over any previous version of SEPM 11 or 12.1, including SEPM 11 RU7 MP4a.

Q: Am I required to update to the Symantec Endpoint Protection client?

A: No. Only the Symantec Endpoint Protection Manager requires an update. There are no client-side changes

Q: The file named Versions.txt within the 12.1 RU4a installation file I downloaded lists the SEPM version as 12.1.4013.4013. Does this mean I downloaded the wrong file?

A: No. The version information in Versions.txt was not updated with this release. You can confirm that you downloaded the correct file by checking the Properties of Setup.exe within the SEPM folder of the downloaded file. To do so, open the folder named SEPM, right-click Setup.exe, click Properties, click Details, and confirm that the file version is 12.1.4023.4080. If the version listed here is 12.1.4023.4080, you have downloaded the correct file.

Q: The file named Versions.txt within the 11 RU7 MP4a installation file I downloaded lists the SEPM version as 11.0.7400.1398. Does this mean I downloaded the wrong file?

A: No. The version information in Versions.txt was not updated with this release. You can confirm that you downloaded the correct file by checking the Properties of Setup.exe within the SEPM folder of the downloaded file. To do so, open the folder named SEPM, right-click Setup.exe, click Properties, click Details, and confirm that the product version is 11.0.7405.1424. If the product version listed here is 11.0.7405.1424, you have downloaded the correct file.

Q: The email I received from [email protected] states that administrators should upgrade to 12.4 RU4a. Is this a separate build?

A: The version specified in the email was incorrect. The correct version is 12.1 RU4a.