Our investigation indicates that MC 3.x is affected by CVE-2020-1971 (a NULL pointer dereference in OpenSSL's GENERAL_NAME_cmp that an attacker can trigger for denial of service), but only when an authenticated administrator does both of the following:
- installs a malicious certificate revocation list (CRL)
- configures MC to connect to a custom (non-Symantec) SSL server, for example to download or upload files, and that server presents a malicious SSL server certificate
Until a fixed release is available, customers can mitigate this vulnerability as follows:
- if importing CRLs into MC for certificate revocation checking, import only CRLs obtained over a secure channel from a trusted certificate authority (CA), and verify each CRL's signature against that CA's certificate before importing it
- if MC downloads files from or uploads files to custom SSL servers, configure those servers only with SSL certificates issued by a CA you control or trust, never with certificates of unknown origin
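As an added example (not from the original advisory and not an MC feature), the following POSIX shell script shows the pre-import check behind the first recommendation: a CRL is accepted only if it parses, names the trusted CA as its issuer, and carries a signature that verifies under that CA's certificate. The trusted CA, its CRL, and a "rogue" CA that reuses the same DN are all constructed on the fly with openssl in a temporary directory; the `check_crl` and `new_ca` function names and the file names are this example's own.

```shell
#!/bin/sh
# Gate a CRL before importing it into MC: trust the CRL only if it verifies under the
# CA certificate we already trust. Fixtures below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config used both for the self-signed CA and for 'openssl ca -gencrl'.
cat > "$WORK/ca.cnf" <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = index.txt
crlnumber        = crlnumber
default_md       = sha256
default_crl_days = 7
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = Demo Trusted CA
EOF

# new_ca NAME: self-signed CA NAME.crt/NAME.key, then an (empty) CRL NAME.crl signed by it.
new_ca() {
  ( cd "$WORK" \
    && openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf \
         -keyout "$1.key" -out "$1.crt" -days 30 2>/dev/null \
    && : > index.txt && echo 1000 > crlnumber \
    && openssl ca -gencrl -config ca.cnf -keyfile "$1.key" -cert "$1.crt" \
         -out "$1.crl" 2>/dev/null )
}
new_ca trusted   # the CA MC is configured to trust (constructed)
new_ca rogue     # same DN, different key: what an attacker-supplied CRL could look like

# check_crl CRL CA_CERT: returns 0 only if CRL is well-formed, names CA_CERT's subject as
# its issuer, and its signature verifies under CA_CERT's public key.
check_crl() {
  crl=$1
  ca=$2

  # 1. The file must parse as a CRL at all.
  openssl crl -in "$crl" -noout >/dev/null 2>&1 \
    || { echo "reject: not a parseable CRL: $crl"; return 1; }

  # 2. Issuer DN must equal the trusted CA's subject DN (same RFC 2253 rendering on both sides).
  issuer=$(openssl crl -in "$crl" -noout -issuer -nameopt RFC2253 | sed 's/^[a-zA-Z]*=[ ]*//')
  subject=$(openssl x509 -in "$ca" -noout -subject -nameopt RFC2253 | sed 's/^[a-zA-Z]*=[ ]*//')
  [ "$issuer" = "$subject" ] \
    || { echo "reject: issuer '$issuer' is not the trusted CA"; return 1; }

  # 3. The signature must verify under the trusted CA certificate. A matching name is not
  #    enough: anyone can mint a CA with the same DN. openssl prints "verify OK" or
  #    "verify failure" on stderr, and older releases exit 0 in both cases, so test the text.
  openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep '^verify OK' >/dev/null \
    || { echo "reject: signature does not verify under $(basename "$ca")"; return 1; }

  echo "accept: $crl ($(openssl crl -in "$crl" -noout -nextupdate))"
  return 0
}

# Demo: the genuine CRL is accepted, the same-DN rogue CRL is rejected at the signature step.
check_crl "$WORK/trusted.crl" "$WORK/trusted.crt" || true
check_crl "$WORK/rogue.crl"   "$WORK/trusted.crt" || true
```

The rogue CRL passes the issuer-name comparison and fails only at step 3, which is the point of the example: "obtained from a trusted CA" has to be enforced cryptographically, not by looking at the issuer field. The check says nothing about the CRL's contents beyond its signature, so it is a gate against CRLs that did not come from the trusted CA, not a substitute for the permanent fix.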
A permanent fix for this CVE will be provided in a future MC release.