
Vulnerability scanner detects Symantec Endpoint Protection Manager as vulnerable to CVE-2021-40438


Article ID: 230040


Products

Endpoint Protection

Issue/Introduction

During an audit you receive a report that your Symantec Endpoint Protection Managers are vulnerable to CVE-2021-40438 and you would like to know how to mitigate the issue.

Environment

Server 2012
Server 2016
Server 2019
Server 2022

with 

Symantec Endpoint Protection Manager:
14.3 RU1
14.3 RU1.MP1
14.3 RU2
14.3 RU3

Cause

Apache 2.4.48.694, used in current builds of Symantec Endpoint Protection Manager, may appear in basic vulnerability audit reports for CVE-2021-40438 because the audit tool in use did not fully validate the Symantec Endpoint Protection Manager 'loaded modules' or the 'properties.conf' settings file and erroneously flagged the device.

Resolution

Symantec Endpoint Protection Manager 14.3 RU3 is not vulnerable to CVE-2021-40438 in its default state. It only becomes vulnerable if you have modified the Symantec Endpoint Protection Manager properties.conf and manually set up a reverse proxy (details below).

How you become vulnerable to CVE-2021-40438:
CVE-2021-40438 requires an administrator with local Symantec Endpoint Protection Manager hard drive access to set up a reverse proxy per this KB - https://knowledge.broadcom.com/external/article/181483/enabling-mac-and-linux-clients-to-downlo.html 

If you have not executed the instructions in the above link, you are not vulnerable, because the affected module is only loaded when you manually enable the function in properties.conf. Unmodified SEPMs operating in a default install state do not load these modules.

Apache 2.4.48.694 is safe from CVE-2021-40438 as long as it is not being used as a reverse proxy per the KB outlined above.
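The check that a basic scanner skips, whether mod_proxy is actually loaded and a ProxyPass directive is active, can be done against the Apache configuration itself. The following is an added example written for this article, not Broadcom's code: it reads an httpd.conf text, ignores commented-out lines, and reports exposure only when an affected Apache version (below 2.4.49, where CVE-2021-40438 was fixed), a loaded proxy module, and an active ProxyPass/ProxyPassMatch directive all coincide. The two sample configurations are constructed, and the file path in the usage comment is a placeholder, not the real SEPM install location.

```python
"""Validate whether an Apache httpd.conf really enables a reverse proxy.

Added example for the CVE-2021-40438 false-positive discussion; not Broadcom's
code. Sample configurations below are constructed for illustration.
"""
import re

# Modules that mod_proxy-based reverse proxying depends on.
PROXY_MODULES = {"proxy_module", "proxy_http_module"}

LOAD_MODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.I)
# Directives that actually forward requests (ProxyPassReverse alone rewrites
# headers and does not proxy, so it is not counted as exposure).
PROXY_DIRECTIVE = re.compile(r"^\s*(ProxyPass|ProxyPassMatch)\b", re.I)

# CVE-2021-40438 was fixed in Apache httpd 2.4.49.
FIXED_VERSION = (2, 4, 49)


def parse_version(version: str) -> tuple:
    """'2.4.48.694' -> (2, 4, 48); only the upstream httpd triple matters."""
    parts = version.split(".")[:3]
    return tuple(int(p) for p in parts)


def assess_proxy_exposure(conf_text: str, httpd_version: str) -> dict:
    """Return which conditions for CVE-2021-40438 exposure are met."""
    loaded = set()
    directives = []  # (line number, directive text) for active proxy rules
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out LoadModule loads nothing
        m = LOAD_MODULE.match(line)
        if m:
            loaded.add(m.group(1))
            continue
        if PROXY_DIRECTIVE.match(line):
            directives.append((lineno, line))

    version_affected = parse_version(httpd_version) < FIXED_VERSION
    proxy_loaded = bool(loaded & PROXY_MODULES)
    reverse_proxy_active = proxy_loaded and bool(directives)
    return {
        "version_affected": version_affected,
        "proxy_module_loaded": proxy_loaded,
        "proxy_directives": directives,
        "reverse_proxy_active": reverse_proxy_active,
        # All three must hold before the scanner finding is a real exposure.
        "exposed": version_affected and reverse_proxy_active,
    }


# Constructed sample: a default-style config with the proxy modules disabled.
DEFAULT_CONF = "\n".join([
    "Listen 8445",
    "LoadModule ssl_module modules/mod_ssl.so",
    "#LoadModule proxy_module modules/mod_proxy.so",
    "#LoadModule proxy_http_module modules/mod_proxy_http.so",
    "#ProxyPass /example/ http://backend.example.invalid/",
])

# Constructed sample: an administrator has enabled a reverse proxy.
REVERSE_PROXY_CONF = "\n".join([
    "Listen 8445",
    "LoadModule proxy_module modules/mod_proxy.so",
    "LoadModule proxy_http_module modules/mod_proxy_http.so",
    "ProxyPass /example/ http://backend.example.invalid/",
    "ProxyPassReverse /example/ http://backend.example.invalid/",
])


if __name__ == "__main__":
    # Usage on a real server would read the file, e.g. (placeholder path):
    #   text = open("PLACEHOLDER_PATH/httpd.conf").read()
    for name, conf in (("default", DEFAULT_CONF), ("reverse proxy", REVERSE_PROXY_CONF)):
        print(name, assess_proxy_exposure(conf, "2.4.48.694"))
```

The script only triages the finding; if it reports exposure, the remediation is still to remove the manually added reverse proxy configuration or move to a fixed Apache build. It also does not follow Include directives or detect proxying done through mod_rewrite's [P] flag, so treat a "not exposed" result as applying to the single file you passed in.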