Today, Symantec released a new security advisory covering vulnerabilities in older versions of the Symantec Endpoint Protection Manager (SEPM). Product engineering teams have worked closely with SEC Consult Vulnerability Lab and @virtualminds_es to verify the vulnerabilities. The latest release, SEPM 12.1.5, is available on FileConnect; it contains updates that address the issues and should be installed to prevent infection.
The issues are XML External Entity (XXE) injection, reflected cross-site scripting, and the potential for arbitrary file write/overwrite. The vulnerabilities are considered medium to high severity. In a normal SEPM installation, the affected port(s) should not be reachable without first gaining access to the network. Successful exploitation of these vulnerabilities could result in unauthorized user-level access to the SEPM, elevated or application-level access on a server, or network/system access.
If you’re unable to update to 12.1.5 (RU5) immediately, a SEP administrator has two options:
- Restrict web console access to localhost
- Disable the web console available at https://localhost:8443/console
To date, Symantec is not aware of exploitation of or adverse customer impact from these issues. Further details regarding the vulnerabilities should be reviewed in the advisory.