Number: IRCNE2014022105
Date: 2014/02/18
According to “zdnet”,the Internet Storm Center (ISC) at the SANS Institute is reporting a burst of scanning on ports used by Symantec Endpoint Protection Manager (SEPM) versions 11.0 and 12.1. The scanning appears aimed at building a list of systems vulnerable to a recently-disclosed vulnerability in the product.
Symantec disclosed the vulnerability on February 10 and released updates to SEPM. The fixed versions of the management console are 11.0 RU7 MP4a (11.0.7405.1424) or 12.1 RU4a (12.1.4023.4080).
The vulnerability results from erroneous parsing of XML data sent to the console, causing the console to send unsanitized queries to an internal database.
The console listens on TCP ports 8443 and 9090. Both ports are regularly scanned from across the Internet for vulnerabilities.
Symantec has also released an IPS signature to block HTTPS attacks using this vulnerability.
- 2