Attackers scanning for Symantec Endpoint Protection Manager flaw

Summary: Someone is scanning the Internet for systems vulnerable to a recently-disclosed flaw in Symantec Endpoint Protection Manager.

The Internet Storm Center (ISC) at the SANS Institute is reporting a burst of scanning on ports used by Symantec Endpoint Protection Manager (SEPM) versions 11.0 and 12.1. The scanning appears aimed at building a list of systems vulnerable to a recently-disclosed vulnerability in the product.

Symantec disclosed the vulnerability on February 10 and released updates to SEPM, along with instructions on how to apply them. The fixed versions of the management console are 11.0 RU7 MP4a (11.0.7405.1424) or 12.1 RU4a (12.1.4023.4080).

The vulnerability results from erroneous parsing of XML data sent to the console, causing the console to send unsanitized queries to an internal database. Note that Symantec says that "[o]n Tuesday, February 18, SEC Consult Vulnerability Lab, an Austrian-based security consultancy, is planning to release an advisory to the public regarding vulnerabilities that it found within Symantec Endpoint Protection."

The console listens on TCP ports 8443 and 9090. Both ports are regularly scanned from across the Internet for vulnerabilities, but on February 7th the ISC detected a marked increase in scanning. Only two IP addresses are being used in the scans, one on port 8443 and one on port 9090.
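A defender reading the ISC report would want to know whether the same pattern shows up in their own perimeter logs. The following is an added example, not code from the article, the ISC or Symantec: it reads firewall-style connection records and flags any source that touches the SEPM console ports (TCP 8443 and 9090) on several distinct hosts, which is the signature of the scanning described above. The log format, the sample records and the threshold are assumptions made for this illustration.

```python
# Added example (not from the article, ISC or Symantec): flag sources that
# probe the SEPM console ports (TCP 8443 and 9090) across many hosts in
# firewall-style connection logs. Log format and threshold are assumed.
from collections import defaultdict

SEPM_PORTS = {8443, 9090}
MIN_DISTINCT_TARGETS = 3  # assumed: one source probing >= 3 hosts is a scan

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2014-02-07T10:00:01 203.0.113.5 192.0.2.10 8443 DENY
2014-02-07T10:00:02 203.0.113.5 192.0.2.11 8443 DENY
2014-02-07T10:00:03 203.0.113.5 192.0.2.12 8443 ALLOW
2014-02-07T10:00:04 198.51.100.9 192.0.2.10 9090 DENY
2014-02-07T10:00:05 198.51.100.9 192.0.2.11 9090 DENY
2014-02-07T10:00:06 198.51.100.9 192.0.2.12 9090 DENY
2014-02-07T10:00:07 192.0.2.50 192.0.2.10 8443 ALLOW
2014-02-07T10:00:08 192.0.2.50 192.0.2.10 8443 ALLOW
2014-02-07T10:00:09 203.0.113.77 192.0.2.10 443 DENY
"""

def parse_line(line):
    """Parse one log line into (src, dst, port, action); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    _ts, src, dst, port, action = parts
    return src, dst, int(port), action

def find_sepm_scanners(log_text, min_targets=MIN_DISTINCT_TARGETS):
    """Return {src: {"targets": n, "ports": [...], "allowed": n}} for sources
    that touched a SEPM port on at least min_targets distinct hosts."""
    targets, ports, allowed = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] not in SEPM_PORTS:
            continue
        src, dst, port, action = rec
        targets[src].add(dst)
        ports[src].add(port)
        if action == "ALLOW":
            allowed[src] += 1  # a console that answered is what needs follow-up
    return {src: {"targets": len(dsts), "ports": sorted(ports[src]),
                  "allowed": allowed[src]}
            for src, dsts in targets.items() if len(dsts) >= min_targets}

if __name__ == "__main__":
    for src, info in find_sepm_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} hosts, ports {info['ports']}, allowed {info['allowed']}")
```

A legitimate administrator host that talks to a single console repeatedly (192.0.2.50 in the sample) is not flagged, while each of the two scanning sources is, and the `allowed` count singles out consoles that were actually reachable and should be patched first.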

Symantec has also released an IPS signature to block HTTPS attacks using this vulnerability.

  • Should be internet facing

    Why would someone allow this to be internet facing anyway? Hopefully within the next few weeks I'll be moving to VIPRE anyway because let's face it, SEP is as useless as t1tts on a bull.
    If anyone wants an uninstall batch file that will remove any version of SEP, I'll paste it here; just throw it on a Startup through GPO and bingo!
    • Should not be internet facing

      Edit title.