Endpoint Protection

  • 1.  SEPM RU6 cross site scripting (XSS) vulnerabilities?

    Posted Sep 10, 2010 04:04 PM
    We just upgraded from RU5 to RU6, and first thing I know our IS department tells me the server is now popping up with new vulnerabilities on port 8443/tcp and 9090/tcp. After a quick check on the box I confirm the ports in question are the new Symantec Protection Center (https://localhost:8443/portal) and Symantec Endpoint Protection Manager Web Access (http://localhost:9090/symantec.jsp).

    Web Server Vulnerable to Cross-Site Scripting Attacks

    Is this a known issue and/or is there a fix?


  • 2.  RE: SEPM RU6 cross site scripting (XSS) vulnerabilities?

    Posted Sep 11, 2010 12:51 PM

    I would get more info from your team then put a call into Symantec support.



  • 3.  RE: SEPM RU6 cross site scripting (XSS) vulnerabilities?

    Posted Sep 12, 2010 09:33 AM

    What exactly is your IS department telling you? Is it that the server is getting attacked on port 8443 and port 9090?



  • 4.  RE: SEPM RU6 cross site scripting (XSS) vulnerabilities?

    Posted Sep 12, 2010 07:09 PM

    We have performed extensive testing with the SEPM (and changed the way certain features work) to fix some issues prior to RU6, but if you believe there is still an issue with the SEPM then please feel free to contact secure@symantec.com with your concerns and they will work with our engineering and PM team to determine if there is a problem and then get it fixed.

    It could be a case that the version of Tomcat we are using has known issues, but only in certain modules, which we probably aren't using. Bear in mind that 9090 and 8443 have always been in use, and apart from hosting new services in RU6 onwards, the versions, etc. haven't changed.



  • 5.  RE: SEPM RU6 cross site scripting (XSS) vulnerabilities?

    Posted Sep 13, 2010 12:40 AM

    If you're not publishing your server to the public Internet via NAT, and this is ONLY an internal server, generally speaking this should be a low-priority vulnerability IMO. Any good perimeter firewall with proper ACLs is going to prevent this attack from happening.

    Though, it would be nice if the MR/RU builds would fix outdated builds of Apache, Tomcat, PHP, etc. at the same time as a product update...



  • 6.  RE: SEPM RU6 cross site scripting (XSS) vulnerabilities?

    Posted Sep 13, 2010 10:39 AM

    The issue was detected by a network vulnerability scan. This is new to our RU6 upgrade; it wasn't detected on the previous version.

    Web Server Vulnerable to Cross-Site Scripting Attacks port 8443/tcp (and 9090/tcp...)
     

    THREAT:
        Your Web server does not filter script embedding from links displayed on a server's Web site.

        A malicious user can exploit this vulnerability to cause JavaScript commands or embedded scripts to be executed by any user who clicks on the hyperlink. Upon clicking the hyperlink, your Web server will generate an error message including the specified or embedded script. The specified or embedded script is executed in the client's browser and treated as content originating from the target server returning the error message (even though the scripting may have originated from another site entirely).
    IMPACT:
        By exploiting this vulnerability, malicious scripts can be executed in the client's browser.
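
The behaviour the scan finding describes, an error page that echoes part of the request without filtering, can be checked for with an inert marker. This is an added example, not part of the thread and not SEPM or scanner code; the two page renderers and the probe format are constructed stand-ins.

```python
import html
import uuid

def error_page_unfiltered(requested: str) -> str:
    """Constructed stand-in: error page that echoes the request as-is."""
    return f"<html><body><h1>Error</h1><p>Not found: {requested}</p></body></html>"

def error_page_encoded(requested: str) -> str:
    """Same page with the echoed value HTML-encoded before output."""
    return ("<html><body><h1>Error</h1><p>Not found: "
            f"{html.escape(requested, quote=True)}</p></body></html>")

def make_probe() -> str:
    """Inert, unique marker containing the characters HTML treats as markup."""
    return f"<probe-{uuid.uuid4().hex[:8]} a=\"'\">"

def classify_reflection(body: str, probe: str) -> str:
    """Report how a response body handled the probe string."""
    if probe in body:
        return "reflected-unencoded"  # markup characters came back raw
    if html.escape(probe, quote=True) in body:
        return "reflected-encoded"    # echoed, but neutralised by encoding
    return "not-reflected"            # e.g. page removed, generic error

def check(render) -> str:
    """Send a fresh probe through a page renderer and classify the result."""
    probe = make_probe()
    return classify_reflection(render(probe), probe)

if __name__ == "__main__":
    pages = {
        "unfiltered error page": error_page_unfiltered,
        "encoded error page": error_page_encoded,
        "landing page removed": lambda _req: "<html><body>404</body></html>",
    }
    for name, render in pages.items():
        print(f"{name:24} {check(render)}")
```

A "not-reflected" result after a page is removed only shows that this page no longer echoes input; other pages served by the same application need their own check.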
     



  • 7.  RE: SEPM RU6 cross site scripting (XSS) vulnerabilities?
    Best Answer

    Posted Sep 13, 2010 01:48 PM

    I've noticed this as well and have 'fixed' it by removing the landing pages that are vulnerable.

    In this folder: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\scm

     

    Rename symantec.html and symantec.jsp to symantec.html.old and symantec.jsp.old (or delete if you prefer)

    I believe this page is just the landing page that allows users to install the console - so you don't really need it unless you plan on sending users there to install the console.

     



  • 8.  RE: SEPM RU6 cross site scripting (XSS) vulnerabilities?

    Posted Sep 14, 2010 04:11 PM

    Thanks, Matt.  Tried this out as a test and we did get the clean bill of health from the scan.

     

    Symantec, any plans on addressing this programmatically? Maybe using a version of Tomcat that hasn't been EOL'd?



  • 9.  RE: SEPM RU6 cross site scripting (XSS) vulnerabilities?

    Posted Sep 14, 2010 06:45 PM

    We do have plans to upgrade to a much newer version of Tomcat with our next major release, yes.

    In the meantime, the secure folks are still working through the issue with our engineering team to confirm exactly what the problem is and whether it is exploitable or not.

    When they have more information and a way forward, they will be in touch with you.