Symantec Endpoint Protection Manager 12.1.x < 12.1 RU6 MP5 Multiple Vulnerabilities (SYM16-011)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The version of Symantec Endpoint Protection Manager installed on the
remote host is affected by multiple vulnerabilities.

Description :

The version of Symantec Endpoint Protection Manager (SEPM) installed
on the remote host is prior to 12.1 RU6 MP5. It is, therefore,
affected by the following vulnerabilities :

- A race condition exists in the SEP client that allows a
local attacker to bypass security restrictions,
resulting in the ability to download or upload files on
the client system. (CVE-2015-8801)

- A server-side request forgery vulnerability exists in
the authentication interface that allows an attacker to
bypass access controls and scan unauthorized content on
the internal network. (CVE-2016-3647)

- An unspecified flaw exists that allows an attacker to
bypass lock threshold limits, resulting in the ability
to recover management console passwords using
brute-force methods. (CVE-2016-3648)

- An unspecified flaw exists when handling GET object
requests that allows an attacker to disclose information
related to valid administrator accounts. (CVE-2016-3649)

- An unspecified flaw exists that allows an attacker to
disclose server credentials. (CVE-2016-3650)

- An unspecified flaw exists related to PHP JSESSIONID
that allows an attacker to execute arbitrary code.
(CVE-2016-3651)

- Multiple cross-site scripting vulnerabilities exist due
to improper validation of user-supplied input to the
'createModalDialogFromURL', 'createWindowFromURL',
'createWindowFromForm', and 'createIEWindowFromForm'
parameters in the notificationpopup.php script. An
unauthenticated, remote attacker can exploit these
issues, via a specially crafted request, to execute
arbitrary script code in a user's browser session.
(CVE-2016-3652)

- A cross-site request forgery vulnerability exists in the
sr-save.php script due to a failure to require multiple
steps, explicit confirmation, or a unique token when
performing certain sensitive actions. An
unauthenticated, remote attacker can exploit this, via a
specially crafted link, to cause a user to send schedule
reports. (CVE-2016-3653)

- A flaw exists in the externalurl.php script due to
improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit this, via a
specially crafted link, to redirect a user to an
arbitrary website. (CVE-2016-5304)

- An unspecified flaw exists in a PHP script that allows
an attacker to conduct DOM-based link manipulation.
(CVE-2016-5305)

- An information disclosure vulnerability exists due to a
failure to enable HTTP Strict Transport Security on port
8445. (CVE-2016-5306)

- A directory traversal vulnerability exists in the
management console that allows an attacker to access
files and directories on the web root. (CVE-2016-5307)
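The HSTS finding above (CVE-2016-5306) is one a defender can verify independently of the plugin. The following check is an added example, not Tenable's plugin code and not anything shipped with SEPM: it parses a raw HTTPS response header block and reports whether a usable Strict-Transport-Security header is present. The sample responses are constructed for the example, and the 180-day minimum max-age is an assumed hardening threshold, not a value from the advisory.

```python
# Added example (not part of the Tenable plugin or of SEPM): evaluate the HSTS
# posture of one HTTPS response, e.g. one captured from a management console port.
from __future__ import annotations

# Assumed threshold: 180 days. Hardening guides differ; adjust to local policy.
MIN_MAX_AGE = 15552000


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP response (status line + headers) into a lower-cased dict.
    Only the header block before the first blank line is read; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def evaluate_hsts(raw_response: str) -> dict:
    """Return a finding for one response. status is 'missing', 'weak' or 'ok'."""
    headers = parse_headers(raw_response)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return {"status": "missing", "max_age": None, "include_subdomains": False}
    directives: dict[str, str] = {}
    for part in hsts.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        max_age = None  # header present but max-age absent or unparsable
    include_sub = "includesubdomains" in directives
    status = "ok" if max_age is not None and max_age >= MIN_MAX_AGE else "weak"
    return {"status": status, "max_age": max_age, "include_subdomains": include_sub}


# Constructed sample responses; not captured from a real SEPM host.
RESPONSE_WITHOUT_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
RESPONSE_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)
RESPONSE_WEAK_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=60\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("missing", RESPONSE_WITHOUT_HSTS),
                        ("present", RESPONSE_WITH_HSTS),
                        ("short max-age", RESPONSE_WEAK_HSTS)):
        print(label, evaluate_hsts(resp))
```

A response with no header at all is reported as `missing`; one whose `max-age` is below the threshold (or unparsable) is reported as `weak`, since a very short policy lifetime gives little protection after the first visit.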

See also :

http://www.nessus.org/u?9ff09b0f
http://www.nessus.org/u?a965f2f9
http://www.nessus.org/u?f0891bf6

Solution :

Upgrade to Symantec Endpoint Protection Manager version 12.1 RU6 MP5
or later.

Risk factor :

Medium / CVSS Base Score : 6.0
(CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true
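The base and temporal scores above can be reproduced from the vectors the plugin prints. The following is an added example, not Tenable's own scoring code: it applies the CVSS v2.0 equations (impact, exploitability and the temporal multipliers, with the specification's metric weights) to the two vectors in the Risk factor section and rounds to one decimal as the specification requires.

```python
# Added example (not Tenable's code): recompute CVSS v2 base and temporal scores
# from vectors in the form printed by Nessus, e.g. "CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P".
# Metric weights are those of the CVSS v2.0 specification.

BASE_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},      # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},       # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},      # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},       # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},       # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},       # availability impact
}
TEMPORAL_WEIGHTS = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},    # exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # remediation level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},             # report confidence
}


def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:M/...' (with or without a 'CVSS2#' prefix) into a metric dict."""
    vector = vector.split("#", 1)[-1]
    return dict(part.split(":", 1) for part in vector.split("/"))


def cvss2_base_score(vector: str) -> float:
    """Base score per CVSS v2.0: impact and exploitability subscores combined."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - BASE_WEIGHTS["C"][m["C"]])
                        * (1 - BASE_WEIGHTS["I"][m["I"]])
                        * (1 - BASE_WEIGHTS["A"][m["A"]]))
    exploitability = (20 * BASE_WEIGHTS["AV"][m["AV"]]
                      * BASE_WEIGHTS["AC"][m["AC"]]
                      * BASE_WEIGHTS["Au"][m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def cvss2_temporal_score(base_score: float, vector: str) -> float:
    """Temporal score: base score scaled by the E, RL and RC multipliers."""
    m = parse_vector(vector)
    return round(base_score
                 * TEMPORAL_WEIGHTS["E"][m["E"]]
                 * TEMPORAL_WEIGHTS["RL"][m["RL"]]
                 * TEMPORAL_WEIGHTS["RC"][m["RC"]], 1)


if __name__ == "__main__":
    base_vec = "CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P"   # vector from the Risk factor section
    temp_vec = "CVSS2#E:F/RL:OF/RC:ND"             # vector from the Risk factor section
    base = cvss2_base_score(base_vec)
    print("base", base)                            # 6.0
    print("temporal", cvss2_temporal_score(base, temp_vec))  # 5.0
```

With the page's vectors the impact subscore is about 6.44, the exploitability subscore 6.83, giving a base score of 6.0; the temporal multipliers for functional exploit (E:F, 0.95) and official fix (RL:OF, 0.87) bring it to 5.0, matching the values the plugin reports. An `ND` (not defined) temporal metric weighs 1.0 and does not change the score.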
