Symantec Endpoint Protection Manager Multiple Issues


Systems Affected


Threat Level



The management console for Symantec Endpoint Protection Manager (SEPM) is susceptible to multiple vulnerabilities including XML External Entity Injection, reflected cross-site scripting and the potential for arbitrary file write/overwrite.


The management console for Symantec Endpoint Protection Manager (SEPM) does not properly validate incoming XML data, which could allow unauthorized access to restricted server-side data and potentially allow additional console management functionality to be leveraged. Exploiting this type of vulnerability would require an attacker to successfully impersonate or hijack the source of external information/updates for SEPM, or to inject arbitrary XML into an incoming XML stream.
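The mitigation for this class of issue is to parse untrusted XML with document type declarations and external entity resolution disabled. The following is an added example, not code from the advisory or from Symantec, showing that check with only Python's standard-library expat bindings; the SEPM-style update documents it parses are constructed samples.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when an inbound document carries a DOCTYPE (and so may declare entities)."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source into {dotted.element.path: text}.

    Any DOCTYPE is rejected outright, which removes every entity declaration
    (external, parameter and recursive internal ones), and expat is told never
    to load external parameter entities such as a remote DTD.
    """
    result: dict = {}
    stack: list = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{name}' not permitted in inbound XML")

    def on_external_ref(context, base, system_id, public_id):
        return 0  # defence in depth: refuse to fetch anything external

    def on_start(name, attrs):
        stack.append(name)

    def on_end(name):
        stack.pop()

    def on_chars(text):
        if stack and text.strip():  # expat may deliver text in several chunks
            key = ".".join(stack)
            result[key] = result.get(key, "") + text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return result


def is_accepted(data: bytes) -> bool:
    """True if the document parses cleanly, False if it is rejected or malformed."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXML, expat.ExpatError):
        return False


# Constructed samples: a plain update document, and one that declares an external entity.
BENIGN_UPDATE = b'<?xml version="1.0"?>\n<update><host>sepm01</host><version>12.1</version></update>'
HOSTILE_UPDATE = (b'<?xml version="1.0"?>\n<!DOCTYPE update [<!ENTITY ext SYSTEM "file:///placeholder">]>'
                  b'\n<update><host>&ext;</host></update>')
```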

SEPM is also susceptible to reflected XSS issues in the interface scripts used to manage the console. The management console does not sufficiently validate or sanitize incoming input. Successful targeting could allow an unauthorized individual to steal the session cookies or hijack the browser session being used to manage the console, which could in turn grant unauthorized user-level access to the management console.

An arbitrary file write vulnerability in the ConsoleServlet could allow an attacker to write or overwrite arbitrary files in the context of the web server. It is caused by improper filtering of user-supplied data passed to the logging component, which could allow arbitrary code to be written to the log file and potentially to disk. Such an attempt would most likely result in a denial-of-service disruption of the server; if it succeeded, however, it could lead to unauthorized elevated access on the server.

In a recommended installation, the Symantec Endpoint Protection Manager server should not be reachable from outside the network. This still leaves it exposed to internal attack attempts from malicious non-privileged users, but it should restrict external attack attempts. A malicious, unauthorized individual could nonetheless use known trust-exploitation methods to compromise a client user in an attempt to gain network/system access. Such attempts generally require enticing a previously authenticated user to follow a malicious link, for example a web link or a link in an HTML email.

The potential to leverage the remotely reachable XXE vulnerabilities to facilitate further attempts against local-access functionality could increase the overall severity of a successful attack against the application. A successful attack could potentially allow application-level access to the server.


Access Privileged Data -- Remote/Unauthenticated
Overwrite Arbitrary Files -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction

Solution / Workarounds

  ✻  Update to the latest version of Mozilla Firefox on Windows, Linux and Mac.



The information provided herein is on an "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.