Endpoint Security Blog

Security Advisory for SEP Management Vulnerabilities

Created: 13 Feb 2014 • Updated: 14 Feb 2014 • 18 comments


Symantec Product Security has posted SYM14-004 - Product Security Advisory for Symantec Endpoint Protection Management Vulnerabilities

 

  • A Security Advisory has been posted.

  • This is a High Severity Advisory which identifies multiple vulnerabilities in the Symantec Endpoint Protection Manager. A BCS Bulletin is being sent.

  • While there are no known exploits taking advantage of these vulnerabilities, Symantec is urging all customers to update their managers to the latest version, Symantec Endpoint Protection Manager 12.1 RU4a, as soon as possible. Clients are not affected and do not need to be updated.

  • For detailed information on these vulnerabilities, including the products and builds affected and information on obtaining an updated build, please review the advisory at:
    http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00

  • As part of normal best practices, Symantec strongly recommends keeping all operating systems and applications updated with the latest vendor patches. For additional information on this and any other recent advisories, please visit the Symantec Advisory page at: http://www.symantec.com/security_response/securityupdates/list.jsp?fid=security_advisory

  • Additionally, Symantec has released IPS signature 27273 to detect and help mitigate attempts to exploit these vulnerabilities. Symantec recommends enabling all functionality within Symantec Endpoint Protection for maximum security.

  • If you are not able to update at this time, there are mitigations. Symantec's recommended configuration is that the Symantec Endpoint Protection Manager not be externally accessible, which limits what an attacker can reach. You can configure your firewall to block external access to the vulnerable components (the manager's web console port 9090 and named server port 8443). Please refer to TECH214866 for the ramifications of blocking these ports: the web console, remote Java console, replication and the password-reset URL all depend on them.

For any open cases on this issue, please link to the document below:
http://www.symantec.com/business/support/index?page=content&id=TECH214866

Update Information

Symantec Endpoint Protection Manager update versions 11.0 RU7-MP4a (11.0.7405.1424) and 12.1 RU4a (12.1.4023.4080) are available from Symantec File Connect.
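The two checks an administrator wants after reading the above are "is this manager actually on a fixed build?" and "who can reach the console ports?". The following PowerShell is an added example written for this page; it is not Symantec's code and not part of the advisory. It assumes Windows Server 2012 or later (the NetSecurity cmdlets; on 2008 R2 use netsh advfirewall with the same ports), assumes SEPM has an entry under the Windows Uninstall registry keys whose DisplayName starts with "Symantec Endpoint Protection Manager", and uses a hypothetical admin subnet in $AdminHosts that you must replace with your own. The fixed build numbers and the ports 8443/9090 are the ones named on this page.

```powershell
# Added example, not from the advisory or this post. Assumptions (labelled):
#  - Windows Server 2012 or later, so the NetSecurity cmdlets exist. On 2008 R2
#    use "netsh advfirewall firewall" with the same ports instead.
#  - SEPM registers an Uninstall entry whose DisplayName starts with
#    "Symantec Endpoint Protection Manager" (assumed; confirm on your host).
#  - $AdminHosts is a hypothetical list of the addresses that legitimately need
#    the console and replication ports (admin PCs, a second SEPM); replace it.
$AdminHosts   = @('10.0.1.0/24')       # hypothetical admin subnet
$ConsolePorts = @(8443, 9090)          # named server port, web console port (TECH214866)

# Fixed builds named in the post: 11.0 RU7-MP4a and 12.1 RU4a.
$FixedBuild = @{ 11 = [version]'11.0.7405.1424'; 12 = [version]'12.1.4023.4080' }

function Get-SepmInstalledVersion {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Symantec Endpoint Protection Manager*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

# $true only when the installed manager is at or above the fixed build for its
# branch. This is the check that catches "only the client got upgraded and the
# manager is still on the old build".
function Test-SepmPatched {
    $v = Get-SepmInstalledVersion
    if (-not $v) { Write-Warning 'No SEPM uninstall entry found'; return $false }
    $installed = [version]$v
    $fixed = $FixedBuild[$installed.Major]
    if (-not $fixed) { Write-Warning "No fixed build known for branch $v"; return $false }
    Write-Host ("{0}: SEPM {1}, fixed build {2}" -f $env:COMPUTERNAME, $installed, $fixed)
    return ($installed -ge $fixed)
}

# Every enabled inbound rule that opens 8443 or 9090 (or every port). Exposed =
# an Allow rule whose remote scope is Any: that is the rule an attacker on the
# internet would come through.
function Get-SepmPortExposure {
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True) {
        $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
        $hit   = $ports | Where-Object { $_ -match '^\d+$' -and $ConsolePorts -contains [int]$_ }
        if (-not $hit -and $ports -notcontains 'Any') { continue }
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        [pscustomobject]@{
            Name          = $rule.Name
            DisplayName   = $rule.DisplayName
            Action        = $rule.Action
            Profile       = $rule.Profile
            LocalPort     = ($ports -join ',')
            RemoteAddress = ($remote -join ',')
            Exposed       = ($rule.Action -eq 'Allow' -and $remote -contains 'Any')
        }
    }
}

# Remediation in line with the advisory: keep the ports reachable only from the
# admin hosts. In Windows Firewall a Block rule always beats an Allow rule, so
# do not add an unscoped Block for 8443: that also kills replication and the
# remote console (TECH214866). Scope the Allow rules instead and make the
# default inbound action Block.
function Limit-SepmConsoleExposure {
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    foreach ($r in Get-SepmPortExposure | Where-Object Exposed) {
        if ($r.LocalPort -eq 'Any') {
            Write-Warning "Rule '$($r.DisplayName)' allows any port from anywhere; review it by hand."
            continue
        }
        Set-NetFirewallRule -Name $r.Name -RemoteAddress $AdminHosts
    }
    if (-not (Get-NetFirewallRule -DisplayName 'SEPM console (admin hosts only)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'SEPM console (admin hosts only)' -Direction Inbound `
            -Protocol TCP -LocalPort $ConsolePorts -RemoteAddress $AdminHosts -Action Allow | Out-Null
    }
}

if (-not (Test-SepmPatched)) {
    Get-SepmPortExposure | Format-Table -AutoSize
    # Uncomment once $AdminHosts is correct for your site:
    # Limit-SepmConsoleExposure
}
```

Run it as Administrator on the manager. If the web console is not needed at all, a plain inbound Block rule for TCP 9090 (New-NetFirewallRule -Direction Inbound -Protocol TCP -LocalPort 9090 -Action Block) is the simplest option and loses only the items listed for port 9090 in TECH214866; 8443 should only ever be scoped, never blocked outright, unless you accept losing replication and the remote console.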

The following picture, shows the section within Symantec File Connect.

[Screenshot: SEP 12.1.4a.PNG, the Symantec File Connect download section]

 

 

Comments (18)

GG1 wrote:

I've downloaded 12.1 RU4a (12.1.4023.4080) and applied the update to a server with SEPM 12.1.3001.165. However, on reboot I still have the same version of SEPM, 12.1.3001.165.

Although the unmanaged client part (SEP) of the server was upgraded to 12.1.4.4013.4013, as per the version text in the part1a tool package.

Should I try downloading again? And which one?

pete_4u2002 wrote:

You might have upgraded only the client; upgrade the manager.

GG1 wrote:

Thanks, but when I tried I got "Symantec Endpoint Protection Manager has detected that there are pending system changes that require a reboot. Please reboot ... and retry the installation."

The above message was no problem: I rebooted, tried again and got the same message.

I rebooted and tried again, same message. What can I do?

pete_4u2002 wrote:

Can you check:

SEPM Upgrade fails with the message "Pending system changes that require a reboot have been detected"
Article: TECH180855 | Created: 2012-02-07 | Updated: 2012-07-28 | Article URL: http://www.symantec.com/docs/TECH180855

Chetan Savade wrote:

Hi,

Before making any changes to the registry, take a backup.

Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager --> find the value "PendingFileRenameOperations" and delete it if it exists.

See if it helps.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

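The registry step above, done so that you see what is pending before you throw it away. This PowerShell is an added example written for this page, not Chetan's or Symantec's code; it assumes an elevated PowerShell session on the SEPM host and writes its backup to a hypothetical path under $env:TEMP. The key and value name are the ones named in the comment.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session on
# the SEPM host. $Backup is a hypothetical location; change it to suit.
$Key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$RegKey = 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager'   # same key, reg.exe spelling
$Value  = 'PendingFileRenameOperations'
$Backup = Join-Path $env:TEMP ('SessionManager-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# The value is REG_MULTI_SZ holding (source, destination) pairs; an empty
# destination means "delete source at next boot". Listing them first tells
# you which installer (SEPM's own, or something unrelated) left them behind.
function Get-PendingFileRenames {
    $p = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if (-not $p) { return @() }
    $ops = @($p.$Value)
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $src = $ops[$i] -replace '^\\\?\?\\', ''            # strip the \??\ NT path prefix
        $dst = '(delete)'
        if ($i + 1 -lt $ops.Count -and $ops[$i + 1]) {
            $dst = $ops[$i + 1] -replace '^\\\?\?\\', ''
        }
        [pscustomobject]@{ Source = $src; Destination = $dst }
    }
}

# Back the key up with reg.exe, refuse to continue if the backup failed, then
# remove the value. Only do this after a reboot has genuinely not cleared it:
# removing it silently drops whatever the other installer meant to do at boot.
function Clear-PendingFileRenames {
    $pending = @(Get-PendingFileRenames)
    if ($pending.Count -eq 0) {
        Write-Host "$Value is not set; nothing to clear."
        return
    }
    $pending | Format-Table -AutoSize | Out-String | Write-Host
    & reg.exe export $RegKey $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Backup)) {
        throw "Backup to $Backup failed; leaving $Value in place."
    }
    Remove-ItemProperty -Path $Key -Name $Value
    Write-Host "Removed $Value (backup: $Backup). Re-run the SEPM installer now."
}

Clear-PendingFileRenames
```

To restore the key exactly as it was, double-click the exported .reg file or run reg.exe import with its path.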
GG1 wrote:

Thanks, I found "PendingFileRenameOperations". I exported HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager and then deleted "PendingFileRenameOperations".

I tried the setup from part1a to install the management component; that seems to get me a lot further. It let me start the database backup (a long, long time to finish).

It would have been nice if it had allowed me the option of not installing the web management console, though.

Two last questions:

How can I disable the web component?

I found that quite a few PCs went offline after I manually upgraded them and rebooted. Do I have to delete the PCs from the management console and add them again to get them online?

Chetan Savade wrote:

Hi,

Q. How can I disable the web component?

--> What exactly are you looking to disable? Do you want to disable the SEPM web console?

Q. I found that quite a few PCs went offline after I manually upgraded them and rebooted. Do I have to delete the PCs from the management console and add them again to get them online?

--> Ideally clients should not go offline after an upgrade; deleting the PCs from the management console won't make a difference.

Check the package settings you applied while doing the upgrade.

GG1 wrote:

Thanks,

I would like to disable the SEPM web console.

GG1 wrote:

Nice to know.

However, following the article, I was unable to disable external web access only, without disabling the console login on the PC where the Protection Manager is installed.

I ended up putting a firewall restriction on port 9090 on the PC where the Protection Manager is installed.

Chetan Savade wrote:

Web access uses the fixed port 9090, and putting a firewall restriction on that port looks like the better approach to me as well.

pete_4u2002 wrote:

The clients should report to the SEPM, as you may not have changed certificates.

Monitor for some time.

GG1 wrote:

5 of them now report as online, but the others are still offline.

Chetan Savade wrote:

After a SEPM upgrade it takes time for clients to come online. You can keep monitoring for some time.

Doraemon wrote:

Hi All,

Kindly assist me with this issue. How can I download the 27273 IPS definition in SEPM 11.x.x? Please see the attached images for the installed IPS definitions and the update version of SEPM.

Thanks

[Attached images: IPS.jpg, Virus definition.png]
.Brian wrote:

There is no signature for 27273.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Doraemon wrote:

Hi .Brian,

What can I do to make our customer protected against the vulnerabilities in SEPM? Can someone give me a procedure for creating a firewall policy for 8443 and 9090? I tried to create a policy in my lab, but after updating my SEP client from the SEPM it no longer allowed me to log in.

Thanks

Dean

torsten_knorr wrote:

Hi Dean,

You have to check a few things first:

Did you read the table below? It explains the necessary steps before you create the firewall policy.

Exceptions are needed for the SEP admin PC or a second SEPM.

It also explains why you are unable to log in after you have applied the firewall policy.

 

Port 9090 (web console port)
  Implication: No access to the Symantec Endpoint Protection Manager home page.
  Alternate solution: None.
  Implication: Cannot download the package to install the remote Java console.
  Alternate solution: Use the local Symantec Endpoint Protection Manager console.
  Implication: Cannot download the server certificate (12.x only).
  Alternate solution: The SEPM server administrator may copy the server certificate for distribution.
  Implication: Online help docs are unavailable.
  Alternate solution: Use context-sensitive help in the local console, or access Symantec Technical Support documentation via Symantec.com.

Port 8443 (named server port)
  Implication: Cannot use the remote Java or web console.
  Alternate solution: Use the local Symantec Endpoint Protection Manager console.
  Implication: No replication.
  Alternate solution: Make all policy or administration changes at each site.
  Implication: The Password Reset URL will not work (12.x only).
  Alternate solution: Administrators with higher privileges (System Administrator / Administrator) can log in to the local console and change the password for any other admins as required.
    System Administrator (full site control): can change passwords for all administrators across the enterprise.
    Administrator (domain control): can change passwords for other domain administrators and limited administrators in the same domain.
  Implication: Cannot use Symantec Protection Center v1.
  Alternate solution: None.
