
Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

Created: 18 Feb 2013 | 14 comments
Mohammad Ashkaibi:

Hello

My customer has McAfee Vulnerability Manager (formerly Foundstone) and they discovered two (2) HTTP denial-of-service vulnerabilities in their SEPM 12.1 RU1 MP1 related to the Apache Tomcat server on which SEPM is built. One of those vulnerabilities is CVE-2009-5111 (I can provide the other as soon as I have it).

Has anyone ever run into a similar scenario? Unfortunately, the release notes for SEP 12.1.2 (or even prior versions) don't mention having those vulnerabilities remediated. What should I do? Would contacting Tech Support yield any help?

Thanks.


- Moh

Comments (14)

.Brian:

I believe there was a previous thread a few days ago with this.

You would need to call support to find out if you can upgrade only the DB or go to RU2

Symantec is likely aware and has the fix or workaround

Check this link as it provides all security advisories for Symantec. Perhaps you can find what you need here:

https://www.symantec.com/security_response/securit...

CVE-2009-5111 seems to be related to GoAhead Webserver, not sure this applies to SEPM

https://web.nvd.nist.gov/view/vuln/detail?vulnId=C...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mohammad Ashkaibi:

So... there's something to it, huh? I will call Support to find out what to do, or at least what to report back to the customer. Thanks for the reply and advice.

In the meantime, here's the vulnerability description to check out. Needless to say, I cannot follow their recommendation; otherwise I might render SEPM nonfunctional.


A denial of service vulnerability is present in some HTTP servers.

Observation

Apache HTTP Server is a widely used Web server. Apache, and other Web servers, bind each connection to a different process or thread. A denial of service vulnerability is present in some HTTP servers. The DoS occurs because the server allows incomplete connections to stay open for an unnecessary period of time. Processes are a limited resource, and thus the server cannot have infinite connections but instead a limited number of clients connected at the same time. The attacker will create multiple slow, incomplete connection requests to the server, causing it to reach the connection limit and making the server stop responding to other legitimate requests.

Recommendation

Download the latest version of Apache HTTP Server from the following location: http://httpd.apache.org/download.cgi

A workaround, although not a final solution, is to decrease the Timeout setting for Apache to 10 seconds or less, instead of the default 5 minutes. Particular considerations apply depending on each organization and the type of clients expected to connect to their web servers. For example, the timeout and minimum data rate for receiving requests can be set by enabling the Apache module "mod_reqtimeout": http://httpd.apache.org/docs/trunk/mod/mod_reqtimeout.html

HTTP servers that use the asynchronous I/O technique are not vulnerable to this attack. Some of those servers are: lighttpd, nginx, Apache's experimental event MPM, IIS 6, IIS7,


- Moh
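The condition the scanner text above describes (a half-open request holding a worker until the server's timeout expires) can be measured directly. The following is an added example written for this page, not code from the original thread or from Symantec: it embeds a toy thread-per-connection server so it runs offline, sends a request whose headers are never terminated, and reports how long the server keeps the connection before dropping it. The hostnames, ports, `header_timeout=None` as a stand-in for a long stock `Timeout`, and the 0.5 s hardened value are all assumptions; against a real SEPM you would point `slow_probe` at the management server's HTTP port and compare the result with its configured timeout.

```python
"""Added example, not part of the original thread: a Slowloris-style probe.

It opens a TCP connection, sends request headers that are never terminated
by the blank line, and measures how long the server keeps the half-open
connection before closing it. A server that is still waiting when the probe
gives up is tying a worker up for a partial request, which is the condition
the scanner description is reporting. A toy server is embedded so the
example runs offline: header_timeout=None models a server that waits out a
long global Timeout, a small value models a mod_reqtimeout-style header read
limit. Hostnames, ports and timeout values are assumptions.
"""
import socket
import threading
import time

# Constructed partial request: valid header lines, but no terminating CRLF CRLF.
PARTIAL_REQUEST = b"GET / HTTP/1.1\r\nHost: sepm.example.invalid\r\nX-Padding: a\r\n"


def handle_client(conn, header_timeout):
    """Read headers; give up after header_timeout seconds (None = wait forever)."""
    conn.settimeout(header_timeout)
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:        # client closed first
                return
            buf += chunk
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
    except socket.timeout:
        # What mod_reqtimeout does: stop holding a worker for a slow client.
        conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
    finally:
        conn.close()


def start_toy_server(header_timeout):
    """Thread-per-connection server on 127.0.0.1, ephemeral port. Returns (port, stop_event)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(16)
    listener.settimeout(0.2)     # lets the accept loop notice the stop flag
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle_client, args=(conn, header_timeout), daemon=True).start()
        listener.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1], stop


def slow_probe(host, port, max_wait):
    """Send a partial request. Return seconds until the server closed the
    connection, or None if it was still open after max_wait seconds."""
    s = socket.create_connection((host, port), timeout=max_wait)
    start = time.monotonic()
    try:
        s.sendall(PARTIAL_REQUEST)
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                return None                  # still open: a worker was held for the whole window
            if not data:                     # EOF: server dropped the half-open connection
                return time.monotonic() - start
            # a 408 or similar arrived; keep reading until the close follows
    finally:
        s.close()


def demo(max_wait=2.0):
    """Probe both toy configurations; returns {'vulnerable': None, 'hardened': seconds}."""
    results = {}
    for label, header_timeout in (("vulnerable", None), ("hardened", 0.5)):
        port, stop = start_toy_server(header_timeout)
        try:
            results[label] = slow_probe("127.0.0.1", port, max_wait)
        finally:
            stop.set()
    return results


if __name__ == "__main__":
    for label, closed_after in demo().items():
        state = "still open" if closed_after is None else f"closed after {closed_after:.2f}s"
        print(f"{label:10s}: {state}")
```

One connection is enough to show the behaviour; an actual outage needs as many of these as the server has workers, which is why a long global Timeout matters more than any single request. Run the probe only against systems you are authorized to test.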

.Brian:

Is this the same CVE from your first post?

If so, SEPM should not be affected, at least per the notes


Mithun Sanghavi:

Hello,

CVE-2009-5111 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5111

This refers to: GoAhead WebServer allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.

When you run the same application against SEP 12.1 RU2, does it show anything in reference to CVE-2009-5111?

I would rather go for a Nessus vulnerability scan.

In case of any doubts, please create a case with Symantec Technical Support.

How to create a new case in MySymantec

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Phone numbers to contact Tech Support:

Regional Support Telephone Numbers:

  • United States: 800-342-0652 (407-357-7600 from outside the United States)
  • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
  • United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_t...

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SebastianZ:

Vulnerability CVE-2009-5111 - GoAhead WebServer allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.

It doesn't list any Symantec products affected.

http://cvedetails.com/cve-details.php?t=1&cve_id=C...

Mohammad Ashkaibi:

Thanks for the replies, Mithun & Sebastian, but does it mean this might be a false positive, or McAfee's scanner is not playing nicely?

Honestly I didn't have the chance to look that up myself until after your posts...


- Moh

Mithun Sanghavi:

Hello,

It seems you have been either miscommunicated with or misguided.

I would suggest that you migrate to the latest version, SEP 12.1 RU2, and also run the Nessus Vulnerability Scanner.

http://www.tenable.com/products/nessus

Hope that helps!!

.Brian:

It would appear it didn't differentiate between Apache and GoAhead, and just assumed it was Apache. That makes the reference to an "HTTP" server read as if it means "all HTTP servers". Seems confusing to me.


Mohammad Ashkaibi:

Guys, does this mean that McAfee has something wrong (or possibly dirty) in their vulnerability database? In their CVE description they clearly mention it is related to Apache (among other web servers). I'm getting really confused.

BTW, the other vulnerability detected on SEPM is CVE-2007-6750

Thanks


- Moh

.Brian:

Basically, it appears to identify it but gives the wrong product name. Overall, Apache probably needs to be patched but only Symantec can tell you if you can upgrade Apache only.

If you can, I would upgrade to 12.1 RU2, as I know it had a few fixes for these bugs related to Apache.


Mohammad Altaf Khan:

The same vulnerability was detected on our SEPM 12 server.

We use the same vulnerability scanner, McAfee Foundstone ver. 7.5.

Symantec confirmed the vulnerability and they have been looking for a workaround for the last 20 days.

Case: 04025791


Mick2009:

Hello all,

Symantec is indeed aware of this: in response, changes have been made to ensure that a future release of the SEPM will be invulnerable. 

I will also update this thread in due course with details on how to ensure your SEP 12.1 RU2 SEPM is not vulnerable. 

In the meantime: I have not heard of any real-world exploits of a SEPM from this vulnerability.  There is no threat in the wild which exploits this, etc.

With thanks and best regards,

Mick

Mick2009:

The article with the workaround is now available:

Configuring the Apache web server to prevent denial of service attack in Symantec Endpoint Protection 12.1 RU2 and later
Article URL http://www.symantec.com/docs/TECH205208

With thanks and best regards,

Mick
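Before and after applying a workaround of this kind, it is worth checking the Apache configuration for the two settings the scanner text in this thread names: the global `Timeout` and mod_reqtimeout's `RequestReadTimeout`. The following is an added example written for this page, not code from the thread, from Symantec's TECH205208 (whose contents are not reproduced here) or from the scanner vendor. The two config fragments are constructed for illustration rather than copied from an SEPM install; the "10 seconds or less" threshold is the scanner's own wording, and the `RequestReadTimeout` values are the example from the mod_reqtimeout documentation.

```python
"""Added example, not part of the original thread or of TECH205208: a small
audit of an httpd.conf for the two slow-request mitigations named in the
thread, the global Timeout and mod_reqtimeout's RequestReadTimeout.
Sample fragments are constructed (assumptions), not real SEPM files.
"""

MAX_ACCEPTABLE_TIMEOUT = 10      # seconds, per the scanner recommendation quoted in the thread
APACHE_DEFAULT_TIMEOUT = 300     # Apache's compiled-in default when Timeout is absent

# Constructed fragment: long global timeout, no request read limits.
STOCK_CONF = """\
# stock-style fragment
Timeout 300
KeepAlive On
"""

# Constructed fragment with both mitigations; RequestReadTimeout values are
# the mod_reqtimeout documentation example (header: 20 s, extended 1 s per
# 500 bytes up to 40 s; body: 20 s as long as the client sends >= 500 B/s).
HARDENED_CONF = """\
Timeout 10
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
"""


def parse_httpd_conf(text):
    """Yield (directive_lowercased, argument_string) for each directive line.
    Comments and container tags (<IfModule>, </Directory>, ...) are skipped and
    nesting is ignored, which is enough for a flat audit of global settings."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def parse_request_read_timeout(args):
    """Parse 'header=20-40,MinRate=500 body=20,MinRate=500' into
    {'header': {'timeout': 20, 'max': 40, 'minrate': 500}, 'body': {...}}."""
    stages = {}
    for token in args.split():
        stage, _, spec = token.partition("=")
        fields = spec.split(",")
        low, _, high = fields[0].partition("-")
        entry = {"timeout": int(low), "max": int(high) if high else int(low), "minrate": None}
        for extra in fields[1:]:
            key, _, value = extra.partition("=")
            if key.lower() == "minrate":
                entry["minrate"] = int(value)
        stages[stage.lower()] = entry
    return stages


def audit_slow_request_settings(text):
    """Return a list of findings; an empty list means both mitigations are present."""
    findings = []
    timeout = APACHE_DEFAULT_TIMEOUT
    reqtimeout_loaded = False
    read_timeouts = None
    for name, args in parse_httpd_conf(text):
        if name == "timeout":
            timeout = int(args)
        elif name == "loadmodule" and args.split()[:1] == ["reqtimeout_module"]:
            reqtimeout_loaded = True
        elif name == "requestreadtimeout":
            read_timeouts = parse_request_read_timeout(args)

    if timeout > MAX_ACCEPTABLE_TIMEOUT:
        findings.append(f"Timeout is {timeout}s: each half-open connection can hold a worker "
                        f"that long (scanner recommends {MAX_ACCEPTABLE_TIMEOUT}s or less)")
    if not reqtimeout_loaded:
        findings.append("mod_reqtimeout is not loaded: no per-stage limit on slow header/body delivery")
    elif read_timeouts is None:
        findings.append("mod_reqtimeout is loaded but RequestReadTimeout is not set")
    else:
        for stage in ("header", "body"):
            if stage not in read_timeouts:
                findings.append(f"RequestReadTimeout sets no limit for the {stage} stage")
    return findings


if __name__ == "__main__":
    for label, conf in (("stock", STOCK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_slow_request_settings(conf)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

On an SEPM the Apache instance belongs to the product, so the settings to apply are the ones in the vendor article rather than a generic hardening guide; this check only tells you whether those settings are actually in effect in the file the server reads, which is the question a rescan will ask.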