Endpoint Protection


Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

Mohammad Altaf Khan, Apr 20, 2013 01:24 AM

  • 1.  Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Posted Feb 18, 2013 09:00 AM

    Hello

    My customer has McAfee Vulnerability Manager (formerly Foundstone) and they discovered two (2) HTTP denial-of-service vulnerabilities in their SEPM 12.1 RU1 MP1 related to the Apache Tomcat server on which SEPM is built. One of those vulnerabilities is CVE-2009-5111 (I can provide the other as soon as I have it).

    Has anyone ever run into a similar scenario? Unfortunately, the release notes for SEP 12.1.2 (or even prior versions) doesn't mention having those vulnerabilities remediated. What should I do? Would contacting Tech Support yield any help?

    Thanks.


    - Moh



  • 2.  RE: Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Posted Feb 18, 2013 09:03 AM

    I believe there was a previous thread a few days ago with this.

    You would need to call support to find out if you can upgrade only the DB or go to RU2

    Symantec is likely aware and has the fix or workaround

    Check this link as it provides all security advisories for Symantec. Perhaps you can find what you need here:

    https://www.symantec.com/security_response/securityupdates/list.jsp?fid=security_advisory

    CVE-2009-5111 seems to be related to GoAhead Webserver, not sure this applies to SEPM

    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-5111



  • 3.  RE: Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Trusted Advisor
    Posted Feb 18, 2013 09:13 AM

    Hello,

    CVE-2009-5111 

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5111

    This is in reference to: GoAhead WebServer allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.

    When you run the same application on SEP 12.1 RU2, does it show anything in reference to CVE-2009-5111?

    I would rather go for a Nessus vulnerability scan.

    In case of any doubts, please create a case with Symantec Technical Support.

    How to create a new case in MySymantec

    http://www.symantec.com/business/support/index?page=content&id=TECH58873

    Phone numbers to contact Tech Support:-

    Regional Support Telephone Numbers:

    • United States: https://support.broadcom.com (407-357-7600 from outside the United States)
    • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
    • United Kingdom: +44 (0) 870 606 6000

    Additional contact numbers: http://www.symantec.com/business/support/contact_t...

    Hope that helps!!


  • 4.  RE: Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Posted Feb 18, 2013 09:16 AM

    So... there's something to it, huh? I will call Support to find out what to do, or at least what to report back to the customer. Thanks for the reply and advice.

    In the meantime, here's the vuln. description to check out. Needless to say, I cannot follow their recommendation, otherwise I might render SEPM malfunctioning.


    A denial of service vulnerability is present in some HTTP servers.

    Observation

    Apache HTTP Server is a widely used Web server. Apache (and other Web servers) bind each connection to a different process or thread. A denial of service vulnerability is present in some HTTP servers. The DoS occurs because the server allows incomplete connections to stay open for an unnecessary period of time. Processes are a limited resource, and thus the server cannot have infinite connections but instead a limited number of clients connected at the same time. The attacker will create multiple slow incomplete connection requests to the server, causing it to reach the connections limit and making the server stop responding to other legit requests.

    Recommendation

    Download the latest version of Apache HTTP Server from the following location: http://httpd.apache.org/download.cgi

    A workaround to this, although not a final solution, is to decrease the Timeout setting for Apache to 10 seconds or less, instead of the default 5 minutes. Particular considerations have to be taken into account depending on each organization and the type of clients expected to connect to their web servers. For example, the timeout and minimum data rate for receiving requests can be set by enabling the Apache module "mod_reqtimeout": http://httpd.apache.org/docs/trunk/mod/mod_reqtimeout.html

    HTTP servers that use the asynchronous I/O technique are not vulnerable to this attack. Some of those servers are: lighttpd, nginx, Apache's experimental event MPM, IIS 6, IIS7,


    - Moh
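The workaround quoted in the post above (a shorter Timeout plus mod_reqtimeout) written out as an Apache httpd configuration fragment. This is an added example, not text from the thread, from the scanner's advisory or from Symantec's TECH article; the module path and the specific second/byte-rate values are assumptions that have to be tuned to the clients (here, SEP agents) expected to connect.

```apache
# Added example (not from the thread or from Symantec): httpd settings that
# limit how long a slow, incomplete request can hold a worker process/thread,
# which is the condition CVE-2007-6750 (Slowloris) abuses. Values are
# illustrative assumptions, not a tested Symantec-supported configuration.

# --- Weak setting (the old 300-second default the advisory refers to) ---
# One client sending a few bytes of header every few minutes keeps a worker
# busy for up to five minutes; a modest number of such clients exhausts
# MaxClients and legitimate requests queue up.
# Timeout 300

# --- Hardened: short global I/O timeout, as the advisory recommends ---
# Time httpd waits for client I/O during a request before failing it.
Timeout 10

# --- Hardened: mod_reqtimeout bounds header and body reception explicitly ---
# Module path is an assumption; use the path for your httpd build.
LoadModule reqtimeout_module modules/mod_reqtimeout.so

# header=20-40,MinRate=500 : the client gets 20 s to send the request line
#   and headers; each 500 bytes received buys another second, but the budget
#   never exceeds 40 s, so a trickle of partial headers cannot stall a worker.
# body=20,MinRate=500      : same scheme for the request body.
# A client that misses the deadline gets a 408 and its connection is closed.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# --- Also keep idle keep-alive connections short-lived ---
# Otherwise a client can park a worker between requests almost as cheaply.
KeepAlive On
KeepAliveTimeout 5
```

After a change like this, watch the access log for a rise in 408 responses from legitimate SEP clients (slow WAN links, proxies) before tightening the values further.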



  • 5.  RE: Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Posted Feb 18, 2013 09:16 AM

    Vulnerability CVE-2009-5111 - GoAhead WebServer allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.

    It doesn't list any Symantec products affected.

    http://cvedetails.com/cve-details.php?t=1&cve_id=CVE-2009-5111



  • 6.  RE: Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Posted Feb 18, 2013 09:20 AM

    Thanks for the replies, Mithun & Sebastian, but does it mean this might be a false positive, or McAfee's scanner is not playing nicely?

    Honestly I didn't have the chance to look that up myself until after your posts...


    - Moh



  • 7.  RE: Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Posted Feb 18, 2013 09:22 AM

    Is this the same CVE from your first post?

    If so, SEPM should not be affected, at least per the notes



  • 8.  RE: Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Posted Feb 18, 2013 09:25 AM

    It would appear it didn't identify between Apache and GoAhead, just assumed it was Apache. That makes the reference to an "HTTP" server as if to mean "all HTTP servers". Seems confusing to me.



  • 9.  RE: Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Trusted Advisor
    Posted Feb 18, 2013 09:26 AM

    Hello,

    It seems you have been either mis-communicated with or misguided.

    I would suggest that you migrate to the latest version, SEP 12.1 RU2, as well as run the Nessus Vulnerability Scanner.

    http://www.tenable.com/products/nessus

    Hope that helps!!



  • 10.  RE: Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Posted Feb 19, 2013 06:54 AM

    Guys, does this mean that McAfee has something wrong (or possibly dirty) in their vulnerability database? In their CVE description they clearly mention it is related to Apache (among other web servers). I'm getting really confused.

    BTW, the other vulnerability detected on SEPM is CVE-2007-6750

    Thanks


    - Moh



  • 11.  RE: Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Posted Feb 19, 2013 07:52 AM

    Basically, it appears to identify it but gives the wrong product name. Overall, Apache probably needs to be patched but only Symantec can tell you if you can upgrade Apache only.

    If you can, I would upgrade to 12.1 RU2 as I know it had a few fixes for these bugs related to Apache.



  • 12.  RE: Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Posted Apr 20, 2013 01:22 AM

    The same vulnerability was detected on our SEPM 12 server.

    We use the same vulnerability scanner, McAfee Foundstone Ver 7.5.

    Symantec confirmed the vulnerability and they have been looking for a workaround for the last 20 days.

    Case: 04025791




  • 13.  RE: Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Posted Apr 20, 2013 01:24 AM

    We are using SEPM Version 12.1.2015.2015.



  • 14.  RE: Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Posted Apr 20, 2013 08:58 AM

    Hello all,

    Symantec is indeed aware of this: in response, changes have been made to ensure that a future release of the SEPM will be invulnerable. 

    I will also update this thread in due course with details on how to ensure your SEP 12.1 RU2 SEPM is not vulnerable. 

    In the meantime: I have not heard of any real-world exploits of a SEPM from this vulnerability.  There is no threat in the wild which exploits this, etc.

    With thanks and best regards,

    Mick



  • 15.  RE: Discovered Vulnerabilities on SEPM 12.1 RU1 MP1

    Posted Apr 23, 2013 04:37 AM

    The article with the workaround is now available:

    Configuring the Apache web server to prevent denial of service attack in Symantec Endpoint Protection 12.1 RU2 and later
    Article URL http://www.symantec.com/docs/TECH205208