
Traffic between SEPM server and Client is found Vulnerable

Created: 08 Mar 2013 | 5 comments

Hi All

Good day..

We are using SEP 12.1 RU1 MP1 on a Windows architecture, operating globally. Recently we did a VA (vulnerability assessment) on our site and found that the traffic from the client to the SEPM console is vulnerable.

Attaching the Report.

HTTP TRACE/TRACK Methods Allowed

Summary

The remote web server was identified as having the HTTP debugging function TRACE enabled. The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users into giving him their credentials.

Severity: Medium

Complexity: Moderate

From: Remote

Impact: Possible Information Disclosure

Affected IP/URL(s):

  • X.X.X.X (80) -> MSL IP of DC site
  • Y.Y.Y.Y (80) -> MSL IP of DC site
         

 

We have two public IPs that the SEP clients communicate with over port 80 (HTTP traffic) when they are outside the office network. These are NATed to the internal IP of the SEPM.

On General Settings, under the Security tab, we have checked "Enable secure communication between the management server and clients by using digital certificates for authentication".

And we found the following in the KB at http://www.symantec.com/business/support/index?pag...

Data transmitted between Symantec Endpoint Protection Manager and clients is always obfuscated using an encryption password (a.k.a. KCS key), thereby preventing malicious users from seeing the data content easily. We use the Twofish tool to encrypt the data. The client uses the same encryption password to decrypt the data. For example, the profile.xml is zipped and then encrypted into the profile.dax file.

Could anyone suggest what the remedy could be?

Regards

Ajin

5 Comments

Rafeeq:

Hi

 

Go to the C:\Program Files\Symantec\Symantec Endpoint Protection Manager\apache\conf folder.

- Open httpd.conf in Notepad, add "TraceEnable off" to the file and save it.

- This will turn off TRACE.

- Restart the Apache web server and the SEPM services from services.msc.

 

Edit: somehow I am not able to get that document.

The cached version is here

 

http://webcache.googleusercontent.com/search?q=cac...
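The following is an added example (not code from the thread, Symantec or Apache) that puts the two halves of this answer into runnable form: it re-checks the scanner's TRACE/TRACK finding by sending a raw TRACE request and classifying the reply, and it applies the `TraceEnable off` change to an httpd.conf text idempotently. With `TraceEnable off`, Apache answers TRACE with 405 Method Not Allowed; a server that still supports TRACE answers 200 with `Content-Type: message/http` and echoes the request headers back, which is exactly what cross-site tracing abuses. The host name, the probe header, and the sample responses are constructed for illustration; run `probe()` against your own public IPs on port 80 before and after the change. (TRACK is an IIS-only method; Apache never implements it, so the scanner's "TRACE and/or TRACK" wording only concerns TRACE here.)

```python
"""Re-check the HTTP TRACE finding and disable TRACE in an Apache httpd.conf.

Added example; the host name, probe header and sample responses below are
constructed, not taken from the thread.
"""
import re
import socket

# Marker header the server must echo back for us to call it "vulnerable";
# a real attacker would be after the Cookie / Authorization headers instead.
PROBE_HEADER = "X-Xst-Probe: marker-1234"


def build_trace_request(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 TRACE request carrying the probe header."""
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"{PROBE_HEADER}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def classify_trace_response(raw: bytes) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for a raw HTTP response.

    vulnerable: 200 and our probe header is reflected in the body (TRACE echo)
    fixed:      405 (Apache with TraceEnable off) or 501 (method not implemented)
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    match = re.match(rb"HTTP/\d\.\d (\d{3})", status_line)
    if not match:
        return "unknown"
    status = int(match.group(1))
    if status == 200 and PROBE_HEADER.encode("ascii") in body:
        return "vulnerable"
    if status in (405, 501):
        return "fixed"
    return "unknown"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send a TRACE request to host:port and classify the answer (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


def ensure_trace_disabled(conf_text: str) -> str:
    """Return httpd.conf text containing exactly one 'TraceEnable off'.

    Any existing TraceEnable line (on, off or extended) is replaced so a later
    'TraceEnable on' cannot silently override the fix; if none exists the
    directive is appended. Safe to run repeatedly.
    """
    out, seen = [], False
    for line in conf_text.splitlines():
        if re.match(r"^\s*TraceEnable\b", line, re.IGNORECASE):
            if not seen:
                out.append("TraceEnable off")
                seen = True
            continue  # drop duplicate / conflicting TraceEnable lines
        out.append(line)
    if not seen:
        out.append("TraceEnable off")
    return "\n".join(out) + "\n"


# Constructed sample responses: what a TRACE-enabled Apache echoes back, and
# what Apache returns once TraceEnable off is in effect.
SAMPLE_VULNERABLE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nConnection: close\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: sepm.example.invalid\r\n"
    + PROBE_HEADER.encode("ascii") + b"\r\nConnection: close\r\n"
)
SAMPLE_FIXED = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("before fix:", classify_trace_response(SAMPLE_VULNERABLE))
    print("after fix: ", classify_trace_response(SAMPLE_FIXED))
    print(ensure_trace_disabled("Listen 80\nTraceEnable on\n"))
    # Live check against your own NATed SEPM address, e.g.:
    # print(probe("X.X.X.X", 80))
```

To apply the change on the SEPM host, read httpd.conf, pass its contents through `ensure_trace_disabled()`, write it back, then restart the Apache and SEPM services as described above; a `probe()` against each public IP should then return `fixed`.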

AjinBabu:

Hi Rafeeq,

Thanks for your inputs.

Is there any impact after changing this in production?

Regards

Ajin

Mithun Sanghavi:

Hello,

What vulnerability tool are you using? Is that Nessus Vulnerability Scanner?

Create a case with Symantec Technical Support and upload the report to the case.

Once done, please PM me the Case #

How to create a new case in MySupport

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Phone numbers to contact Tech Support:-

Regional Support Telephone Numbers:

  • United States: 800-342-0652 (407-357-7600 from outside the United States)
  • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
  • United Kingdom: +44 (0) 870 606 6000
 
Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.