Symantec Endpoint Protection Manager XXE and SQL Injection Vulnerabilities

2014-02-24T00:00:00
ID SAINT:8A1968C5B206C48FDB6B05B53C345495
Type saint
Reporter SAINT Corporation
Modified 2014-02-24T00:00:00

Description

Added: 02/24/2014
CVE: CVE-2013-5014
BID: 65466
OSVDB: 103306

Background

Symantec Endpoint Protection, by Symantec Corporation, is an antivirus and personal firewall product designed to be centrally managed in corporate environments by the Symantec Endpoint Protection Manager (SEPM). The SEPM management console listens on TCP port 9090.

Problem

The management console for Symantec Endpoint Protection Manager is vulnerable to XML External Entity (XXE) injection (CVE-2013-5014) due to improper sanitization of external XML data. This vulnerability could allow unauthorized access to restricted server-side data and console management functionality. The management console is also vulnerable to SQL injection (CVE-2013-5015) due to insufficient sanitization of local queries made against the backend database. The XXE injection vulnerability can be leveraged to exploit the local-access SQL injection vulnerability.

Resolution

Apply the updates as described in Symantec Security Advisory SYM14-004.

References

<http://www.zdnet.com/attackers-scanning-for-symantec-endpoint-protection-manager-flaw-7000026418/>
<http://secunia.com/advisories/cve_reference/CVE-2013-5014/>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5015>
<http://secunia.com/advisories/cve_reference/CVE-2013-5015/>
<http://osvdb.org/show/osvdb/103306>

Limitations

This exploit was tested against the default Symantec Endpoint Protection Manager installation using the embedded database on Windows Server 2003.

Platforms

Windows