Symantec Security Response SMNTC-1480
History: Aug 27, 2019 - 8:00 a.m.

Information Disclosure Vulnerability in MC

2019-08-27 08:00:00
Symantec Security Response

EPSS: 0.001 (Low), percentile 27.8%

SUMMARY

The Symantec Management Center REST API is susceptible to an information disclosure vulnerability. A malicious authenticated user can obtain passwords for external backup and CPL policy import servers that they might not otherwise be authorized to access.

AFFECTED PRODUCTS

Management Center (MC)

CVE           | Supported Version(s) | Remediation
CVE-2019-9697 | 2.0, 2.1             | Upgrade to later release with fixes.
CVE-2019-9697 | 2.2                  | Upgrade to 2.2.2.1.
CVE-2019-9697 | 2.3                  | Not vulnerable, fixed

ISSUES

CVE-2019-9697

Severity / CVSSv3 | Medium / 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
References | SecurityFocus: BID 109828 / NVD: CVE-2019-9697
Impact | Information disclosure
Description | An information disclosure vulnerability in the MC REST API allows a malicious authenticated user to obtain passwords for external backup and CPL policy import servers that they might not otherwise be authorized to access.

MITIGATION

This vulnerability has security impact only when MC is configured with multiple users. The first authenticated administrator can configure the external server passwords on MC. The second, malicious, administrator or view-only user might not be authorized to access the external servers, but can obtain the passwords through the MC REST API.

ACKNOWLEDGEMENTS

REVISION

2019-08-27 initial public release
