Information Disclosure Vulnerability in MC
SUMMARY
The Symantec Management Center REST API is susceptible to an information disclosure vulnerability. A malicious authenticated user can obtain passwords for external backup and CPL policy import servers that they might not otherwise be authorized to access.
AFFECTED PRODUCTS
| Management Center (MC) | ||
|---|---|---|
| CVE | Supported Version(s) | Remediation |
| CVE-2019-9697 | 2.0, 2.1 | Upgrade to later release with fixes. |
| 2.2 | Upgrade to 2.2.2.1. | |
| 2.3 | Not vulnerable, fixed | |
ISSUES
| CVE-2019-9697 | |
|---|---|
| Severity / CVSSv3 | Medium / 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) |
| References | SecurityFocus: BID 109828 / NVD: CVE-2019-9697 |
| Impact | Information disclosure |
| Description | An information disclosure vulnerability in the MC REST API allows a malicious authenticated user to obtain passwords for external backup and CPL policy import servers that they might not otherwise be authorized to access. |
MITIGATION
This vulnerability has security impact only when MC is configured with multiple users. The first authenticated administrator can configure the external server passwords on MC. The second, malicious, administrator or view-only user might not be authorized to access the external servers, but can obtain the passwords through the MC REST API.
ACKNOWLEDGEMENTS
- CVE-2019-9697: Gopinath Rajendiren, Cyber Threat Intelligence Specialist @ Emirates NBD Bank PJSC (https://www.linkedin.com/in/gopinathrajendiren)
REVISION
2019-08-27 initial public release