Contributed by: Eglė
Date: June 9, 2009
Don't be a Victim of Symantec's Reporting Server Login Spoofing Vulnerabilities!

The cyber world has been hit by malicious people again! It's evident that they are not about to stop using attacks that cause much damage to computer systems. Recently, multiple vulnerabilities were discovered in various Symantec products.

By exploiting these vulnerabilities, remote attackers could spoof the login screen of the Reporting Server, thanks to an error in its URL handling. If a victim is persuaded to visit a specially crafted Web page, a remote attacker could use the flaw to spoof the message displayed on the login screen and, in this way, conduct phishing attacks.

If you don't know what the Symantec Reporting Server is, I'm here to tell you. It is an optional component of Symantec AntiVirus Corporate Edition (SAV), Symantec Client Security (SCS) and Symantec Endpoint Protection Manager (SEPM) that generates reports on Symantec antivirus products across an enterprise network. Symantec confirmed that these vulnerabilities affect the Reporting Server shipped with the product versions listed below:

  • Symantec AntiVirus Corporate Edition 10.1 MR7 and earlier; 10.2 MR1 and earlier;
  • Symantec Client Security 3.1 MR7 and earlier;
  • Symantec Endpoint Protection 11.0 MR1 and earlier.

This security issue is the result of an input validation error in the Reporting Server login screen while handling URLs. It enables attackers to display arbitrary messages of their choice on the Reporting Server login screen. The attacker does not obtain any additional access to the Reporting Server unless a trusted user is convinced by the message to hand their login credentials to the attacker.
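
To make the mechanism concrete, here is an added Python sketch (not Symantec's code and not taken from this article) of the general pattern behind a login-screen message spoofing flaw and one way to close it. The `msg` parameter name, the URL, the message table and all function names are assumptions for the example: the page does not say how the Reporting Server actually passes its status text.

```python
"""Illustration of a login-screen message spoofing flaw and its fix.

A login page often shows a status line such as "Your session has expired".
If that text is taken verbatim from the request URL, whoever controls the
link a user clicks also controls what the login screen tells the user.
The hardened version accepts only a message *code* and maps it to text
the server owns, so the URL can never dictate what is displayed.
Parameter names, URLs and messages below are constructed for this example.
"""
from html import escape
from urllib.parse import parse_qs, urlparse

LOGIN_FORM = (
    '<form method="post"><input name="user">'
    '<input name="pass" type="password"></form>'
)

# Messages the application itself may legitimately show (constructed).
KNOWN_MESSAGES = {
    "logged_out": "You have been logged out.",
    "session_expired": "Your session has expired. Please log in again.",
    "bad_credentials": "Invalid user name or password.",
}

# A constructed link whose text is chosen by the link author, not the server.
CRAFTED_URL = (
    "https://reports.example.internal/login?msg="
    "This+text+came+from+the+link,+not+the+server"
)


def _msg_param(url: str) -> str:
    """Return the first 'msg' query value of a URL, decoded ('' if absent)."""
    return parse_qs(urlparse(url).query).get("msg", [""])[0]


def render_login_vulnerable(url: str) -> str:
    """Reflects the free-text 'msg' parameter straight into the page.

    Hypothetical vulnerable pattern: the status line is whatever the URL says.
    """
    return f"<p class='status'>{_msg_param(url)}</p>{LOGIN_FORM}"


def render_login_hardened(url: str) -> str:
    """Treats 'msg' as a code, looks it up in a server-owned table and
    HTML-escapes the result; unknown codes produce an empty status line."""
    text = KNOWN_MESSAGES.get(_msg_param(url), "")
    return f"<p class='status'>{escape(text)}</p>{LOGIN_FORM}"


def url_text_reached_page(url: str, rendered: str) -> bool:
    """Check used by the demo: did free text from the URL end up in the page?

    True means a link author could put words of their choosing on the login
    screen, which is exactly the spoofing condition described in the article.
    """
    msg = _msg_param(url)
    return bool(msg) and msg not in KNOWN_MESSAGES and msg in rendered


if __name__ == "__main__":
    for name, render in (("vulnerable", render_login_vulnerable),
                         ("hardened", render_login_hardened)):
        page = render(CRAFTED_URL)
        print(f"{name}: link text shown on login screen ->",
              url_text_reached_page(CRAFTED_URL, page))
```

Running the block prints `True` for the vulnerable renderer and `False` for the hardened one. The design choice worth noting is the code-to-text table: escaping alone would stop script injection but would still let a link author write a convincing sentence on the login page, so the fix is to stop taking any display text from the URL at all.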

The vulnerabilities reviewed in this article have been rated as low risk. Regardless of the fact that they weren't rated as high, a solution to this security problem was found! Updates have been issued to address these vulnerabilities. We recommend users update their installations to the following latest versions:

  • Symantec AntiVirus Corporate Edition: update to 10.1 MR8 or 10.2 MR2 or later;
  • Symantec Client Security: update to 3.1 MR8 or later;
  • Symantec Endpoint Protection: update to 11.0 MR2 or later.

Also, we recommend that customers update the Reporting Server itself in order to prevent further attempts to exploit these vulnerabilities.

To mitigate the risk, users may also take the following actions:

  • Uninstall the Reporting Server if it is not being used with SAV or SCS;
  • Restrict access to the Reporting Server interface to trusted users only;
  • Do not reuse a user's network login account as their Reporting Server account;
  • Always type the address of your Reporting Server login screen into your web browser manually. Do not follow a link to the login screen;
  • Keep your login credentials safe. Never send your ID and password to a third party.
