Symantec CCS Vulnerability Manager (VM) uses Adobe Flex / Adobe Flash to provide certain user interface elements. Recent testing confirmed a security issue that allowed unauthenticated calls to be made through the Flex / Flash remoting gateway.
Symantec has now implemented a global authentication check that removes the risk of unauthenticated calls being made via the Flex / Flash remoting gateway. Symantec has issued a Quick Fix (QF) for previous versions (12.3.1 – 12.4.5) of CCS-VM and also plans to release a new version of CCS-VM (12.4.8) that addresses this issue. Apply the QF to fix this issue in your CCS-VM deployment. For the steps to apply the QF, refer to the Readme_CCSVM_Global Authentication Check_QF document included in the .zip package in the Download Files section.
It is highly recommended that all CCS-VM customers running the older versions apply the QF.
Note: This QF is applicable only to CCS-VM Console software.
Frequently Asked Questions
Q: What does this QF (i.e. the global authentication check) entail? A: CCS-VM uses Adobe Flex / Adobe Flash to provide certain user interface elements. To ensure that unauthenticated calls via the Flex / Flash remoting gateway cannot be performed, Symantec has proactively implemented a global authentication check in CCS-VM to remove this risk.
Q: What versions of CCS-VM are in scope? A: Symantec has issued a QF for previous versions (12.3.1 and 12.4.5) of CCS-VM and also plans to release a new version of CCS-VM (12.4.8, due by mid-June). Customers can deploy the QF or upgrade to CCS-VM 12.4.8 once it is released.
Q: What is the risk of not deploying the QF? A: If the QF is not applied, successful exploitation of this vulnerability could allow data exfiltration.
Q: Is Symantec aware of any active exploits for this vulnerability? A: No. As this issue was found internally, Symantec has received no reports of known exploitation of this vulnerability. This is a proactive measure.
Q: Is there a CVE? A: Yes. CVE-2018-10640 has been reserved and is pending release in the first week of July.
Q: I have CCS-VM 12.4.5 installed. Should I upgrade to CCS-VM 12.4.8 or use the QF? A: Symantec expects to release 12.4.8 in the second week of June. The QF that Symantec has provided gives the same protection as upgrading to 12.4.8. For most organizations, a QF is the quicker way to implement the change.
Q: What are we doing to prevent this type of event in the future? A: First and most importantly, Symantec is phasing out all Flash/AMF from CCS-VM software. Until this transition is complete, we have implemented a global authentication module that processes all requests.
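The answers above describe the fix only at a high level: instead of relying on each remote operation to verify the caller, a single check at the gateway entry point verifies the session before any operation code runs. The following Python model, added here as an illustration and not taken from CCS-VM or any Symantec code, shows why that matters. The gateway path, session store, operation names and the "forgotten check" in one operation are all constructed assumptions for the demo; the point is that a per-operation check protects only the operations that remembered it, while a global check protects every request through the gateway.

```python
"""Illustration of per-operation vs. global authentication in front of an
AMF-style remoting gateway. Hypothetical model, not CCS-VM code."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed session store for the demo: session id -> user name.
VALID_SESSIONS: Dict[str, str] = {"sess-abc123": "alice"}

# Assumed gateway path for the demo; real deployments differ.
GATEWAY_PATHS = ("/messagebroker/amf",)


@dataclass
class Request:
    path: str                  # URL path the client posted to
    operation: str             # remote service method the client asks for
    session_id: Optional[str]  # session cookie value, None if absent


@dataclass
class Response:
    status: int
    body: str


class AuthRequired(Exception):
    """Raised by an operation that performs its own authentication check."""


def current_user(req: Request) -> Optional[str]:
    """Resolve the session id to a user, or None if the caller is anonymous."""
    return VALID_SESSIONS.get(req.session_id or "")


# --- Remote operations exposed through the gateway -------------------------

def list_scans(req: Request) -> str:
    # Per-operation check written by the author of this method.
    user = current_user(req)
    if user is None:
        raise AuthRequired("list_scans")
    return "scan list for " + user


def export_report(req: Request) -> str:
    # Hypothetical operation whose author omitted the per-operation check.
    # This is the class of gap a global check at the gateway closes.
    return "report data"


OPERATIONS: Dict[str, Callable[[Request], str]] = {
    "list_scans": list_scans,
    "export_report": export_report,
}


def dispatch(req: Request) -> Response:
    """Route a request to its operation; performs no authentication itself."""
    op = OPERATIONS.get(req.operation)
    if op is None:
        return Response(404, "unknown operation")
    try:
        return Response(200, op(req))
    except AuthRequired:
        return Response(401, "authentication required")


# --- Gateway entry point --------------------------------------------------

def gateway(req: Request, global_check: bool) -> Response:
    """Entry point for every remoting request.

    With global_check=False only operations that carry their own check reject
    anonymous callers. With global_check=True the session is verified once
    here, before any operation runs, so the gateway denies by default.
    """
    if req.path not in GATEWAY_PATHS:
        return Response(404, "not a gateway path")
    if global_check and current_user(req) is None:
        return Response(401, "authentication required")
    return dispatch(req)


if __name__ == "__main__":
    anon = Request("/messagebroker/amf", "export_report", None)
    print("per-operation only:", gateway(anon, global_check=False).status)  # 200: gap
    print("global check:      ", gateway(anon, global_check=True).status)   # 401
```

Running the block shows the anonymous call to the unguarded operation succeeding when only per-operation checks exist and being rejected once the global check is in place; an authenticated session still reaches every operation either way.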