Endpoint Protection


OpenSSL bug


  • 1.  OpenSSL bug

    Posted Apr 08, 2014 08:16 AM

    Quick heads up, a vulnerability was announced yesterday for OpenSSL and registered under CVE-2014-0160:

    https://www.openssl.org/news/secadv_20140407.txt

    A SEPM on 12.1RU4a runs OpenSSL v1.0.1e and is presumably affected.  I've not had a chance to check RU4MP1 yet.

    As with the previous SEPM vulnerability, this should only really affect those who allow communications with external endpoints.  If everything is internal, then your exposure will be limited.



  • 2.  RE: OpenSSL bug

    Posted Apr 08, 2014 09:01 AM

    Hopefully Symantec sends out an update here soon



  • 3.  RE: OpenSSL bug

    Posted Apr 08, 2014 04:27 PM

    We are monitoring too. Awaiting response from Symantec.



  • 4.  RE: OpenSSL bug

    Posted Apr 09, 2014 05:05 AM

    When you say allow communications with external endpoints, would this include home workers who connect via VPN (i.e. the SEP client can only communicate with the SEPM when the VPN is established)?

    I assume no, but wanted to double check with the community.



  • 5.  RE: OpenSSL bug

    Posted Apr 09, 2014 05:24 AM

    Thanks for the post, SMLatCST.

    Symantec is aware and currently investigating the OpenSSL vulnerability, dubbed Heartbleed.  We will share more information on this threat as it becomes available.



  • 6.  RE: OpenSSL bug

    Posted Apr 09, 2014 11:41 AM

    Wondering if this OpenSSL bug affects the Endpoint Encryption Suite of products as well?



  • 7.  RE: OpenSSL bug

    Posted Apr 09, 2014 01:21 PM


  • 8.  RE: OpenSSL bug

    Posted Apr 09, 2014 03:40 PM

    It appears that SEP 12.1 RU4 MP1 is running OpenSSL 1.0.1f (SEPM\apache\bin\ssleay32.dll), which is still vulnerable.

    Is there word of an IPS detection for this (for use within the Network Threat Protection IPS component of SEP)?



  • 9.  RE: OpenSSL bug

    Posted Apr 09, 2014 03:48 PM

    Haven't seen one yet but I've seen signatures for other products so I've got to believe one is coming



  • 10.  RE: OpenSSL bug



  • 11.  RE: OpenSSL bug

    Posted Apr 09, 2014 05:25 PM

    Another Blog entry:

    https://www-secure.symantec.com/connect/blogs/heartbleed-openssl-take-action-now



  • 12.  RE: OpenSSL bug

    Posted Apr 09, 2014 06:17 PM

    Absolutely we are anxiously monitoring for a Signature ID for IDS/IPS.



  • 13.  RE: OpenSSL bug

    Posted Apr 10, 2014 05:58 AM

    SEPM 12.1 RU4 uses OpenSSL 1.0.1e

    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin>
    openssl version
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    OpenSSL 1.0.1e 11 Feb 2013

    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin>

    Is there a Symantec patch that we can install on the management server?

    If we do a check with an online tool, we are vulnerable.



  • 14.  RE: OpenSSL bug

    Posted Apr 10, 2014 08:05 AM

    We got a solution for SEPM RU4 with OpenSSL 1.0.1e; see the following link: https://wiki.bitnami.com/security/2014-04_Heartbleed_Bug/Heartbleed_on_Windows

    We had to install the C++ redistributable installer for Visual Studio 2012 x86, but it works.

    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin>
    openssl.exe version
    WARNING: can't open config file: c:/openssl-1.0.1g/ssl/openssl.cnf
    OpenSSL 1.0.1g 7 Apr 2014

    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin>

     



  • 15.  RE: OpenSSL bug

    Posted Apr 10, 2014 10:30 AM

    The article I see at http://www.symantec.com/connect/blogs/heartbleed-bug-poses-serious-threat-unpatched-servers states "This is a vulnerability of the OpenSSL library, and not a flaw with SSL/TLS nor certificates issued by Symantec", yet when I look up the properties of the ssleay32.dll located at E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin for SEPM version 12.1.4023.4080, the product version is 1.1.1e.  Will there not be a fix provided by Symantec?



  • 16.  RE: OpenSSL bug

    Broadcom Employee
    Posted Apr 10, 2014 10:39 AM

    Do not install OpenSSL on the SEPM; I suggest opening a support ticket.



  • 17.  RE: OpenSSL bug

    Posted Apr 10, 2014 12:14 PM

    Symantec:

      On my SEP 12.1 MR4 server:

    Go to <drive path>:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin

    Type "openssl version -a"

    Received the message:
    "WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    OpenSSL 1.0.1e 11 Feb 2013
    built on: Fri Mar  8 17:18:20 2013
    platform: VC-WIN32
    "

    So, will there be a patch??
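The last few posts all do the same check by hand (run openssl version in apache\bin, or look at the properties of ssleay32.dll). The script below is an added example, not code from this thread or from Symantec, that does both steps from one PowerShell prompt on the SEPM and classifies the result against the affected range given in the OpenSSL advisory linked in the first post (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g fixed; the 0.9.8 and 1.0.0 branches unaffected). It assumes the default install path quoted above; the function names are mine.

```powershell
# Added example (not from the thread or Symantec): inventory the OpenSSL build
# shipped with the SEPM's Apache component and classify it against the range
# that the OpenSSL advisory secadv_20140407 lists as affected.
# Assumption: default SEPM install path as quoted in the thread.

$ApacheBin = "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection Manager\apache\bin"

function Get-OpenSslVersionString {
    # Runs 'openssl.exe version' and returns just the version token, e.g. "1.0.1e".
    # The "can't open config file" WARNING seen in the thread goes to stderr and
    # is discarded here; it does not affect the version output.
    param([string]$BinDir = $ApacheBin)
    $exe = Join-Path $BinDir "openssl.exe"
    if (-not (Test-Path $exe)) { throw "openssl.exe not found in $BinDir" }
    $out = (& $exe version 2>$null) -join ' '
    if ($out -match 'OpenSSL\s+(\S+)') { return $Matches[1] }
    throw "Unexpected output from 'openssl version': $out"
}

function Get-SsleayDllVersion {
    # Reads the version resource of ssleay32.dll, the library Apache actually loads.
    param([string]$BinDir = $ApacheBin)
    $dll = Get-Item (Join-Path $BinDir "ssleay32.dll")
    return [pscustomobject]@{
        FileVersion    = $dll.VersionInfo.FileVersion
        ProductVersion = $dll.VersionInfo.ProductVersion
        LastWriteTime  = $dll.LastWriteTime
    }
}

function Test-HeartbleedAffectedVersion {
    # $true for 1.0.1 through 1.0.1f and for 1.0.2-beta (per the advisory),
    # $false for 1.0.1g and later and for the 0.9.8 / 1.0.0 branches.
    param([Parameter(Mandatory)][string]$Version)
    if ($Version -match '^1\.0\.2-beta') { return $true }
    if ($Version -match '^1\.0\.1([a-z]?)') {
        $letter = $Matches[1]
        # Patch letters sort alphabetically; anything before 'g' is in the affected range.
        return ($letter -eq '' -or $letter -lt 'g')
    }
    return $false
}

# Usage on the SEPM:
$reported = Get-OpenSslVersionString
$dllInfo  = Get-SsleayDllVersion
"openssl.exe reports      : $reported"
"ssleay32.dll file version: $($dllInfo.FileVersion) (product $($dllInfo.ProductVersion), written $($dllInfo.LastWriteTime))"
if (Test-HeartbleedAffectedVersion -Version $reported) {
    Write-Warning "OpenSSL $reported is in the affected range (1.0.1 to 1.0.1f); apply the vendor update or the port-8445 interim mitigation."
} else {
    "OpenSSL $reported is outside the affected range."
}
```

The two readings can disagree after a manual DLL swap like the one described in post 14, which is why both are printed: openssl.exe reports whatever ssleay32.dll it finds beside itself, while the file's version resource and timestamp tell you whether the vendor's original library is still in place.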



  • 18.  RE: OpenSSL bug

    Posted Apr 10, 2014 01:02 PM

    This is the response I got from opening a support ticket:

    My name is ***** from Symantec Australia and I’ll be working on your case ********. Below I have listed options to mitigate the vulnerability.
    
    1. Upgrade OpenSSL to version 1.0.1g, which should update to the latest fixed version of the software (1.0.1g)
    http://www.openssl.org/source/ 
    (Since this is an issue with another vendor, we are not responsible for how to perform the upgrade to 1.0.1g; however, step 2 is a workaround to protect the SEPM until a patch is released for the SEPM.)
    
    2. Block off port 8445
    To temporarily mitigate the vulnerability before you upgrade the Symantec Endpoint Protection Manager console, you can block the affected port with a firewall rule. However, if you block the port, the management console loses specific functionality. You should review the implications prior to implementation.
    
    Note: The port mentioned below is the Symantec Endpoint Protection Manager default port. If you have changed the communication port, please alter the firewall rules appropriately.
    
    Steps: Add a firewall rule to block the specific port on the computer on which you installed Symantec Endpoint Protection Manager. This firewall rule should apply to all hosts and all applications.
    
    To confirm that the rule applied successfully, simply telnet to the port. If the rule is configured correctly, the firewall successfully blocks traffic and does not permit a connection on the port.
    
    Note: For instructions on creating a firewall rule using the Symantec Endpoint Protection client, please see HOWTO81156: Adding a new firewall rule. If you configure the policy from the Symantec Endpoint Protection Manager, you will need to wait for the policy to propagate to the Symantec Endpoint Protection client installed on the SEPM server prior to testing. To force the SEP client to download the modified policy immediately, right-click the SEP system-tray icon and click Update Policy.
    
    Implications: If an administrator logs in to the SEPM with port 8445 blocked, the first three reporting tabs (Home, Monitors, and Reports) will not display in the Remote Java console. Blocking port 8445 will deny access to the Remote Web Console as well. Administrators may configure firewall rules to allow access to port 8445 or 443 from explicit hosts, IP addresses, or IP address ranges to enable these features.
    
    FIPS mode: FIPS mode utilizes port 443 for client/server communications. If FIPS mode is enabled, port 443 should be restricted. Blocking port 443 will deny communication to/from all clients that are in FIPS mode. Administrators may configure firewall rules to allow access to port 443 from explicit hosts, IP addresses, or IP address ranges to enable these features.
     
    
    Symantec public article regarding the heartbleed vulnerability
    http://www.symantec.com/connect/blogs/heartbleed-bug-poses-serious-threat-unpatched-servers
    
    

    .....  so, what was that about not installing openssl ourselves?
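The support reply above describes the interim mitigation in words: one inbound firewall rule on the SEPM that blocks port 8445 for all hosts and all applications, confirmed by a connect attempt to the port. What follows is an added example, not from this thread or from Symantec, that applies that rule with the built-in Windows Firewall through netsh, removes it again after the vendor patch is installed, and replaces the telnet check with a TCP connect test. It assumes Windows Firewall is the host firewall on the SEPM, that the add/remove functions run in an elevated prompt on the SEPM, and that 8445 is still the default port; the rule and function names are mine.

```powershell
# Added example (not from the thread or Symantec): the port-8445 interim
# mitigation from the support reply, implemented with Windows Firewall via netsh,
# plus a connect test to confirm it took effect.
# Assumptions: Windows Firewall is the active host firewall, Add/Remove run
# elevated on the SEPM, port 8445 is the unchanged default reporting port.

$SepmPort = 8445
$RuleName = "Heartbleed interim mitigation - block inbound TCP $SepmPort"

function Add-SepmPortBlockRule {
    # Inbound block for all remote hosts, all programs, all profiles, as the
    # support reply specifies. In Windows Firewall a block rule takes precedence
    # over any allow rule, so an installer-created allow for the port is overridden.
    param([int]$Port = $SepmPort, [string]$Name = $RuleName)
    netsh advfirewall firewall add rule name="$Name" dir=in action=block `
        protocol=TCP localport=$Port remoteip=any profile=any | Out-Null
    netsh advfirewall firewall show rule name="$Name"
}

function Remove-SepmPortBlockRule {
    # Roll back once the vendor update (SEPM 12.1 RU4 MP1a) is installed.
    param([string]$Name = $RuleName)
    netsh advfirewall firewall delete rule name="$Name" | Out-Null
}

function Test-TcpPort {
    # Run from an admin workstation, not on the SEPM: a connection the SEPM makes
    # to its own address is not a meaningful test of an inbound rule.
    # Returns $true only if a TCP handshake completes within the timeout.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = $SepmPort, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: the firewall is dropping the SYN.
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)   # throws if the peer actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# On the SEPM (elevated prompt):
#   Add-SepmPortBlockRule
# From another host, before and after the rule is applied (hostname is a placeholder):
#   Test-TcpPort -ComputerName sepm01.example.internal -Port 8445
# Port 8443 (remote console login and administration, see the later posts) is not
# part of this mitigation; a rule on 8443 would lock administrators out.
```

One caveat for the "allow from explicit hosts" variant the reply also mentions: because block rules win over allow rules in Windows Firewall, you cannot get that behaviour by adding a scoped allow rule next to this block rule. It has to be done the other way round, with only a scoped allow rule (remoteip set to the admin hosts) and the profile's default inbound action of block doing the rest, after checking that no broader allow rule for the port exists.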



  • 19.  RE: OpenSSL bug

    Posted Apr 10, 2014 01:07 PM

    Can we get a plain answer, hopefully in the form of an official blog post?

    For SEPMs: Do we update OpenSSL on our own? Or will there be an actual Symantec update?



  • 20.  RE: OpenSSL bug

    Posted Apr 10, 2014 01:08 PM

    In the past, Symantec always said to wait for a patch to come out to address things like this. Interesting that this was suggested.

    They do say they're not responsible though.

    Personally, I wouldn't do it. I'd use the other workarounds til an actual patch is released.



  • 21.  RE: OpenSSL bug

    Posted Apr 10, 2014 01:19 PM

    I was informed by support to block port 8445 on the firewall to the SEPMs as well



  • 22.  RE: OpenSSL bug

    Posted Apr 10, 2014 02:22 PM

    Port 8443, too, I would suspect.



  • 23.  RE: OpenSSL bug

    Posted Apr 10, 2014 03:06 PM

    Negative Phil_G to block port 8443. Suspect is wrong. Port 8443: HTTPS communication between a remote management console and the SEP Manager. All login information and administrative communication takes place using this secure port. Please peruse http://www.symantec.com/business/support/index?page=content&id=TECH102416 and http://www.symantec.com/business/support/index?page=content&id=TECH163787. The Signature ID from an IDS/IPS is the preferred method of which Symantec should create.



  • 24.  RE: OpenSSL bug

    Posted Apr 10, 2014 04:20 PM

    Here is some information for followers of this thread:

    Symantec Endpoint Protection affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)
    Article: TECH216558 | Created: 2014-04-09 | Updated: 2014-04-10
    Article URL: http://www.symantec.com/docs/TECH216558


  • 25.  RE: OpenSSL bug

    Posted Apr 10, 2014 04:33 PM

    Thank you!



  • 26.  RE: OpenSSL bug

    Posted Apr 10, 2014 04:35 PM

    @ Mick2009 Awesome News. Thanks Symantec.



  • 27.  RE: OpenSSL bug

    Posted Apr 10, 2014 04:37 PM

    I appreciate the technical information, but I didn't care for the tone of the initial statement "Negative Phil_G to block port 8443. Suspect is wrong".



  • 28.  RE: OpenSSL bug

    Posted Apr 11, 2014 02:34 AM

    Also see this page:

    Heartbleed Vulnerability
    http://www.symantec.com/outbreak/?id=heartbleed



  • 29.  RE: OpenSSL bug

    Broadcom Employee
    Posted Apr 11, 2014 02:56 AM

    Hello Everyone,

    Subscribe to this article to be notified of any changes to this article.

    Is Symantec Endpoint Protection affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)

    http://www.symantec.com/docs/TECH216558



  • 30.  RE: OpenSSL bug

    Posted Apr 11, 2014 04:43 AM

    Also: if the SEP client defending the SEPM has its IPS component in place, this IPS signature will offer protection:

    Attack: OpenSSL Heartbleed CVE-2014-0160 3

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27517

    This signature was added in Security Update: 772 [Extended version: April 10, 2014 Rev: 012]

    IPS is a crucial part of today's defenses.

    Two Reasons why IPS is a "Must Have" for your Network

    https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

    Hope this helps!

    Mick



  • 31.  RE: OpenSSL bug

    Posted Apr 11, 2014 04:59 AM

    That's great news!

    Thanks for the update Mick



  • 32.  RE: OpenSSL bug

    Posted Apr 11, 2014 07:08 AM

    Whoops, bit of a typo on the site regarding the IPS defs methinks.  Quick heads up in case anyone is concerned.

    The below link only shows IPS rev 20140410r1 as available:

    http://www.symantec.com/security_response/definitions.jsp

    Whereas the defs protecting us from Heartbleed are 20140410r12, according to:

    http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=sep&pvid=sep1213&year=2014&suid=SEP_Jaguar-SU772-20140410.012

    It does appear that even though the SEPM also says 20140410r1 (under Show LiveUpdate Downloads), when the defs get down to the client, it reports the correct revision of 20140410r12, so you should be.



  • 33.  RE: OpenSSL bug

    Posted Apr 11, 2014 09:42 AM

    Thank you Mick2009 for again the Symantec best practice approach and for reference to the necessary Signature ID (27517) for IDS/IPS http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=sep&pvid=sep1213&year=2014&suid=SEP_Jaguar-SU772-20140410.012

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27517

    Again, an outstanding reference to:

    Two Reasons why IPS is a "Must Have" for your Network

    https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

    BRAVO ZULU Team Symantec



  • 34.  RE: OpenSSL bug

    Posted Apr 11, 2014 05:00 PM

    Hi jjee,

    The Endpoint Encryption products are not affected by the OpenSSL vulnerability. For more information, please see the knowledgebase article at http://www.symantec.com/docs/TECH216642.

    Thanks!

    ...sue



  • 35.  RE: OpenSSL bug

    Trusted Advisor
    Posted Apr 13, 2014 03:04 PM

    Just a note to say that a Nessus scan of our SEPMs (12.1 RU2 and 12.1 RU4) indicates that they are NOT vulnerable.

    Can anyone confirm this?



  • 36.  RE: OpenSSL bug

    Posted Apr 14, 2014 03:47 AM

    Have you seen the official SEP article on this that Mick posted earlier (repeated below)?

    http://www.symantec.com/docs/TECH216558

    This confirms both 12.1RU2 and 12.1RU4 are indeed vulnerable to this exploit.  Is it possible you've got IPS enabled on those SEPMs and that the new sigs are doing their job?



  • 37.  RE: OpenSSL bug

    Trusted Advisor
    Posted Apr 14, 2014 10:16 AM

    Oh yeah, I know that Symantec says that they're vulnerable, hence my confusion/question.  Embarrassingly, only the AV functions of the SEP agent are installed on this server (!).

    Just wondering if anyone else with a Nessus can confirm this.



  • 38.  RE: OpenSSL bug

    Trusted Advisor
    Posted Apr 14, 2014 10:21 AM

    Snippet from the log:

    8443/tcp  open  ssl/http      syn-ack Apache Tomcat/Coyote JSP engine 1.1
    | ssl-heartbleed:
    |   NOT VULNERABLE:
    |   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
    |     State: NOT VULNERABLE
    |     References:
    |       http://cvedetails.com/cve/2014-0160/
    |       http://www.openssl.org/news/secadv_20140407.txt
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160



  • 39.  RE: OpenSSL bug

    Posted Apr 14, 2014 10:30 AM

    The article only mentions port 8445 (the httpd part of the SEPM) being affected.

    I'm also trying to get confirmation on whether the Tomcat component on port 8443 is vulnerable or not at this moment.  Your Nessus seems to suggest it is not (woohoo), but I'm hoping a Symantec bod can provide confirmation of this.



  • 40.  RE: OpenSSL bug

    Trusted Advisor
    Posted Apr 14, 2014 10:31 AM

    Oh I see.  The Nessus scan queried 8443 but not 8445.  I'm having the admin run that scan again.



  • 41.  RE: OpenSSL bug

    Posted Apr 16, 2014 01:46 PM

    @ Phil_G and the "the tone of the initial statement" is what it is. Our executives recognize this is a catastrophic vulnerability, and to make such a statement, even if suspect, was reckless. What if someone perusing these forums blocked access to port 8443? See again my original statement to this. I stand by my emphasis because these forums are where admins and others peruse for official and accurate information. No need to be sensitive, but at the same time, reckless statements are to be checkmated.



  • 42.  RE: OpenSSL bug

    Posted Apr 16, 2014 11:56 PM

    Symantec will release a new SEPM 12.1.4 MP1 version for OpenSSL

    Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1a (RU4 MP1a) has been released for the English version of our product and additional languages will become available throughout the week.

    This document will be updated as the additional languages become available on Symantec FileConnect. Please see Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control for additional instruction on downloading this new update. This new version updates the Symantec Endpoint Protection Manager to 12.1.4104.4130 to address this issue. There are no updates to the client installation packages included with this release. This Symantec Endpoint Protection Manager update is a complete release and accepts migrations from any previous release of the Symantec Endpoint Protection 12.1 product line.

    Note: In the installation media, the Versions.txt indicates that the SEP client version was updated as well. This is incorrect and the client versions included with this release are 12.1 RU4 MP1. Only the Symantec Endpoint Protection Manager version is updated to 12.1 RU4 MP1a.


  • 43.  RE: OpenSSL bug

    Posted Apr 18, 2014 03:56 AM

    Symantec Endpoint Protection 12.1.4.1a is now available

    Article:AL1555 | Created: 2014-04-17 | Updated: 2014-04-17 | Article URL http://www.symantec.com/docs/AL1555

    Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1A (12.1 RU4 MP1a) English has been posted to FlexNet!

    https://www-secure.symantec.com/connect/blogs/symantec-endpoint-protection-121-release-update-4-maintenance-patch-1a-121-ru4-mp1a-english-ha



  • 44.  RE: OpenSSL bug

    Posted Apr 18, 2014 04:38 AM

    Hi,


    Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1a (12.1.4104.4130 - 12.1 RU4 MP1a) English has been released and is now available for customers to download on FlexNet. This new SEPM release addresses the OpenSSL “Heart Bleed” vulnerability. Additional language versions will become available throughout the week.

    An additional note: the Tech article has been updated with directions to download the maintenance patch:
    http://www.symantec.com/business/support/index?page=content&id=TECH103088

    Please continue to check the product matrix and each product Tech note for up-to-date information on other products.
    http://www.symantec.com/outbreak/?id=heartbleed

    Regards