Is Symantec Endpoint Protection affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)

Article:TECH216558  |  Created: 2014-04-09  |  Updated: 2014-04-23  |  Article URL http://www.symantec.com/docs/TECH216558
Article Type
Technical Solution


Issue



A security bug in OpenSSL (Heartbleed, CVE-2014-0160) was announced on 07-Apr-2014. OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are vulnerable.


Solution



Symantec Endpoint Protection Manager (SEPM) utilizes OpenSSL. As a result, some versions of SEPM are affected.

 
Which versions are impacted?
  1. Symantec Endpoint Protection clients are not impacted.
  2. No versions of Symantec Endpoint Protection 11 (SEP) are impacted by this issue.
  3. SEPM 12.1 RTM to SEPM 12.1 RU1 MP1 are not impacted. They use an earlier version of OpenSSL that is not vulnerable.
  4. SEPM 12.1 RU2 to SEPM 12.1 RU4 MP1 (inclusive) are vulnerable. They utilize OpenSSL 1.0.1.
 
 
Will Symantec be releasing a version of SEP to address this issue?
 
Yes, Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1a (RU4 MP1a) and Symantec Network Access Control 12.1 RU4 MP1a (including Starter Edition) are available in all supported languages on Symantec FileConnect. Please see Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control for additional instruction on downloading this release. This version updates the Symantec Endpoint Protection Manager to 12.1.4104.4130 to address this issue. There are no updates to the client installation packages included with this release. This Symantec Endpoint Protection Manager update is a complete release and accepts migrations from any previous release of the Symantec Endpoint Protection 12.1 product line.
 
Note: In the installation media, the Versions.txt indicates that the SEP client version was updated as well. This is incorrect and the client versions included with this release are 12.1 RU4 MP1. Only the Symantec Endpoint Protection Manager version is updated to 12.1 RU4 MP1a.
 
What mitigation options are available for customers that are using SEPM 12.1 RU2 to SEPM 12.1 RU4 MP1?
Customers using an affected version should block general access to port 8445 on their SEPM to mitigate this vulnerability until they have migrated their SEPMs to version 12.1 RU4 MP1a (12.1.4104.4130).
 
To temporarily mitigate the vulnerability before you upgrade the Symantec Endpoint Protection Manager console, you can block the affected port with a firewall rule. However, if you block the port, the management console loses specific functionality. You should review the implications prior to implementation.
 
Note: The port mentioned below is the Symantec Endpoint Protection Manager default reporting port. If you have changed the reporting port, please alter the firewall rules appropriately.
 
High Level Steps: Add a firewall rule to block the specific port on the computer on which you installed Symantec Endpoint Protection Manager. This firewall rule should apply to all hosts and all applications.
 
To confirm that the rule applied successfully, simply telnet to the port. If the rule is configured correctly, the firewall successfully blocks traffic and does not permit a connection on the port.
 
Implications: If an administrator logs in to the SEPM with port 8445 blocked, the first three reporting tabs (Home, Monitors, and Reports) will not display in the Remote Java console. Blocking port 8445 will deny access to the Remote Reporting Console as well. Administrators may configure firewall rules to allow access to port 8445 or 443 from explicit hosts, IP addresses, or IP address ranges to enable these features.
 
Secure client/server communications: If FIPS mode is enabled, or if SEP has been configured to use secure client/server communication, port 443 is used for client/server communications. In these cases, port 443 should be restricted. Blocking port 443 denies communication to and from all clients that are using secure communication. Administrators can configure firewall rules to allow access to port 443 from explicit hosts, IP addresses, or IP address ranges to enable these features.
 
 
I am concerned that my Symantec Endpoint Protection Manager certificate may have been compromised and want to replace my manager's certificates. What is the best way to do this?
 
 
How do I create a Symantec Endpoint Protection firewall rule to block communication from all machines on the network to port 8445?
The following steps explain how to create a firewall rule for Symantec Endpoint Protection clients to block all inbound communication to TCP port 8445. If this rule is applied to the Symantec Endpoint Protection client on SEPM server(s), it will prevent all computers in the network from communicating with port 8445 on the Symantec Endpoint Protection Manager.
  1. Login to the SEPM
  2. Click Policies
  3. Click Firewall
  4. Right-click your existing firewall policy
  5. Click Edit
  6. Click Rules
  7. Click Add Blank Rule. If the rule is not created at the top of the firewall rule list, select the new rule and use the Move Up button to move the rule to the top of the list.
  8. Rename the rule to: Block 8445 Communication
  9. Set the rule's action to: Block
  10. Set Application to: Any
  11. Set Host to: Any
  12. Right-click Service and click Edit
  13. Click Add
  14. Set Protocol to: TCP
  15. Select the radio button: Local/Remote
  16. In Local Port, enter: 8445  (Note: This is the default port. If you have configured your SEPM to use a different port for reporting, substitute that port here.)
  17. Leave Remote Port blank.
  18. Set Direction to: Incoming
  19. Click OK
  20. Right-click Log and click Write to Traffic Log
  21. Click OK
  22. Right-click the firewall policy and click Assign. Assign it to the group(s) which contain your SEPM(s) servers.

Once you configure the policy from within the Symantec Endpoint Protection Manager, you will need to wait for the policy to propagate to the Symantec Endpoint Protection client installed on the SEPM server(s) prior to testing. To force the SEP client to download the modified policy immediately, right-click the SEP system-tray icon and click Update Policy.

To confirm that the rule applied successfully, simply telnet to port 8445 from another computer on the network. (Note: This is the default port. If you have configured your SEPM to use a different port for reporting, substitute that port here.) If the rule is configured correctly, the firewall successfully blocks traffic and does not permit a connection to the port. You may then examine the Traffic log of the SEP client on the SEPM server to confirm that SEP blocked the connection. See steps below.
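The telnet check above (and the same check under High Level Steps earlier in this article) can be scripted so the result is unambiguous and can be recorded for each SEPM. The following Python script is an added example and is not part of the Symantec article or product; it assumes the SEPM host name and the reporting port(s) are passed on the command line, and it includes a constructed local self-check that needs no SEPM at all. A completed handshake ("open") means the block rule is not in effect from the tester's vantage point; a timeout is what a Block rule that drops the connection attempt looks like from outside; "refused" means the host answered with a reset, so the port was reachable but nothing accepted the connection.

```python
import socket
import sys

# Added example (not Symantec code): emulates "telnet <sepm-host> 8445" and
# classifies the outcome so the mitigation check can be scripted.

DEFAULT_REPORTING_PORT = 8445   # SEPM default reporting port; substitute yours if changed


def probe_tcp_port(host, port, timeout=3.0):
    """Try one TCP connect, as telnet would, and return how it ended.

    'open'    -> handshake completed: the port is reachable, so the block
                 rule is NOT in effect from this vantage point.
    'refused' -> the host sent RST: reachable, but nothing accepted the
                 connection (or a firewall that rejects instead of dropping).
    'timeout' -> no answer at all: the SYN was silently dropped, which is how
                 a Block rule on the SEPM host appears from another computer.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:  # e.g. name lookup failure, network unreachable
        return "error:%s" % (exc.errno if exc.errno is not None else exc)
    finally:
        sock.close()


def mitigation_in_place(host, ports=(DEFAULT_REPORTING_PORT,), timeout=3.0):
    """Probe each port; first value is True only if none accepted a connection."""
    results = {port: probe_tcp_port(host, port, timeout) for port in ports}
    return all(status != "open" for status in results.values()), results


def demo_local():
    """Constructed self-check: probe a throwaway loopback listener while it is
    up, then again after it is closed. Returns ('open', 'refused')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp_port("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe_tcp_port("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    # usage: python probe_sepm.py <sepm-host> [port ...]   (default port 8445;
    # add 443 when FIPS mode or secure client/server communication is in use)
    if len(sys.argv) < 2:
        print("self-check:", demo_local())
        sys.exit(0)
    target = sys.argv[1]
    ports = tuple(int(p) for p in sys.argv[2:]) or (DEFAULT_REPORTING_PORT,)
    blocked, results = mitigation_in_place(target, ports)
    for port, status in sorted(results.items()):
        print("%s:%d -> %s" % (target, port, status))
    print("block rule effective" if blocked else "port still accepts connections")
```

Run it from a computer other than the SEPM server so that the SEP client's Block rule is actually in the path; the matching "blocked" entry should then appear in that client's Traffic log as described in the next section.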

 

How do I confirm that SEP blocked communication to the reporting port using the Firewall rule I created (above)?

  1. In the system tray, double-click the Symantec Endpoint Protection (SEP) to open the SEP client
  2. Click View Logs
  3. Click View Logs next to Network Threat Protection
  4. Click Traffic Log
  5. Confirm you see the blocked attempt to connect to port 8445. (Note: This is the default port. If you have configured your SEPM to use a different port for reporting, substitute that port here.)

 






Terms of use for this information are found in Legal Notices