Endpoint Protection

 View Only
Back to discussions
Expand all | Collapse all

Heartbleed bug on sepm consoles

pete

peteApr 11, 2014 06:42 AM

IPS signature has been released.
Migration User

Migration UserApr 16, 2014 03:22 AM

What tools are you using to scan this?
Migration User

Migration UserApr 16, 2014 05:04 AM

I used qualysguard.

  • 1.  Heartbleed bug on sepm consoles

    Posted Apr 11, 2014 06:35 AM

    Hello Folks:

    This is with regards to the heartbleed blog which was recently discovered. Any one found this vuln in sepm console ? since this is running in 8443.



  • 2.  RE: Heartbleed bug on sepm consoles

    Posted Apr 11, 2014 06:37 AM

    See here

    Is Symantec Endpoint Protection affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)

    Article:TECH216558  |  Created: 2014-04-09  |  Updated: 2014-04-10  |  Article URL http://www.symantec.com/docs/TECH216558

    In short:

    Which versions are impacted?
    1. Symantec Endpoint Protection clients are not impacted.
    2. No versions of Symantec Endpoint Protection 11 (SEP) are impacted. They use an earlier version of OpenSSL which is not vulnerable.
    3. SEPM 12.1 RTM to SEPM 12.1 RU1 MP1 are not impacted. They use an earlier version of OpenSSL that is not vulnerable.
    4. SEPM 12.1 RU2 to SEPM 12.1 RU4 MP1 (inclusive) are vulnerable. They utilize OpenSSL 1.0.1.

     

    If your SEPM is not externally exposed, the risk is low.



  • 3.  RE: Heartbleed bug on sepm consoles

    Posted Apr 11, 2014 06:41 AM

    Attack: OpenSSL Heartbleed CVE-2014-0160 3

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27517

    see this thread and Mick2009 comments

    https://www-secure.symantec.com/connect/forums/openssl-bug



  • 4.  RE: Heartbleed bug on sepm consoles

    Broadcom Employee
    Posted Apr 11, 2014 06:42 AM

    IPS signature has been released.

     



  • 5.  RE: Heartbleed bug on sepm consoles
    Best Answer

    Broadcom Employee
    Posted Apr 11, 2014 09:49 AM

    Hi,

    Thank you for posting in Symantec community.

    SEPM 12.1 RU2 to SEPM 12.1 RU4 MP1 (inclusive) are vulnerable. They utilize OpenSSL 1.0.1. If using one of the version then go through the following blog and document.

    Symanec offficial blog: http://www.symantec.com/connect/blogs/heartbleed-bug-poses-serious-threat-unpatched-servers

    Public Document: Is Symantec Endpoint Protection affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)

    http://www.symantec.com/docs/TECH216558

    Subscribe to this article to be notified of any changes to this article.

     



  • 6.  RE: Heartbleed bug on sepm consoles

    Broadcom Employee


  • 7.  RE: Heartbleed bug on sepm consoles

    Posted Apr 14, 2014 03:51 AM

    Hi All:

    I found that the sepm is vulnerable to heartbleed bug..I use sepm 12.1.3 . Any suggestions ?



  • 8.  RE: Heartbleed bug on sepm consoles

    Posted Apr 14, 2014 04:02 AM

    See Mick2009 comments

    Attack: OpenSSL Heartbleed CVE-2014-0160 3

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27517

    This signature was added in Security Update: 772 [Extended version: April 10, 2014 Rev: 012]

    See this thread

    https://www-secure.symantec.com/connect/forums/openssl-bug



  • 9.  RE: Heartbleed bug on sepm consoles

    Posted Apr 14, 2014 04:47 AM

    Symantec have released  SEP IPS signature released to take care of the vulnerability.
     
    If the SEP client defending the SEPM has its IPS component in place, this IPS signature will offer protection: Attack: OpenSSL Heartbleed CVE-2014-0160 3
    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27517
     
    This signature was added in Security Update: 772 [Extended version: April 10, 2014 Rev: 012]
     
     
    We have public BLOG on Heartbleed which can be viewed by clicking on the link below
    http://www.symantec.com/connect/blogs/heartbleed-bug-poses-serious-threat-unpatched-servers
     
    Below is further information regarding the OpenSSL vulnerability dubbed “Heartbleed” and how it pertains to the Symantec security products.
     
    The Symantec Endpoint Protection client is not affected.  Certain Symantec Endpoint Protection Manager (SEPM) builds are affected.  Those details can be found here:
     
    Is Symantec Endpoint Protection affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)
    www.symantec.com/docs/TECH216558
     
    The document will be updated as new information becomes available.  You can subscribe to the document to be notified when updates are made.  Symantec engineering is working on a version of the SEPM to address this issue. Until the new build is available, please use the mitigation steps in the article listed above.
     
    For further information about the OpenSSL vulnerability please visit the Symantec Outbreak page.
    www.symantec.com/outbreak/

     

    Regards

     



  • 10.  RE: Heartbleed bug on sepm consoles

    Posted Apr 14, 2014 06:36 AM

    Pretty simple, follow the workaround in the article I posted



  • 11.  RE: Heartbleed bug on sepm consoles
    Best Answer

    Broadcom Employee
    Posted Apr 14, 2014 09:17 AM

    Hi,

    Lates updates are as per the following:

    April 13, 2014 (15:15 PDT):
    Symantec has posted a matrix with the latest Symantec product information. We will continue to update this with new information. We encourage our customers to keep checking this page and specific product support pages for current information and updates.
    April 11, 2014 (22:35 PDT):
    Symantec has identified that some of its products may be impacted by the OpensSSL vulnerability, dubbed Heartbleed. We have begun issuing advisories to our customers to alert them and provide mitigation solutions while we work to deploy any necessary patches. To date, we have not seen any malicious exploitation of this vulnerability. We encourage our customers to check specific product support pages, and this page for information and updates as well.
    April 10, 2014 (15:15 PDT):
    Our product teams are continuing their investigations of whether any products are impacted by this vulnerability. We recommend that you check your Symantec product support pages for the latest updates from these teams. You can subscribe to any Knowledge Base (KB) documents on the product support pages to ensure you automatically receive updates with any new information.
    April 9, 2014 (21:00 PDT):
    Symantec is aware of and currently investigating the OpenSSL vulnerability, dubbed “Heartbleed”, which allows attackers to read the memory of the systems using vulnerable versions of the OpenSSL open source library. We will provide updates as they become available.
    Reference:

    http://www.symantec.com/outbreak/?id=heartbleed



  • 12.  RE: Heartbleed bug on sepm consoles

    Posted Apr 14, 2014 11:42 AM

    Be advised about another type of attack exploiting the Heartbleed Vulnerability - Reverse Heartbleed - Security Response has posted a brief blog about this already:

     

    Heartbleed Poses Risk to Clients and the Internet of Things

    https://www-secure.symantec.com/connect/blogs/heartbleed-poses-risk-clients-and-internet-things

     



  • 13.  RE: Heartbleed bug on sepm consoles

    Trusted Advisor
    Posted Apr 15, 2014 01:51 PM

    Hello,

    If the SEP client defending the SEPM has its IPS component in place, this IPS signature will offer protection:

    Attack: OpenSSL Heartbleed CVE-2014-0160 3

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27517

    This signature was added in Security Update: 772 [Extended version: April 10, 2014 Rev: 012]

    IPS is a crucial part of today's defenses.

    Two Reasons why IPS is a "Must Have" for your Network

    https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

    Hope this helps!



  • 14.  RE: Heartbleed bug on sepm consoles

    Posted Apr 15, 2014 02:05 PM

    Has anyone confirmed this IPS signature is actually working?  We have modified the rule from its default action of 'allow/do not log' to 'block/log' and still see nothing when we scan it and it still comes back vulnerable.
     



  • 15.  RE: Heartbleed bug on sepm consoles

    Posted Apr 16, 2014 03:22 AM

    What tools are you using to scan this?



  • 16.  RE: Heartbleed bug on sepm consoles

    Posted Apr 16, 2014 05:04 AM

    I used qualysguard.



  • 17.  RE: Heartbleed bug on sepm consoles

    Posted Apr 16, 2014 09:42 AM

    We use NCircle.  Are you still seeing this as vulnerable with the IPS signature in place?



  • 18.  RE: Heartbleed bug on sepm consoles
    Best Answer

    Posted Apr 18, 2014 12:25 AM

    Symantec Endpoint Protection 12.1.4.1a is now available

    Article:AL1555 | Created: 2014-04-17 | Updated: 2014-04-17 | Article URL http://www.symantec.com/docs/AL1555


  • 19.  RE: Heartbleed bug on sepm consoles

    Posted Apr 18, 2014 03:49 AM

    Yes, I still see the servers are affected even if the IPS signature in place.



  • 20.  RE: Heartbleed bug on sepm consoles

    Posted Apr 25, 2014 10:06 AM

    Followers of this thread may be interested in attending Symantec's webcast on Tuesday the 29th.  The following blog post has all the details and a link to the registration page

    The Heartbleed Bug: How to Protect Your Business
    https://www-secure.symantec.com/connect/blogs/heartbleed-bug-how-protect-your-business

    With thanks and best regards,

    Mick