
Heartbleed bug on sepm consoles

Created: 11 Apr 2014 • Updated: 18 Apr 2014 | 19 comments
This issue has been solved. See solution.

Hello Folks:

This is with regard to the Heartbleed bug, which was recently discovered. Has anyone found this vuln in the SEPM console, since it is running on 8443?


.Brian's picture

See here

Is Symantec Endpoint Protection affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)

Article:TECH216558  |  Created: 2014-04-09  |  Updated: 2014-04-10  |  Article URL http://www.symantec.com/docs/TECH216558

In short:

Which versions are impacted?
  1. Symantec Endpoint Protection clients are not impacted.
  2. No versions of Symantec Endpoint Protection 11 (SEP) are impacted. They use an earlier version of OpenSSL which is not vulnerable.
  3. SEPM 12.1 RTM to SEPM 12.1 RU1 MP1 are not impacted. They use an earlier version of OpenSSL that is not vulnerable.
  4. SEPM 12.1 RU2 to SEPM 12.1 RU4 MP1 (inclusive) are vulnerable. They utilize OpenSSL 1.0.1.

 

If your SEPM is not externally exposed, the risk is low.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Chetan Savade's picture

Hi,

Thank you for posting in Symantec community.

SEPM 12.1 RU2 to SEPM 12.1 RU4 MP1 (inclusive) are vulnerable. They utilize OpenSSL 1.0.1. If you are using one of these versions, go through the following blog and document.

Symantec official blog: http://www.symantec.com/connect/blogs/heartbleed-bug-poses-serious-threat-unpatched-servers

Public Document: Is Symantec Endpoint Protection affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)

http://www.symantec.com/docs/TECH216558

Subscribe to this article to be notified of any changes to this article.

 

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Chetan Savade's picture

Signature ID (27517) for IDS/IPS http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=sep&pvid=sep1213&year=2014&suid=SEP_Jaguar-SU772-20140410.012

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27517

Reference: https://www-secure.symantec.com/connect/blogs/heartbleed-openssl-take-action-now

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


56bit's picture

Hi All:

I found that the SEPM is vulnerable to the Heartbleed bug. I use SEPM 12.1.3. Any suggestions?

.Brian's picture

Pretty simple, follow the workaround in the article I posted


James007's picture

See Mick2009 comments

Attack: OpenSSL Heartbleed CVE-2014-0160 3

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27517

This signature was added in Security Update: 772 [Extended version: April 10, 2014 Rev: 012]

See this thread

https://www-secure.symantec.com/connect/forums/openssl-bug

SameerU's picture

Symantec has released a SEP IPS signature to take care of the vulnerability.
 
If the SEP client defending the SEPM has its IPS component in place, this IPS signature will offer protection: Attack: OpenSSL Heartbleed CVE-2014-0160 3
http://www.symantec.com/security_response/attacksi...
 
This signature was added in Security Update: 772 [Extended version: April 10, 2014 Rev: 012]
 
 
We have public BLOG on Heartbleed which can be viewed by clicking on the link below
http://www.symantec.com/connect/blogs/heartbleed-b...
 
Below is further information regarding the OpenSSL vulnerability dubbed “Heartbleed” and how it pertains to the Symantec security products.
 
The Symantec Endpoint Protection client is not affected.  Certain Symantec Endpoint Protection Manager (SEPM) builds are affected.  Those details can be found here:
 
Is Symantec Endpoint Protection affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)
www.symantec.com/docs/TECH216558
 
The document will be updated as new information becomes available.  You can subscribe to the document to be notified when updates are made.  Symantec engineering is working on a version of the SEPM to address this issue. Until the new build is available, please use the mitigation steps in the article listed above.
 
For further information about the OpenSSL vulnerability please visit the Symantec Outbreak page.
www.symantec.com/outbreak/

 

Regards

 

Chetan Savade's picture

Hi,

Latest updates are as per the following:

April 13, 2014 (15:15 PDT):
Symantec has posted a matrix with the latest Symantec product information. We will continue to update this with new information. We encourage our customers to keep checking this page and specific product support pages for current information and updates.

April 11, 2014 (22:35 PDT):
Symantec has identified that some of its products may be impacted by the OpenSSL vulnerability, dubbed Heartbleed. We have begun issuing advisories to our customers to alert them and provide mitigation solutions while we work to deploy any necessary patches. To date, we have not seen any malicious exploitation of this vulnerability. We encourage our customers to check specific product support pages, and this page for information and updates as well.

April 10, 2014 (15:15 PDT):
Our product teams are continuing their investigations of whether any products are impacted by this vulnerability. We recommend that you check your Symantec product support pages for the latest updates from these teams. You can subscribe to any Knowledge Base (KB) documents on the product support pages to ensure you automatically receive updates with any new information.

April 9, 2014 (21:00 PDT):
Symantec is aware of and currently investigating the OpenSSL vulnerability, dubbed “Heartbleed”, which allows attackers to read the memory of the systems using vulnerable versions of the OpenSSL open source library. We will provide updates as they become available.

Reference:

http://www.symantec.com/outbreak/?id=heartbleed

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


SebastianZ's picture

Be advised about another type of attack exploiting the Heartbleed Vulnerability - Reverse Heartbleed - Security Response has posted a brief blog about this already:

 

Heartbleed Poses Risk to Clients and the Internet of Things

https://www-secure.symantec.com/connect/blogs/hear...

 

Mithun Sanghavi's picture

Hello,

If the SEP client defending the SEPM has its IPS component in place, this IPS signature will offer protection:

Attack: OpenSSL Heartbleed CVE-2014-0160 3

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27517

This signature was added in Security Update: 772 [Extended version: April 10, 2014 Rev: 012]

IPS is a crucial part of today's defenses.

Two Reasons why IPS is a "Must Have" for your Network

https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

Hope this helps!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

andymease's picture

Has anyone confirmed this IPS signature is actually working?  We have modified the rule from its default action of 'allow/do not log' to 'block/log' and still see nothing when we scan it and it still comes back vulnerable.
 

SebastianZ's picture

What tools are you using to scan this?

andymease's picture

We use NCircle.  Are you still seeing this as vulnerable with the IPS signature in place?

56bit's picture

Yes, I still see the servers are affected even if the IPS signature is in place.

James007's picture

Symantec Endpoint Protection 12.1.4.1a is now available

Article:AL1555 | Created: 2014-04-17 | Updated: 2014-04-17 | Article URL http://www.symantec.com/docs/AL1555
SOLUTION
Mick2009's picture

Followers of this thread may be interested in attending Symantec's webcast on Tuesday the 29th. The following blog post has all the details and a link to the registration page.

The Heartbleed Bug: How to Protect Your Business
https://www-secure.symantec.com/connect/blogs/heartbleed-bug-how-protect-your-business

With thanks and best regards,

Mick

 
