
OpenSSL bug

Created: 08 Apr 2014 | 43 comments
SMLatCST's picture

Quick heads up, a vulnerability was announced yesterday for OpenSSL and registered under CVE-2014-0160:

https://www.openssl.org/news/secadv_20140407.txt

A SEPM on 12.1RU4a runs OpenSSL v1.0.1e and is presumably affected.  I've not had a chance to check RU4MP1 yet.

As with the previous SEPM vulnerability, this should only really affect those who allow communications with external endpoints.  If everything is internal, then your exposure will be limited.


Brɨan's picture

Hopefully Symantec sends out an update here soon

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

JUSTICE's picture

We are monitoring too. Awaiting response from Symantec.

Marcus Sebastian Payne
"So cyberspace is real. And so are the risks that come with it."
- President Barack Obama

Ltelric's picture

When you say "allow communications with external endpoints", would this include home workers who connect via VPN (i.e. the SEP client can only communicate with the SEPM when the VPN is established)?

I assume, no, but wanted to double check with the community.

Mick2009's picture

Thanks for the post, SMLatCST.

Symantec is aware and currently investigating the OpenSSL vulnerability, dubbed Heartbleed.  We will share more information on this threat as it becomes available.

With thanks and best regards,

Mick

jjee's picture

Wondering if this OpenSSL bug affects the Endpoint Encryption Suite of products as well? 

Sue H's picture

Hi jjee,

The Endpoint Encryption products are not affected by the OpenSSL vulnerability. For more information, please see the knowledgebase article at http://www.symantec.com/docs/TECH216642.

Thanks!

...sue

JUSTICE's picture

@jjee see: Hot off the press: http://www.symantec.com/business/support/index?page=content&id=TECH216516


dmaltby's picture

It appears that SEP 12.1 RU4 MP1 is running OpenSSL 1.0.1f (SEPM\apache\bin\ssleay32.dll), which is still vulnerable.

Is there word of an IPS detection for this (for use within Network Threat Protection IPS component of SEP)?

Brɨan's picture

Haven't seen one yet but I've seen signatures for other products so I've got to believe one is coming


JUSTICE's picture

Boo-Yah! https://www-secure.symantec.com/connect/blogs/heartbleed-bug-poses-serious-threat-unpatched-servers


JUSTICE's picture

Absolutely we are anxiously monitoring for a Signature ID for IDS/IPS.


hans.sunnaert@fitit.be's picture

SEPM 12.1 RU4 uses OpenSSL 1.0.1e:

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin>
openssl version
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL 1.0.1e 11 Feb 2013

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin>

Is there a Symantec patch that we can install on the management server?

If we do a check with an online tool, we are vulnerable.

hans.sunnaert@fitit.be's picture

We got a solution for SEPM RU4 with OpenSSL 1.0.1e; see the following link: https://wiki.bitnami.com/security/2014-04_Heartbleed_Bug/Heartbleed_on_Windows

We had to install the C++ redistributable installer for Visual Studio 2012 x86, but it works.

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin>
openssl.exe version
WARNING: can't open config file: c:/openssl-1.0.1g/ssl/openssl.cnf
OpenSSL 1.0.1g 7 Apr 2014

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin>

em1234's picture

The article I see at http://www.symantec.com/connect/blogs/heartbleed-bug-poses-serious-threat-unpatched-servers states "This is a vulnerability of the OpenSSL library, and not a flaw with SSL/TLS nor certificates issued by Symantec", yet when I look up the properties of the ssleay32.dll located at E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin for SEPM version 12.1.4023.4080, the product version is 1.1.1e.  Will there not be a fix provided by Symantec?

pete_4u2002's picture

Do not install OpenSSL on the SEPM; I suggest opening a support ticket.

vickg's picture

This is the response I got from opening a support ticket:

My name is ***** from Symantec Australia and I'll be working on your case ********. Below I have listed options to mitigate the vulnerability:

1. Upgrade OpenSSL to version 1.0.1g, which should update to the latest fixed version of the software (1.0.1g)
http://www.openssl.org/source/
(Since this is an issue with another vendor, we are not responsible for how to perform the upgrade to 1.0.1g; however, step 2 is a workaround to protect the SEPM until a patch is released for the SEPM.)

2. Block off port 8445
To temporarily mitigate the vulnerability before you upgrade the Symantec Endpoint Protection Manager console, you can block the affected port with a firewall rule. However, if you block the port, the management console loses specific functionality. You should review the implications prior to implementation.

Note: The port mentioned below is the Symantec Endpoint Protection Manager default port. If you have changed the communication port, please alter the firewall rules appropriately.

Steps: Add a firewall rule to block the specific port on the computer on which you installed Symantec Endpoint Protection Manager. This firewall rule should apply to all hosts and all applications.

To confirm that the rule applied successfully, simply telnet to the port. If the rule is configured correctly, the firewall successfully blocks traffic and does not permit a connection on the port.

Note: For instructions on creating a firewall rule using the Symantec Endpoint Protection client, please see HOWTO81156: Adding a new firewall rule. If you configure the policy from the Symantec Endpoint Protection Manager, you will need to wait for the policy to propagate to the Symantec Endpoint Protection client installed on the SEPM server prior to testing. To force the SEP client to download the modified policy immediately, right-click the SEP system-tray icon and click Update Policy.

Implications: If an administrator logs in to the SEPM with port 8445 blocked, the first three reporting tabs (Home, Monitors, and Reports) will not display in the Remote Java console. Blocking port 8445 will deny access to the Remote Web Console as well. Administrators may configure firewall rules to allow access to port 8445 or 443 from explicit hosts, IP addresses, or IP address ranges to enable these features.

FIPS mode: FIPS mode utilizes port 443 for client/server communications. If FIPS mode is enabled, port 443 should be restricted. Blocking port 443 will deny communication to/from all clients that are in FIPS mode. Administrators may configure firewall rules to allow access to port 443 from explicit hosts, IP addresses, or IP address ranges to enable these features.

Symantec public article regarding the heartbleed vulnerability
http://www.symantec.com/connect/blogs/heartbleed-b...

.....  so, what was that about not installing openssl ourselves?
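The support reply quoted above says to confirm the port-8445 firewall rule by telnetting to the port. The following is an added example, not from this thread and not Symantec's own tooling, that performs that same verification from Python and tells apart a connection that times out (what a firewall drop rule produces) from one that is refused (nothing listening), so a "blocked" verdict is not confused with a service that is simply down. The port roles are the ones described in this thread (8445 for the httpd reporting component, 8443 for the Tomcat remote console, 443 for FIPS-mode clients); the SEPM host name is a placeholder, and `demo()` runs only against local sockets.

```python
import socket

# Port roles as described in this thread; adjust if the SEPM uses non-default ports.
SEPM_PORTS = {
    8445: "Apache httpd (reporting tabs, remote web console)",
    8443: "Tomcat (remote Java console, admin login)",
    443: "client/server communication when FIPS mode is enabled",
}


def probe_port(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for a TCP connect.

    A firewall *drop* rule shows up as 'timeout'. 'refused' means the host
    answered and nothing is listening (or a reject rule replied), which is a
    different finding from the rule the support reply describes.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def audit(host, ports=SEPM_PORTS, timeout=3.0):
    """Probe every port of interest on one host; returns {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def demo():
    """Local self-check: one listening socket and one port known to be closed.

    Returns the two states so the behaviour can be verified offline.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Grab an ephemeral port number and release it again so it is closed.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        return (probe_port("127.0.0.1", open_port, 1.0),
                probe_port("127.0.0.1", closed_port, 1.0))
    finally:
        listener.close()


if __name__ == "__main__":
    print("self-check (open, closed):", demo())
    # Placeholder host name: replace with your SEPM server.
    for port, state in audit("sepm.example.internal").items():
        print(port, SEPM_PORTS[port], "->", state)
```

Run the audit from a host outside the allowed set: after the rule is applied, 8445 should report "timeout", while 8443 stays "open" (the thread is explicit that 8443 carries console logins and must not be blocked). A "refused" on 8445 means the httpd component is down rather than filtered, which is worth knowing before you report the workaround as in place.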

Brɨan's picture

In the past, Symantec always said to wait for a patch to come out to address things like this. Interesting that this was suggested.

They do say they're not responsible though.

Personally, I wouldn't do it. I'd use the other workarounds until an actual patch is released.


Phil_G's picture

Symantec:

On my SEP 12.1 MR4 server:

Go to <drive path>:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin

Type "openssl version -a"

Received the message:
"WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL 1.0.1e 11 Feb 2013
built on: Fri Mar  8 17:18:20 2013
platform: VC-WIN32
"

So, will there be a patch??
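Several posts above (dmaltby's, hans.sunnaert's and Phil_G's) pin down exposure by reading the version string that the bundled openssl.exe or ssleay32.dll reports. The following is an added example, not from this thread and not Symantec's tooling, that parses that `openssl version` output (the two outputs pasted in the thread are embedded as constructed samples) and applies the range the OpenSSL advisory linked in the first post gives as affected: 1.0.1 through 1.0.1f, plus 1.0.2-beta1, with 1.0.1g as the fix. The `assess_binary` helper and its path argument are hypothetical conveniences. One caveat: the version string is a triage signal, not proof. Distribution packages that backport the fix, and builds compiled with `-DOPENSSL_NO_HEARTBEATS`, keep the old version string, so for anything other than a plain upstream build like the one the SEPM ships, confirm with the vendor's advisory.

```python
import re
import subprocess

# Constructed samples: the `openssl version` outputs pasted earlier in the thread.
SAMPLE_RU4 = ("WARNING: can't open config file: /usr/local/ssl/openssl.cnf\n"
              "OpenSSL 1.0.1e 11 Feb 2013\n")
SAMPLE_PATCHED = ("WARNING: can't open config file: c:/openssl-1.0.1g/ssl/openssl.cnf\n"
                  "OpenSSL 1.0.1g 7 Apr 2014\n")

# Matches only the version line; the WARNING line the SEPM build prints is skipped.
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-\S+)?", re.MULTILINE)


def parse_version(output):
    """Return (major, minor, patch, letter, suffix) from `openssl version` output."""
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError("no 'OpenSSL x.y.z' line found in output")
    major, minor, patch, letter, suffix = match.groups()
    return int(major), int(minor), int(patch), letter, suffix or ""


def is_heartbleed_version(version):
    """True if the reported version is in the range secadv_20140407 lists as affected.

    1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g is fixed.
    0.9.8 and 1.0.0 never contained the TLS heartbeat code.
    Backported or NO_HEARTBEATS builds report an old string yet are safe,
    so a True result means "investigate", not "exploitable".
    """
    major, minor, patch, letter, suffix = version
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"  # "" (plain 1.0.1) and a..f sort before g
    if (major, minor, patch) == (1, 0, 2):
        return suffix == "-beta1"
    return False


def assess(output):
    """Summarise one `openssl version` output as a small report dict."""
    version = parse_version(output)
    return {
        "version": "%d.%d.%d%s%s" % version,
        "heartbleed_version": is_heartbleed_version(version),
    }


def assess_binary(path):
    """Hypothetical helper: run the given openssl binary and assess its output.

    The SEPM copy lives under ...\\Symantec Endpoint Protection Manager\\apache\\bin
    per the thread; stderr is included because the WARNING line goes there.
    """
    result = subprocess.run([path, "version"], capture_output=True, text=True, check=False)
    return assess(result.stdout + result.stderr)


if __name__ == "__main__":
    for label, sample in (("SEPM 12.1 RU4 as shipped", SAMPLE_RU4),
                          ("after swapping in 1.0.1g", SAMPLE_PATCHED)):
        print(label, "->", assess(sample))
```

Pointed at every SEPM's apache\bin directory, this gives an inventory of which managers still carry an affected build and which have been updated; the same check applies to RU4 MP1's 1.0.1f, which dmaltby notes above is also in range.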

Niners77's picture

Can we get a plain answer, hopefully in the form of an official blog post?

For SEPMs: Do we update OpenSSL on our own? Or will there be an actual Symantec update?

em1234's picture

I was informed by support to block port 8445 on the firewall to the SEPMs as well

Phil_G's picture

Port 8443, too, I would suspect.

JUSTICE's picture

Negative, Phil_G, do not block port 8443. Your suspicion is wrong. Port 8443: HTTPS communication between a remote management console and the SEP Manager. All login information and administrative communication takes place using this secure port. Please peruse http://www.symantec.com/business/support/index?page=content&id=TECH102416 and http://www.symantec.com/business/support/index?page=content&id=TECH163787. A Signature ID for IDS/IPS, which Symantec should create, is the preferred method.


Phil_G's picture

I appreciate the technical information, but I didn't care for the tone of the initial statement "Negative Phil_G to block port 8443. Suspect is wrong".

Mick2009's picture

Here is some information for followers of this thread:

Symantec Endpoint Protection affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)
Article:TECH216558 | Created: 2014-04-09 | Updated: 2014-04-10 | Article URL http://www.symantec.com/docs/TECH216558


JUSTICE's picture

@ Mick2009 Awesome News. Thanks Symantec.


Mick2009's picture

Also see this page:

Heartbleed Vulnerability
http://www.symantec.com/outbreak/?id=heartbleed


Chetan Savade's picture

Hello Everyone,

Subscribe to this article to be notified of any changes to this article.

Is Symantec Endpoint Protection affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)

http://www.symantec.com/docs/TECH216558

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Mick2009's picture

Also: if the SEP client defending the SEPM has its IPS component in place, this IPS signature will offer protection:

Attack: OpenSSL Heartbleed CVE-2014-0160 3

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27517

This signature was added in Security Update: 772 [Extended version: April 10, 2014 Rev: 012]

IPS is a crucial part of today's defenses.

Two Reasons why IPS is a "Must Have" for your Network

https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

Hope this helps!

Mick

SMLatCST's picture

That's great news!

Thanks for the update, Mick.

SMLatCST's picture

Whoops, bit of a typo on the site regarding the IPS defs methinks.  Quick heads up in case anyone is concerned.

The below link only shows IPS rev 20140410r1 as available:

http://www.symantec.com/security_response/definiti...

Whereas the defs protecting us from Heartbleed are 20140410r12, according to:

http://www.symantec.com/security_response/security...

It does appear that even though the SEPM also says 20140410r1 (under Show LiveUpdate Downloads), when the defs get down to the client, they report the correct revision of 20140410r12, so you should be.

JUSTICE's picture

Thank you, Mick2009, again for the Symantec best practice approach and for the reference to the necessary Signature ID (27517) for IDS/IPS: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=sep&pvid=sep1213&year=2014&suid=SEP_Jaguar-SU772-20140410.012

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27517

Again, an outstanding reference to:

Two Reasons why IPS is a "Must Have" for your Network

https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

BRAVO ZULU Team Symantec


HighTower's picture

Just a note to say that a Nessus scan of our SEPMs (12.1 RU2 and 12.1 RU4) indicates that they are NOT vulnerable.

Can anyone confirm this?

SMLatCST's picture

Have you seen the official SEP article on this that Mick posted earlier (repeated below)?

http://www.symantec.com/docs/TECH216558

This confirms both 12.1RU2 and 12.1RU4 are indeed vulnerable to this exploit.  Is it possible you've got IPS enabled on those SEPMs and that the new sigs are doing their job?

HighTower's picture

Oh yeah, I know that Symantec says that they're vulnerable, hence my confusion/question.  Embarrassingly, only the AV functions of the SEP agent are installed on this server (!).

Just wondering if anyone else with a Nessus can confirm this.

HighTower's picture

Snippet from the log:

8443/tcp  open  ssl/http      syn-ack Apache Tomcat/Coyote JSP engine 1.1
| ssl-heartbleed:
|   NOT VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: NOT VULNERABLE
|     References:
|       http://cvedetails.com/cve/2014-0160/
|       http://www.openssl.org/news/secadv_20140407.txt
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE...

SMLatCST's picture

The article only mentions port 8445 (the httpd part of the SEPM) being affected.

I'm also trying to get confirmation on whether the Tomcat component on port 8443 is vulnerable or not at this moment.  Your Nessus seems to suggest it is not (woohoo), but I'm hoping a Symantec bod can provide confirmation of this.

HighTower's picture

Oh I see.  The Nessus scan queried 8443 but not 8445.  I'm having the admin run that scan again.

JUSTICE's picture

@ Phil_G and "the tone of the initial statement" is what it is. Our executives recognize this is a catastrophic vulnerability, and to make such a statement, even if suspect, was reckless. What if someone perusing these forums blocked access to port 8443? See again my original statement on this. I stand by my emphasis because these forums are where admins and others peruse for official and accurate information. No need to be sensitive, but at the same time, reckless statements are to be checkmated.


James007's picture

Symantec has released a new SEPM 12.1.4 MP1 version for OpenSSL:

Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1a (RU4 MP1a) has been released for the English version of our product and additional languages will become available throughout the week.


This document will be updated as the additional languages become available on Symantec FileConnect. Please see Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control for additional instruction on downloading this new update. This new version updates the Symantec Endpoint Protection Manager to 12.1.4104.4130 to address this issue. There are no updates to the client installation packages included with this release. This Symantec Endpoint Protection Manager update is a complete release and accepts migrations from any previous release of the Symantec Endpoint Protection 12.1 product line.

Note: In the installation media, the Versions.txt indicates that the SEP client version was updated as well. This is incorrect and the client versions included with this release are 12.1 RU4 MP1. Only the Symantec Endpoint Protection Manager version is updated to 12.1 RU4 MP1a.

James007's picture

Symantec Endpoint Protection 12.1.4.1a is now available

Article:AL1555 | Created: 2014-04-17 | Updated: 2014-04-17 | Article URL http://www.symantec.com/docs/AL1555

Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1A (12.1 RU4 MP1a) English has been posted to FlexNet!

https://www-secure.symantec.com/connect/blogs/symantec-endpoint-protection-121-release-update-4-maintenance-patch-1a-121-ru4-mp1a-english-ha

SameerU's picture

Hi,

Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1a (12.1.4104.4130 - 12.1 RU4 MP1a) English has been released and is now available for customers to download on FlexNet. This new SEPM release addresses the OpenSSL “Heart Bleed” vulnerability. Additional language versions will become available throughout the week.

An additional note: the Tech article has been updated with directions to download the maintenance patch:
http://www.symantec.com/business/support/index?pag...

Please continue to check the product matrix and each product Tech note for up to the date information on other products.
http://www.symantec.com/outbreak/?id=heartbleed

Regards