
SYM12-017 - Symantec Legacy Decomposer CAB File Issues – 10/07/2012

Created: 08 Nov 2012 | 35 comments

Hi,

I just got the email advising of the CAB file issue.  How serious is this and what can be done?  Upgrading to SEP12.1 is not an option at present.

 

Thanks


Mick2009:

Hi Por997,

Here's the full advisory:

Security Advisories Relating to Symantec Products - Symantec Legacy Decomposer CAB File Issues
SYM12-017

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20121107_00

 

Anyone running SEP 12.1 has nothing to worry about.  Symantec recommends all customers migrate to the latest version of affected products to address threats of this nature.

Also: Symantec is not aware of any customers affected by this issue or any malicious attempts to exploit this issue.  There's currently no malware in the wild which exploits the vulnerability.

 

Cutting and pasting, for convenience:

Mitigations

Disable CAB file scanning

As a workaround, users may disable CAB file scanning until a more permanent fix is available or user has moved to the current SEP 12.1 release.

Note: This will only disable the decomposer engine from scanning inside a compressed CAB file during a manual scan. Once the CAB file is extracted, AutoProtect or a manual scan would detect the files and remediate any threats detected.

To disable CAB scanning:

1. In Windows Explorer, open the Symantec Endpoint Protection installation folder. The location of this folder varies by product and operating system.
2. Make a backup copy of the file Dec3.cfg, e.g., Dec3_backup.cfg.
3. In an ASCII text editor such as Notepad, open the file Dec3.cfg.
4. The fifth line of the file contains a number that corresponds to the number of .dll files listed below it. Verify that this is the case.
5. Reduce the number in the fifth line by 1.
6. Find the following line:
   Dec2CAB.dll
7. Remove the Dec2CAB.dll line and the line that immediately follows.
8. Close and save the Dec3.cfg file.
9. Restart the Symantec Endpoint Protection service.

Best Practices
As part of normal best practices, Symantec strongly recommends:

• Restrict access to administration or management systems to privileged users.
• Restrict remote access, if required, to trusted/authorized systems only.
• Run under the principle of least privilege where possible to limit the impact of exploit by threats.
• Keep all operating systems and applications updated with the latest vendor patches.
• Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

 

Hope this helps!

With thanks and best regards,

Mick
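The "Disable CAB file scanning" steps quoted above, scripted for deployment to many clients. This is an added example, not the advisory's or Symantec's own script: it refuses to edit unless the line-5 module count matches the .dll entries below it, removes the Dec2CAB.dll line plus the line after it, decrements the count and writes the file back. The default install path and the service display name used for the restart are assumptions.

```powershell
param(
    # Assumed default; the advisory says the folder varies by product and OS.
    [string]$InstallDir = 'C:\Program Files\Symantec\Symantec Endpoint Protection',
    [switch]$RestartService
)

$cfgPath = Join-Path $InstallDir 'Dec3.cfg'
if (-not (Test-Path $cfgPath)) { throw "Dec3.cfg not found under $InstallDir" }

# Step 2: back up the file before touching it.
Copy-Item $cfgPath (Join-Path $InstallDir 'Dec3_backup.cfg') -Force

$lines = @(Get-Content $cfgPath)
if ($lines.Count -lt 7) { throw 'Dec3.cfg is shorter than expected; refusing to edit' }

# Step 4: line 5 (index 4) must equal the number of .dll entries listed below it.
$count = 0
if (-not [int]::TryParse($lines[4].Trim(), [ref]$count)) {
    throw 'Line 5 of Dec3.cfg is not a number; refusing to edit'
}
$dllLines = @($lines[5..($lines.Count - 1)] | Where-Object { $_ -match '\.dll\s*$' })
if ($dllLines.Count -ne $count) {
    throw "Line 5 says $count modules but $($dllLines.Count) .dll lines follow; refusing to edit"
}

# Steps 6-7: find Dec2CAB.dll and drop it together with the line after it.
$idx = -1
for ($i = 5; $i -lt $lines.Count; $i++) {
    if ($lines[$i].Trim() -eq 'Dec2CAB.dll') { $idx = $i; break }
}
if ($idx -lt 0) { Write-Host 'Dec2CAB.dll not listed; CAB scanning is already disabled'; return }
if ($idx + 1 -ge $lines.Count) { throw 'No line follows Dec2CAB.dll; file layout unexpected' }
$keep = @($lines[0..($idx - 1)])
if ($idx + 2 -lt $lines.Count) { $keep += $lines[($idx + 2)..($lines.Count - 1)] }

# Step 5: the module count must now reflect the entry just removed.
$keep[4] = ($count - 1).ToString()

# Step 8: write the file back as plain ASCII, the format the advisory describes.
Set-Content -Path $cfgPath -Value $keep -Encoding Ascii

# Step 9: restart the client service (display name assumed) so the change takes effect.
if ($RestartService) {
    Get-Service -DisplayName 'Symantec Endpoint Protection' | Restart-Service -Force
}
```

Run it once against a test client and compare Dec3.cfg with Dec3_backup.cfg before pushing it out; the script stops without writing if the count check fails or Dec2CAB.dll is already gone.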

Mithun Sanghavi:

Hello,

A BIG thumbs up for the above comment.

Here is another thread with a similar issue:

https://www-secure.symantec.com/connect/forums/sep-11-critical-vulnerability-cve-2012-4953

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Mathew Ellison:

Can someone explain:

NOTE: Only the currently supported products still on the older decomposer engine in this table are impacted by this issue. NONE of our other currently supported products are affected.

Does this mean we could have SEP11 but with the current decomposer engine?

We have SEP11 RU6 deployed with a Decomposer agent version 1.2.5.130, is this an "older decomposer engine"?

 

Mithun Sanghavi:

Hello,

The official Symantec Security Advisory for the SEP Decomposer CAB File Issue (CERT VU#985625) has been updated and is now live at the link below.

http://www.symantec.com/security_response/security...

Highlights of the changes in this update:

  • Clarification details on scripting the “Disable CAB file scanning” mitigation option
  • Additional mitigation option of “Disabling archive file scanning” via Antivirus policy from the SEP Manager with instructions
  • Addition of links to important KB articles

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

grumbleweed:

Hi

My SEP11 estate is also not likely to be upgraded to SEP 12.1 anytime soon, so I need to understand the options.  Two questions:

1. Can I disable scanning of .cab files on all my clients by simply adding an exclusion for *.cab in the appropriate policy on the SEPM?

2. With that exclusion in place, presumably the files inside a .cab file get scanned by autoprotect when they are written to disk, thereby mitigating some of the risk?

One more thing - on this article -

http://www.securitytracker.com/id/1027726

there is a statement that says "The vendor was notified on April 8, 2011"

Taken at face value that suggests Symantec have been aware of this issue for over a year.  Is that correct?

Mick2009:

1. Can I disable scanning of .cab files on all my clients by simply adding an exclusion for *.cab in the appropriate policy on the SEPM?

Here's the official KB on how to do this:

How to disable scanning of compressed files within Symantec Endpoint Protection http://www.symantec.com/docs/TECH199543

With thanks and best regards,

Mick

grumbleweed:

Mick

Thanks for the reply.

The article describes how to disable scanning of all compressed files, not just .cab files.  It also does not describe how to disable the scan in File System Auto Protect. Why is that?

ScottSEP:

Hello -

I wanted to address the question regarding "the vendor was notified on April 8, 2011" from grumbleweed.

The original notification from US-CERT came in April 2011. Symantec spent time gathering as many details as possible so that we could understand the issue and test our current releases of Symantec Endpoint Protection to see if they were vulnerable. Once we established that our current releases were not affected by this issue, we turned our attention to our legacy components. Updating the legacy components takes time, and we have to consider supportability factors such as older operating systems, while at the same time being cognizant to not introduce new issues and/or risks. We are working on a plan to address this issue in the next Symantec Endpoint Protection 11 release update.

Thank you for your continued patience.

Scott Sawoya

SEP Product Management Team

Topa 101:

80/20 rule - Mitigation for SYM12-017

Build in SEPM's IPS, Custom Policy Template

rule tcp, dest=(80,443), tcp_flag&ack, saddr=$LOCALHOST, msg="CAB File detected in download Stream", regexpcontent="[Gg][Ee][Tt] .*.[Cc][Aa][Bb] .*\x0d\x0a"

I know this is basic stuff for the most part.

But it works, and it may help some company maintain their current security posture in light of the SYM12-017 vulnerability. Also, you can make it only apply to explicit applications and/or ports, even protocols, like iexplore.exe, explorer.exe, outlook.exe, Firefox.exe, ntoskrnl.exe, svchost.exe etc.

Gregory A Anderson

Symantec Certified specialist - SEP v11.x - v12.1.x

Symantec DLP 12.x Boot Camp survivor
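The regexpcontent pattern from the IPS rule above, run over constructed HTTP request lines as an added check (not part of Topa 101's post) so that a hit, a miss and a false positive are visible before the rule is deployed. The sample requests are made up for the check.

```powershell
# regexpcontent pattern copied from the IPS rule in the post above
$pattern = '[Gg][Ee][Tt] .*.[Cc][Aa][Bb] .*\x0d\x0a'

# Constructed request lines for the check (not captured traffic).
$samples = @(
    "GET /updates/package.cab HTTP/1.1`r`n",    # plain .cab download: expected hit
    "GET /Setup.CAB HTTP/1.0`r`n",               # upper-case extension: expected hit
    "GET /files/package.cab?id=7 HTTP/1.1`r`n",  # query string after .cab: missed (no space after 'cab')
    "GET /skin/scab HTTP/1.1`r`n",               # not a CAB: false positive (unescaped '.' matches 's')
    "POST /upload HTTP/1.1`r`n"                   # not a GET: no hit
)

function Test-CabRule([string]$request) {
    return [regex]::IsMatch($request, $pattern)
}

# Note: on dest port 443 the payload is TLS-encrypted, so content matching only
# has an effect on plaintext HTTP (port 80) unless traffic is decrypted first.
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-CabRule $s), $s.TrimEnd()
}
```

The third and fourth samples show where the pattern needs tightening (for example `\.[Cc][Aa][Bb](\?| )`) if it is to catch query-string downloads without flagging unrelated paths.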

 

.Brian:

Thanks for posting this

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Voltron:

Hello:

I just discovered this notice and am quite concerned, as I, too, cannot update my clients to 12.1, at this time, due to the hardware requirement changes.  I saw the release details of 11.0 RU7 MP3 at this link:

http://www.symantec.com/business/support/index?page=releasedetails&key=54619

My question is when can everyone get access to this maintenance pack and will this maintenance pack contain the patch/fix for this troubling vulnerability?  I do not wish to wait much longer, as the maintenance pack appears to have been released.  If my clients have to wait much longer, we will be forced to go with another solution provider, other than Symantec, which I would rather not do.

Thank you for your quick attention to this troubling issue; your clients are quite concerned over this vulnerability.

ScottSEP:

Hello Voltron -

SEP 11.0 RU7 MP3 has been released and is now available for download via FileConnect. This release does not contain an updated decomposer engine and is still susceptible to the vulnerability. We have a Knowledgebase article that provides details around available mitigation options. The KB article is available here: SYM12-017 Symantec Legacy Decomposer CAB File Issues KB article.  Symantec is pursuing development and deployment of the updated library via a new software update for Symantec Endpoint Protection 11. We will provide updates as soon as possible. 

Thank you for your continued patience on this issue.

Scott Sawoya

SEP Product Management Team

Danger_Mouse:

Thanks for the update Scott. Any idea on when the patch will be available for SEP 11.x clients? I appreciate you will have to go through various rounds of testing etc. but do you have a ballpark e.g. days, weeks, months?

ScottSEP:

We have released a Fix Tool for this issue that automates replacement of the decomposer engine for Symantec Endpoint Protection 11 RU5 to RU7 MP3.

The tool will update each RU5 to RU7 MP3 client to Decomposer version 1.2.8 and will need to be run on each client system. The SYM12-017 Symantec Legacy Decomposer CAB File Issues KB article has been updated with detailed instructions on the use of this tool. The tool can also be downloaded directly from the KB article, here: http://www.symantec.com/business/support/index?pag...

Thank you for your continued patience on this issue.

Scott Sawoya

SEP Product Management

iamadmin:

Hi Scott,

It's not clear to me... is there any instance where the customer will see that the utility is being executed and/or that the machine will reboot or prompt for a reboot?

I'd like to deploy this via SCCM today but I can't have ANY prompts or reboots, our customers will freak out and the helpdesk will get buried and hunt me down.

Thanks,

-Mike

ScottSEP:

Hi Mike -

We certainly don't want end users hunting you down. :)

The tool is designed to run completely silent - no notification/prompts to the end user. You can enable logging using the /l switch after the executable if desired to see if a reboot is required, etc. All the logging outputs are detailed in the KB article.

Scott Sawoya

SEP Product Management Team

Hurricane Andrew:

I can speak from experience. I just scripted the Fix Tool to run on all of our 450+ clients, including approx. 70 servers (after testing, of course). It could not have gone more smoothly. Not a single hiccup throughout the deployment.

"Hurricane" Andrew

Felton, Delaware

iamadmin:

Thanks to you both, I've regained the warm fuzzy feeling I was looking for.

Voltron:

Hello, ScottSEP:

Thank you and thanks to Symantec, for your quick attention to this issue.  I have downloaded the Fix Tool and have started applying it to my clients.  I did notice the readme indicated that one could see a "return," indicating the patch had been applied.  So far, I have not received any return notice; yet, the files in question, dec_abi.dll and dec3.cfg appear to have been modified/patched, as dec_abi.dll now indicates a file version of 1.2.8.4 and dec3.cfg's modification date has changed from 7/15/2009 to 11/16/2012.  After the patch has been applied and the machines restarted, the SEP client appears to be functioning, normally; so, I assume that things are all good.  If this does not sound correct, please, let me know.  Otherwise, thanks to all, once again!

ScottSEP:

Hello Voltron -

Thank you for the kind words.

Regarding your question: The Fix Tool runs silently by default. If you want, you can use the /l option when you run the tool, and the tool will create a logfile called SYM12_017_Fixtool.log in the user temp variable (%temp%) folder. You can reference the log file quickly to see if the files have been replaced or not. The output codes are listed in the KB article.

Best regards,

Scott Sawoya

SEP Product Management

Voltron:

Hello, ScottSEP:

Thank you for your quick response, once again.  I apologize for my confusion, as I had read about the /l switch, but, did not realize I had to use that, to see the “return message.”  Now, everything makes sense.  Again, thank you.

Hurricane Andrew:

I have a question regarding the use of the Fix Tool and subsequent upgrades with respect to SEP 11. If the tool is run on, say, an RU7 MP1 client that is subsequently upgraded to the current MP3, will the decomposer engine revert to the older decomposer engine and leave my clients vulnerable again?

"Hurricane" Andrew

Felton, Delaware

ScottSEP:

Hello Hurricane Andrew-

The newer decomposer files will persist during an upgrade. The MSI installer will not replace the files since it will detect that the files are newer versions than what's included with MP3.

Thank you

Scott Sawoya

SEP Product Management Team

Mick2009:

Hi Joachim,

Given past schedules as an indication, it is safe to expect the next SEP 11 release sometime in 2013.  Don't wait for that full build to remedy this issue: definitely run the fixtool or upgrade to SEP 12.1. 

With thanks and best regards,

Mick

Mick2009:

Just adding new information that may be of interest:

About the LiveUpdate patch for Symantec Advisory SYM-12-017
Article: TECH200168 | Created: 2012-11-27 | Updated: 2012-11-28
Article URL: http://www.symantec.com/docs/TECH200168
 

With thanks and best regards,

Mick

Hurricane Andrew:

And kudos to Symantec for releasing this fix through LiveUpdate!

"Hurricane" Andrew

Felton, Delaware

ScottSEP:

Thank you everyone for your patience with this issue. I am happy to announce that the fix will be available via LiveUpdate later today PST.

Best regards,

Scott Sawoya

SEP Product Management Team

Danger_Mouse:

Thanks Scott - within SEPM we can view an individual client, view details and see the decomposer version. If we do a log report and choose to export we don't see that field in the exported CSV file. Is there any way from the SEP Manager to run a report that will show the client decomposer version, or a filter that will show the ones that have not updated?

Voltron:

Thank you, Symantec, for adding this information to this thread and for publishing the update, via LiveUpdate.  I started updating clients, via LiveUpdate, and they are receiving this update.  Plus, I have read the TECH200168 article and it describes the update, well.  However, in looking at my twice-updated clients (once via the Symantec FixTool and now, via LiveUpdate), I noticed that the LiveUpdate patch backed up my Dec3.cfg file and replaced the previously-updated file, dated 11/16/2012, with, what appears to be the original file date of 7/15/2009.  The TECH200168 article mentions this will happen, if I understand it correctly, if the file had been previously edited, as mine was changed (edited?), via the Symantec FixTool.  However, I would assume that the newly-created Dec3.cfg file would be given a newer file date and not revert back to the original date, possibly giving customers the impression that their previous fixes were reversed.  Is this Symantec's expected behavior and with Dec3.cfg's file date moving backward to the original date of 7/15/2009, are my clients still protected, if their dec.abi file has been patched, via LiveUpdate, with file version 1.2.8.8?

Thank you for the clarification; I appreciate everyone's efforts.

Danger_Mouse:

To give you a quick idea of how many clients are affected on your estate, within SEPM you can choose Quick reports - report type Computer status, Sub type Protection Content Versions - set whatever advanced filter options you want and run the report. The first section of the report gives you the decomposer versions in use and the number / % of computers using each version. Might be useful to someone.