SYM12-017 - Symantec Legacy Decomposer CAB File Issues – 10/07/2012
Created: 08 Nov 2012 | 35 comments
Hi,
I just got the email advising of the CAB file issue. How serious is this and what can be done? Upgrading to SEP12.1 is not an option at present.
Thanks
Hi Por997,
Here's the full advisory:
Anyone running SEP 12.1 has nothing to worry about. Symantec recommends all customers migrate to the latest version of affected products to address threats of this nature.
Also: Symantec is not aware of any customers affected by this issue or any malicious attempts to exploit this issue. There's currently no malware in the wild which exploits the vulnerability.
Cutting and pasting, for convenience:
Hope this helps!
With thanks and best regards,
Mick
Hello,
A BIG Thumbs up for the above Comment.
Here is another Thread with similar Issue:
https://www-secure.symantec.com/connect/forums/sep-11-critical-vulnerability-cve-2012-4953
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Can someone explain:
NOTE: Only the currently supported products still on the older decomposer engine in this table are impacted by this issue. NONE of our other currently supported products are affected.
Does this mean we could have SEP11 but with the current decomposer engine?
We have SEP11 RU6 deployed with a Decomposer agent version 1.2.5.130. Is this an "older decomposer engine"?
Hello,
The official Symantec Security Advisory for the SEP Decomposer CAB File Issue (CERT VU#985625) has been updated and is now live at the link below.
http://www.symantec.com/security_response/security...
Highlights of the changes in this update:
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Hi
My SEP11 estate is also not likely to be upgraded to SEP 12.1 anytime soon, so I need to understand the options. Two questions:
1. Can I disable scanning of .cab files on all my clients by simply adding an exclusion for *.cab in the appropriate policy on the SEPM?
2. With that exclusion in place, presumably the files inside a .cab file get scanned by autoprotect when they are written to disk, thereby mitigating some of the risk?
One more thing - on this article -
http://www.securitytracker.com/id/1027726
there is a statement that says "The vendor was notified on April 8, 2011"
Taken at face value that suggests Symantec have been aware of this issue for over a year. Is that correct?
Here's the official KB on how to do this:
With thanks and best regards,
Mick
Mick
Thanks for the reply.
The article describes how to disable scanning of all compressed files, not just .cab files. It also does not describe how to disable the scan in File System Auto Protect. Why is that?
Hello -
I wanted to address the question regarding "the vendor was notified on April 8, 2011" from grumbleweed.
The original notification from US-CERT came in April 2011. Symantec spent time gathering as many details as possible so that we could understand the issue and test our current releases of Symantec Endpoint Protection to see if they were vulnerable. Once we established that our current releases were not affected by this issue, we turned our attention to our legacy components. Updating the legacy components takes time, and we have to consider supportability factors such as older operating systems, while at the same time being cognizant to not introduce new issues and/or risks. We are working on a plan to address this issue in the next Symantec Endpoint Protection 11 release update.
Thank you for your continued patience.
Scott Sawoya
SEP Product Management Team
80/20 rule - Mitigation for SYM12-017
Build it in SEPM's IPS, Custom Policy Template:
rule tcp, dest=(80,443), tcp_flag&ack, saddr=$LOCALHOST, msg="CAB File detected in download Stream", regexpcontent="[Gg][Ee][Tt] .*.[Cc][Aa][Bb] .*\x0d\x0a"
I know this is basic stuff for the most part.
But it works, and it may help some company maintain their current security posture in light of the SYM12-017 vuln. Also, you can make it apply only to explicit applications and/or ports, even protocols, like iexplore.exe, explorer.exe, outlook.exe, Firefox.exe, ntoskrnl.exe, svchost.exe etc.
Gregory Anderson
Symantec Certified specialist - SEP v11.x - v12.x
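To see what the regexpcontent in the rule above actually catches, here is an added test harness (not part of Gregory's post or of SEPM) that runs the posted regex over constructed HTTP request lines in Python; the stricter pattern at the end is an assumption written for this example and would need checking against SEPM's custom-signature regex syntax before being used as a rule.

```python
import re

# The regexpcontent body from the IPS rule posted above, compiled as a bytes pattern
# because the IPS inspects raw stream content.
POSTED_RE = re.compile(rb"[Gg][Ee][Tt] .*.[Cc][Aa][Bb] .*\x0d\x0a")

# Tighter variant (an assumption for this example, not a tested SEPM rule): the dot
# before "cab" is escaped so it only fires on a real ".cab" extension, a query string
# after the extension is tolerated, and the match is pinned to an HTTP request line,
# which removes the "scab"-style false positive among the samples below.
STRICT_RE = re.compile(
    rb"^[Gg][Ee][Tt] [^ \r\n]*\.[Cc][Aa][Bb](\?[^ \r\n]*)? HTTP/1\.[01]\r\n"
)

# Constructed sample request headers, labelled by the case each one exercises.
SAMPLES = {
    "plain cab":      b"GET /updates/patch.cab HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "upper-case ext": b"GET /UPDATES/PATCH.CAB HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "cab with query": b"GET /updates/patch.cab?v=3 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "not a cab":      b"GET /docs/scab HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "html page":      b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def fires(pattern: re.Pattern, payload: bytes) -> bool:
    """True if the signature would raise an IPS event on this stream content."""
    return pattern.search(payload) is not None


def evaluate(pattern: re.Pattern, samples: dict = SAMPLES) -> dict:
    """Map each sample name to whether the given pattern fires on it."""
    return {name: fires(pattern, payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for label, pattern in (("posted rule", POSTED_RE), ("strict variant", STRICT_RE)):
        print(label)
        for name, hit in evaluate(pattern).items():
            print(f"  {name:15s} -> {'ALERT' if hit else 'pass'}")
```

Running it shows the posted rule missing a .cab requested with a query string and firing on any path that merely ends in "cab", which is the kind of gap and false positive to tune out before relying on the rule as a mitigation.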
Thanks for posting this
SEP Knowledge Base
Endpoint SWAT
Hello:
I just discovered this notice and am quite concerned, as I, too, cannot update my clients to 12.1, at this time, due to the hardware requirement changes. I saw the release details of 11.0 RU7 MP3 at this link:
http://www.symantec.com/business/support/index?page=releasedetails&key=54619
My question is when can everyone get access to this maintenance pack and will this maintenance pack contain the patch/fix for this troubling vulnerability? I do not wish to wait much longer, as the maintenance pack appears to have been released. If my clients have to wait much longer, we will be forced to go with another solution provider, other than Symantec, which I would rather not do.
Thank you for your quick attention to this troubling issue; your clients are quite concerned over this vulnerability.
Hello Voltron -
SEP 11.0 RU7 MP3 has been released and is now available for download via FileConnect. This release does not contain an updated decomposer engine and is still susceptible to the vulnerability. We have a Knowledgebase article that provides details around available mitigation options. The KB article is available here: SYM12-017 Symantec Legacy Decomposer CAB File Issues KB article. Symantec is pursuing development and deployment of the updated library via a new software update for Symantec Endpoint Protection 11. We will provide updates as soon as possible.
Thank you for your continued patience on this issue.
Scott Sawoya
SEP Product Management Team
Thanks for your update Scott.
Thanks for the update Scott. Any idea on when the patch will be available for SEP 11.x clients? I appreciate you will have to go through various rounds of testing etc., but do you have a ballpark, e.g. days, weeks, months?
We have released a Fix Tool for this issue that automates replacement of the decomposer engine for Symantec Endpoint Protection 11 RU5 to RU7 MP3.
The tool will update each RU5 to RU7 MP3 client to Decomposer version 1.2.8 and will need to be run on each client system. The SYM12-017 Symantec Legacy Decomposer CAB File Issues KB article has been updated with detailed instructions on the use of this tool. The tool can also be downloaded directly from the KB article, here: http://www.symantec.com/business/support/index?pag...
Thank you for your continued patience on this issue.
Scott Sawoya
SEP Product Management
Hi Scott,
It's not clear to me... is there any instance where the customer will see that the utility is being executed and/or that the machine will reboot or prompt for a reboot?
I'd like to deploy this via SCCM today but I can't have ANY prompts or reboots; our customers will freak out and the helpdesk will get buried and hunt me down.
Thanks,
-Mike
Hi Mike -
We certainly don't want end users hunting you down. :)
The tool is designed to run completely silent - no notification/prompts to the end user. You can enable logging using the /l switch after the executable if desired to see if a reboot is required, etc. All the logging outputs are detailed in the KB article.
Scott Sawoya
SEP Product Management Team
I can speak from experience. I just scripted the Fix Tool to run on all of our 450+ clients, including approx. 70 servers (after testing of course). It could not have gone more smoothly. Not a single hiccup throughout the deployment.
"Hurricane" Andrew
Felton, Delaware
Thanks to you both, I've regained the warm fuzzy feeling I was looking for.
Hello, ScottSEP:
Thank you and thanks to Symantec, for your quick attention to this issue. I have downloaded the Fix Tool and have started applying it to my clients. I did notice the readme indicated that one could see a "return," indicating the patch had been applied. So far, I have not received any return notice; yet, the files in question, dec_abi.dll and dec3.cfg, appear to have been modified/patched, as dec_abi.dll now indicates a file version of 1.2.8.4 and dec3.cfg's modification date has changed from 7/15/2009 to 11/16/2012. After the patch has been applied and the machines restarted, the SEP client appears to be functioning normally, so I assume that things are all good. If this does not sound correct, please let me know. Otherwise, thanks to all, once again!
Hello Voltron -
Thank you for the kind words.
Regarding your question: The Fix Tool runs silently by default. If you want, you can use the /l option when you run the tool, and the tool will create a logfile called SYM12_017_Fixtool.log in the user temp variable (%temp%) folder. You can reference the log file quickly to see if the files have been replaced or not. The output codes are listed in the KB article.
Best regards,
Scott Sawoya
SEP Product Management
Hello, ScottSEP:
Thank you for your quick response, once again. I apologize for my confusion, as I had read about the /l switch but did not realize I had to use that to see the "return message." Now, everything makes sense. Again, thank you.
I have a question regarding the use of the Fix Tool and subsequent upgrades with respect to SEP 11. If the tool is run on, say, an RU7 MP1 client that is subsequently upgraded to the current MP3, will the decomposer engine revert to the older decomposer engine and leave my clients vulnerable again?
"Hurricane" Andrew
Felton, Delaware
Hello Hurricane Andrew-
The newer decomposer files will persist during an upgrade. The MSI installer will not replace the files since it will detect that the files are newer versions than what's included with MP3.
Thank you
Scott Sawoya
SEP Product Management Team
Thanks, Scott!
"Hurricane" Andrew
Felton, Delaware
Can we expect a SEP 11 RU7 MP4 soon?
Hi Joachim,
Given past schedules as an indication, it is safe to expect the next SEP 11 release sometime in 2013. Don't wait for that full build to remedy this issue: definitely run the fixtool or upgrade to SEP 12.1.
With thanks and best regards,
Mick
Just adding new information that may be of interest:
With thanks and best regards,
Mick
thumbs up for sharing above fix :-)
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
And kudos to Symantec for releasing this fix through LiveUpdate!
"Hurricane" Andrew
Felton, Delaware
Thank you everyone for your patience with this issue. I am happy to announce that the fix will be available via LiveUpdate later today PST.
Best regards,
Scott Sawoya
SEP Product Management Team
Thanks Scott - within SEPM we can view an individual client, view details and see the decomposer version. If we do a log report and choose to export we don't see that field in the exported CSV file. Is there anyway from the SEP Manager to run a report that will show the client decomposer version, or a filter that will show the ones that have not updated?
Followers of this thread may wish to cast a vote for or against the following proposed enhancement request:
With thanks and best regards,
Mick
Thank you, Symantec, for adding this information to this thread and for publishing the update via LiveUpdate. I started updating clients via LiveUpdate, and they are receiving this update. Plus, I have read the TECH200168 article and it describes the update well. However, in looking at my twice-updated clients (once via the Symantec FixTool and now via LiveUpdate), I noticed that the LiveUpdate patch backed up my Dec3.cfg file and replaced the previously-updated file, dated 11/16/2012, with what appears to be the original file date of 7/15/2009. The TECH200168 article mentions this will happen, if I understand it correctly, if the file had been previously edited, as mine was changed (edited?) via the Symantec FixTool. However, I would assume that the newly-created Dec3.cfg file would be given a newer file date and not revert back to the original date, possibly giving customers the impression that their previous fixes were reversed. Is this Symantec's expected behavior, and with Dec3.cfg's file date moving backward to the original date of 7/15/2009, are my clients still protected if their dec_abi.dll file has been patched, via LiveUpdate, with file version 1.2.8.8?
Thank you for the clarification; I appreciate everyone's efforts.
To give you a quick idea of how many clients are affected on your estate, within SEPM you can choose Quick Reports - report type Computer Status, sub type Protection Content Versions - set whatever advanced filter options you want and run the report. The first section of the report gives you the decomposer versions in use and the number / % of computers using each version. Might be useful to someone.