
"Zero-day flaws found in Symantec's Endpoint Protection" - ComputerWorld Article: 7/30/14 @ 6:29am ET

Created: 30 Jul 2014 • Updated: 07 Aug 2014 | 40 comments

"...Symantec's Endpoint Protection product has three zero-day flaws that could allow a logged-in user to move to a higher access level on a computer, according to a penetration testing and training company...."

http://www.computerworld.com/s/article/9250047/Zero_day_flaws_found_in_Symantec_s_Endpoint_Protection?taxonomyId=17

Is this being addressed? How? Is there anything we (customers) can do to mitigate these risks? Are the issues present in only certain versions of the product (e.g. 11.x versus 12.1)?


.Brian's picture

Symantec is investigating per the article. From past experience, they should address this fairly quickly and have a workaround in place until a code fix is implemented.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mick2009's picture

Hi GadJeff,

I can confirm that Symantec is aware of the report and is investigating the issue.  When there is additional information to communicate, I will make it a point to update this thread.

Many thanks,

Mick

With thanks and best regards,

Mick

Mick2009's picture

Hello all,

Symantec's official article on the subject is now available.  An extract:

Offensive Security reports of Symantec Endpoint Protection zero-day vulnerability (July 2014)
http://www.symantec.com/docs/TECH223338

...

No known compromise has been reported. The vulnerability is considered medium severity, and is being handled by Symantec with the utmost urgency and care.

The issue, as reported, affects the Application and Device Control component of Symantec Endpoint Protection. This vulnerability is not accessible remotely and only affects SEP clients actually running Application and Device Control. If the vulnerability is exploited by accessing the machine directly, it could result in a client crash, denial of service, or, if successful, escalate to admin privileges and gain control of the system.

This vulnerability affects all versions of Symantec Endpoint Protection clients 11.x and 12.x running Application and Device Control.

The Symantec Endpoint Protection Manager, Symantec Endpoint Protection SBE, SEP.cloud and Symantec Network Access Control are not affected.

....

A workaround is available now. I will post another update when additional information or a solution is available.

Many thanks,

Mick

Steven Kintakas's picture

Mick,

From what we, and our local Symantec BCS support contacts, can determine, there is no way to identify via the SEPM or its back-end DB whether a SEP Agent has the "Application & Device Control" component installed on it.

We have gone as far as checking the DB schema, and the closest thing we can find is the following:

SEM_AGENT PTP_ONOFF tinyint 1   ((127)) Enabled state of Proactive threat protection is
0 = off
1 = on
2 = not installed
3 = off by admin policy
127 = unknown.
Default is 127

However, "SONAR" and "Application & Device Control" together make up "Proactive Threat Protection".
We have systems that only have "SONAR" deployed. We can verify if SONAR is installed by checking the following in the DB schema:

SEM_AGENT BASH_STATUS tinyint 1   ((0)) SONAR status:
0 = off
1 = on
2 = not installed
3 = off by policy
4 = malfunction
It was meant to be for more granular op-state, but currently, it is the same as PTP_ONOFF.

However, there is no such granular value specifically for the "Application & Device Control" portion of PTP. This appears to be a massive failing in the design of the SEPM back-end.

Any suggestions? Or do we have no choice but to ask our Desktop and Server support admins to run "sc query sysplant" across every single endpoint device?

P.S. Before anyone asks the question, "how could we not know what features we deploy in our SEP agents", we are a Managed Services provider, and frequently acquire new customers where we inherit existing SEP environments, where such information was never recorded by the customer or their previous vendor, and therefore was not provided to us during transition.

“When it comes to enterprise software…you need to work within the product’s ‘strengths’.”

TORB's picture

I hope Symantec is able to fix this through a LiveUpdate fix like they did with the SEPM New Year's bug of 2010, which was fixed in a matter of days without the need for any local action. Most likely, when Offensive Security releases the source code, Symantec will block the exploit code with signatures as well.

Byrong_777's picture

I am interested in finding out what versions are affected and what the solution will be. I hope this is solved through liveupdate.

Steven Kintakas's picture

+1 for those hoping and praying for a fix delivered via LiveUpdate... not sure we'll see it though.

My gut tells me that won't be the case, and that the unthinkable of re-deploying new SEP Agents will be required. This is really the last thing a Managed Services provider wants to hear, especially as we're about 95% done in our current deployment to ALL our customers, but fingers crossed a LiveUpdate option will be possible.

If not, there's going to be a lot of unhappy people around here.

Steven Kintakas's picture

Here's the KB article guys:
http://www.symantec.com/docs/TECH223338

It affects all SEP 11 and 12.1 Agents, and only the "Application and Device Control" component.
Don't use App Control? Well, then you shouldn't be affected it seems.

Original claim is from here:
http://www.offensive-security.com/vulndev/symantec...

KK_4984's picture

Hi,

Is there any way we can identify a machine compromised through this zero-day flaw?

Also, is it possible for the SEPM console to do so?

.Brian's picture

If the ADC component is installed but no policy has ever been applied, will it enable the sysplant driver?

postechgeek's picture

Hi Everyone,

So, looking at our SEPM, we have the default application/device control policy enabled from the installation. It looks to block the autorun.inf file. I'm assuming we are in the camp of the workaround. Correct? How do we know for sure that our clients are using Application and Device Control?

Thanks in advance.

Mike

iasen's picture

SEPM -> Monitors -> Logs -> Log type: Application and Device Control -> Advanced Settings -> Event Type: Application Control Driver -> View Log..

.Brian's picture

This works, but, only if a policy is applied.

If no policy is applied (even though ADC is installed and sysplant running), it comes up empty.

.Brian's picture

Even with no policy applied (nor has it ever been) the driver is still running....

Tony Sutton's picture

I've just run the command...

sc query sysplant
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

I'm assuming it means I don't have it running then?

Steven Kintakas's picture

This means the SEP Agent on your machine is not using the driver that "Application & Device Control" requires.

Many may have missed my lengthy post above, which details that the SEPM's DB is far from adequate for identifying which, if any, of your SEP Agents have the ADC component installed and loaded during system boot time, which is crucial in order to identify how exposed you are to this 0-day vulnerability.

We've been consulting with our Symantec BCS Engineer, and they have confirmed this lack of functionality, which is very disappointing.

That said, our next idea was to see if there is an event generated when ADC is loaded as the SEP Agent's services start. Thankfully, they've managed to find that there is.

Here is a query you can run on your SEPM DB (for both SQL Server and internal Sygate DB users) that will return a list of all your endpoints that are loading the ADC (sysplant) driver when the SEP Agent starts.

select distinct EVENT_ID, EVENT_TIME, HARDWARE_KEY, HOST_NAME, DESCRIPTION, CALLER_PROCESS_NAME, CALLER_RETURN_MODULE_NAME from V_AGENT_BEHAVIOR_LOG where event_id in ('501', '502')

From here you can then choose which of the two options Symantec has suggested you want to take. Their first option disables the driver from loading; the other is to uninstall the ADC component of SEP completely.
Either option requires a reboot, and therefore creates a massive impact for those who have thousands of affected endpoints across their customers, particularly those with mobile users (laptops etc.).

Chetan Savade's picture

Hi,

Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1b (RU4 MP1b) is currently available in English on Symantec FileConnect. Please see Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control for additional instruction on downloading this release. All supported languages will be released to FileConnect as soon as they are available. This Knowledge Base article will be updated as further information becomes available. Please subscribe to TECH223338 to receive update notifications automatically.

This version updates the Symantec Endpoint Protection clients to 12.1.4112.4156 to address this issue. There are no updates to the Symantec Endpoint Protection Manager included with this release. This Symantec Endpoint Protection client update is a complete release and accepts migrations from any previous release of the Symantec Endpoint Protection 11.0 and 12.1 product line.

Symantec Endpoint Protection 12.1 for Small Business is not affected, so there are no updates for this issue.

The following article is now updated with the shared info:

Offensive Security reports of Symantec Endpoint Protection zero-day vulnerability (July 2014)

http://www.symantec.com/docs/TECH223338

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

SOLUTION
Chetan Savade's picture

No other patches/fixes included in this release.

TORB's picture

@Mick2009 Have Symantec created AV signatures for the exploit code used? (If possible)

aa23's picture

How could the clients be patched only against the ADC vulnerability, instead of deploying the whole installation package?

.Brian's picture

You need to deploy the whole package (patch). It's a full upgrade.

Krunal Solanki's picture

Hi guys.

Is this patch available in Altiris?

OR

Can you please provide me the installer file for the same?

GadJeff's picture

Does this patch/version fix the SMB2 share issue affecting Windows 2008 servers like this other forum posting refers to? 
https://www-secure.symantec.com/connect/forums/net...

.Brian's picture

It fixes the 0-day only.

Chetan Savade's picture

Hi,

The link you shared is not working, but I think this fix is limited to the ADC vulnerability only.

.Brian's picture

This issue is not addressed in this patch

aa23's picture

@Brian - thanks.

That is the Symantec way to bring everyone onto the latest and greatest version :). Patching it in a relatively short time by upgrading to a full version, which requires restarts and some good time testing that it's not breaking anything, is a challenge in itself.

The block signatures help since it's buying us time with the upgrades. Has anyone seen a block of the actual exploit code?

ed16's picture

Does this signature mean that we no longer need to update our SEPM servers and all of our clients?

.Brian's picture

What signature/block is being referred to here?

aa23's picture

It says here Symantec released/updated Bloodhound.Exploit.554 to include a detection and block on this exploit. Does anyone have more info on the actual effectiveness?

Symantec Security Response has released Bloodhound.Exploit.554 for this type of issue. This detection is available through normal Symantec security updates.

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140804_00

.Brian's picture

Exploit code is released when OffSec presents at Black Hat tomorrow or Thursday. Could probably test then.

Rigo's picture

Steven,

I tried your query on my SQL Server and it worked. I am not too familiar with SQL statements, though. Is there a way to add a time filter to the query? Let's say applying your query between the hours of 8/08/14 10 PM and 8/11/14 10 AM?
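Steven's driver-load query with the time window Rigo asks about, as an added example that is not part of this thread or of Symantec's documentation. It assumes SQL Server; because the thread does not show the data type of EVENT_TIME, it gives one variant for a DATETIME column and one for the epoch-milliseconds (bigint) layout, and you should check the SEPM schema to pick the right one.

```sql
-- Added example (not from the thread): Steven's sysplant driver-load query
-- (event IDs 501/502 in V_AGENT_BEHAVIOR_LOG) restricted to a time window.
-- Window is the one asked for in the thread: 8/08/14 10 PM to 8/11/14 10 AM.
-- Half-open range (>= start, < end) so a later window starting at 10 AM
-- does not report the same boundary events twice.
DECLARE @win_start DATETIME = '2014-08-08 22:00:00';
DECLARE @win_end   DATETIME = '2014-08-11 10:00:00';

-- Variant 1 (assumption): EVENT_TIME is stored as a DATETIME column.
SELECT DISTINCT EVENT_ID, EVENT_TIME, HARDWARE_KEY, HOST_NAME, DESCRIPTION,
       CALLER_PROCESS_NAME, CALLER_RETURN_MODULE_NAME
FROM   V_AGENT_BEHAVIOR_LOG
WHERE  EVENT_ID IN ('501', '502')
  AND  EVENT_TIME >= @win_start
  AND  EVENT_TIME <  @win_end
ORDER  BY EVENT_TIME, HOST_NAME;

-- Variant 2 (assumption): EVENT_TIME is a bigint holding milliseconds since
-- 1970-01-01 UTC, as several SEPM tables do. CAST to BIGINT before the
-- multiplication, because seconds-since-epoch * 1000 overflows a 32-bit INT.
DECLARE @ms_start BIGINT = CAST(DATEDIFF(SECOND, '1970-01-01', @win_start) AS BIGINT) * 1000;
DECLARE @ms_end   BIGINT = CAST(DATEDIFF(SECOND, '1970-01-01', @win_end)   AS BIGINT) * 1000;

SELECT DISTINCT EVENT_ID,
       DATEADD(SECOND, CAST(EVENT_TIME / 1000 AS INT), '1970-01-01') AS EVENT_TIME_UTC,
       HARDWARE_KEY, HOST_NAME, DESCRIPTION,
       CALLER_PROCESS_NAME, CALLER_RETURN_MODULE_NAME
FROM   V_AGENT_BEHAVIOR_LOG
WHERE  EVENT_ID IN ('501', '502')
  AND  EVENT_TIME >= @ms_start
  AND  EVENT_TIME <  @ms_end
ORDER  BY EVENT_TIME_UTC, HOST_NAME;

-- Per-host summary for the same window (variant 1 layout): one row per
-- endpoint with how many driver-load events it logged and when the last was,
-- which is the list to reconcile against the workaround or client upgrade.
SELECT HOST_NAME, HARDWARE_KEY,
       COUNT(*)        AS LOAD_EVENTS,
       MAX(EVENT_TIME) AS LAST_LOAD
FROM   V_AGENT_BEHAVIOR_LOG
WHERE  EVENT_ID IN ('501', '502')
  AND  EVENT_TIME >= @win_start
  AND  EVENT_TIME <  @win_end
GROUP  BY HOST_NAME, HARDWARE_KEY
ORDER  BY LAST_LOAD DESC;
```

Run only the variant that matches your EVENT_TIME type; if the column is stored in the server's local time rather than UTC, adjust the window values accordingly.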