Endpoint Protection

"...Symantec's Endpoint Protection product has three zero-day flaws that could allow a logged-in user to move to a higher access level on a computer, according to a penetration testing and training company...."

http://www.computerworld.com/s/article/9250047/Zero_day_flaws_found_in_Symantec_s_Endpoint_Protection?taxonomyId=17

Is this being addressed? How? Is there anything we (customers) can do to mitigate these risks? Is the issue(s) in only certain versions of the product (ex: 11.x versus 12.1)?

Symantec is investigating per the article. From past experience, they should address this fairly quickly and have a workaround in place until a code fix is implemented.

Scary stuff.

Hi GadJeff,

I can confirm that Symantec is aware of the report and is investigating the issue.  When there is additional information to communicate, I will make it a point to update this thread.

Many thanks,

Mick

I hope Symantec is able to fix this through a Liveupdate fix like they did with the SEPM New years bug of 2010 that was fixed in a matter of days without the need of any local action. Most likely when Offensive Security release the sourcecode Symantec will block the exploit code with signatures as well.

I am interested in finding out what versions are affected and what the solution will be. I hope this is solved through liveupdate.

+1 for those hoping and praying for a fix delivered via LiveUpdate...not sure we'll see it though,

My gut tells me that won't be the case, and that the unthinkable of re-deploying new SEP Agents will be required. This is really the last thing a Managed Services provider wants to hear, especially as we're about 95% done in our current deployment to ALL our customers, but fingers crossed a LiveUpdate option will be possible.

If not, there's going to be a lot of unhappy people around here.

Here's the KB article guys:
http://www.symantec.com/docs/TECH223338

It affects all SEP 11 and 12.1 Agents, and only the "Application and Device Control" component.
Don't use App Control? Well, then you shouldn't be affected it seems.

Original claim is from here:
http://www.offensive-security.com/vulndev/symantec-endpoint-protection-0day/

Hello all,

Symantec's official article on the subject is now available.  An extract:

Offensive Security reports of Symantec Endpoint Protection zero-day vulnerability (July 2014)
http://www.symantec.com/docs/TECH223338

...

No known compromise has been reported. The vulnerability is considered medium severity, and is being handled by Symantec with the utmost urgency and care.

The issue, as reported, affects the Application and Device Control component of Symantec Endpoint Protection. This vulnerability is not accessible remotely and only affects SEP clients actually running Application and Device Control. If the vulnerability is exploited by accessing the machine directly, it could result in a client crash, denial of service, or, if successful, escalate to admin privileges and gain control of the system.

This vulnerability affects all versions of Symantec Endpoint Protection clients 11.x and 12.x running Application and Device Control.

The Symantec Endpoint Protection Manager, Symantec Endpoint Protection SBE, SEP.cloud and Symantec Network Access Control are not affected.

....

A workaround is available now- I will post another update when additional information or a solution is available.

Many thanks,

Mick  
 

Mick,

From what we, and our local Symantec BCS support contacts, can determine there is no manner in which to identify via the SEPM or its back-end DB, if a SEP Agent has the "Application & Device Control" components installed on it.

We have gone as far as checking the DBM schema, and the closet thing we can find is the following:

SEM_AGENT PTP_ONOFF tinyint 1   ((127)) Enabled state of Proactive threat protection is
0 = off
1 = on
2 = not installed
3 = off by admin policy
127 = unknown.
Default is 127

However, "SONAR" and "Application & Device Control" together make up "Proactive Threat Protection".
We have systems that only have "SONAR" deployed. We can verify if SONAR is installed by checking the following in the DB schema:

SEM_AGENT BASH_STATUS tinyint 1   ((0)) SONAR status:
0 = off
1= on
2 = not installed
3 = off by policy
4 = malfunction
It was meant to be for more granular op-state, but currently, it is the same as PTP_ONOFF.

However there is no granular such value specifically for the "Application & Device Control" portion of PTP. This appears to be a massive failing in the design of the SEPM back-end.

Any suggestions? Or do we have no choice but to ask our Desktop and Server support admins to run "sc query sysplant" across every single endpoint device?
 

P.S. Before anyone asks the question, "how could we not know what features we deploy in our SEP agents", we are a Managed Services provider, and frequently acquire new customers, where we inherit exisitng SEP environments, where such information was never recorded by the customer or their previous vendor, and therefore not provided to us during transition.

Hi,

Is there any way, we can identify compromised machine from this zero day flaw.

Also, Is it possible for SEPM console to do so?

If the ADC component is installed but no policy has ever been applied, will it enable the sysplant driver?

Hi Everyone,

So, looking at our SEPM we have the default application/device control policy enabled from the installation. It looks to block the autorun.inf file. I'm assuming, we are in the camp of the work around. Correct? How do we know for sure that our clients are using application device control?

Thanks in advance.

Mike

Run from the command prompt, sc query sysplant

This is an important question . Could we get an answer from Symantec , please ?

Ah, good call. The driver is totally running.

Even with no policy applied (nor has it ever been) the driver is still running....

SEPM -> Monitors -> Logs -> Log type: Application and Device Control -> Advanced Settings -> Event Type: Application Control Driver -> View Log..
 

This works, but, only if a policy is applied.

If no policy is applied (even though ADC is installed and sysplant running), it comes up empty.

I've just run the command...

sc query sysplant
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

I'm assuming it means I don't have it running then?

This means the SEP Agent on your machine is not using the driver that "Application & Device Control" requires.

Many may have missed my lengthy post above, that details that the SEPM's DB is far from adequate for identifying which, if any, of your SEP Agents have the ADC component installed and being loaded during system boot time, which is crucial inorder to identify how exposed you are to this 0-day vulnerability.

We've been consulting with our Symantec BCS Engineer, and they have confirmed this lack of functionality, which is very disappointing.

That said, our next idea was to see if there is an event generated when ADC is loaded when the SEP Agent's services start. Thankfully, they've managed to find that there is.

Here is a query you can run on your SEPM DB (both SQL Server or Internal Sygate DB users) that will return a list of all your endpoints that are loading the ADC (sysplant) driver when the SEP Agent starts.

select distinct EVENT_ID, EVENT_TIME, HARDWARE_KEY, HOST_NAME, DESCRIPTION, CALLER_PROCESS_NAME, CALLER_RETURN_MODULE_NAME from V_AGENT_BEHAVIOR_LOG where event_id in ('501', '502')

From here you can then choose what you want to do of the two options Symantec have suggested. Their first option disables the drivers from loading, the other is to uninstall the ADC component of SEP completely.
Either option requires a reboot, and therefore creates a massive impact for those who have thousands of affected endpoints across their customers, particularly those with mobile users (laptops etc)

Hi,

Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1b (RU4 MP1b) is available currently in English on Symantec FileConnect. Please see Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control for additional instruction on downloading this release.  All supported languages will be released to FileConnect as soon as they are available. This Knowledge Base article will be updated as further information becomes available.  Please subscribe to TECH22338 to receive update notifications automatically.

This version updates the Symantec Endpoint Protection clients to 12.1.4112.4156 to address this issue. There are no updates to the Symantec Endpoint Protection Manager included with this release. This Symantec Endpoint Protection client update is a complete release and accepts migrations from any previous release of the Symantec Endpoint Protection 11.0 and 12.1 product line.

Symantec Endpoint Protection 12.1 for Small Business is not affected, so there are no updates for this issue.

Following article is now updated with the shared info: 

Offensive Security reports of Symantec Endpoint Protection zero-day vulnerability (July 2014)

http://www.symantec.com/docs/TECH223338 

How could the clients be only patched against the ADC vuln, instead of deploying the whole installation package?

You need to deploy the whole package (patch). It's a full upgrade.

Hi guys.

Is this patch available in Altiris.

OR

Can you please provide me the installer file for the same.

Does this patch/version fix the SMB2 share issue affecting Windows 2008 servers like this other forum posting refers to? 
https://www-secure.symantec.com/connect/forums/network-shares-stop-responding-randomly-windows-server-2008-r2 

Are there any other patches/fixes included in this release as well?

It fixes the 0-day only.

Hi,

The link you shared is not working. But I think this fix is limited to ADC vulnerability only

No other patches/fixes included in this release.

This explains things a little further and a signature has been createdhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140804_00

Link:

https://www-secure.symantec.com/connect/forums/network-shares-stop-responding-randomly-windows-server-2008-r2

This issue is not addressed in this patch

@Brian - thanks.

That is Symantec way to bring everyone on the latest and greatest version :). To patch it in a relatively short time by upgrading to a full version, which requires restarts and  some good time testing it's not breaking anything, is a challenge itself.  

The block signatures help since it's buying us time with the upgrades. Has anyone seen a block of the actual exploit code?

Does this signature mean that we no longer need to update our SEPM servers and all of our clients?

What signature/block is being referred to here?

It says here Symantec released/updated Bloodhound.Exploit.554 to include a detection and block on this exploit. Anyone has more info on the actual effectiveness?

Symantec Security Response has released Bloodhound.Exploit.554 for this type of issue. This detection is available through normal Symantec security updates.

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140804_00

exploit code has been released: http://www.exploit-db.com/exploits/34272/

Steven,

I tried you query on the my SQL Server and it worked. I am not to familar with SQL statements though. Is there a way to add a time filter to the query. Lets say  applying you query  between the hours of 8/08/14 10 PM and 8/11/14 10AM?