Symantec Endpoint Protection Application and Device Control Vulnerability Internal Symantec and Partners Topic Audience Date Customer Support SEP Zero-Day Vulnerability Symantec Sales & Partners July 29, 2014 Endpoint Protection Technical Support Kariann_sewell@symantec.com Sara_pan@symantec.com Product Marketing Symantec Endpoint Protection 0-day reported by Offensive Security On Tuesday, July 29th, Offensive Security published information Questions or Comments on their website, claiming that they have found several vulnerabilities, including a zero-day, within Symantec Endpoint Protection. According to Offensive Security, they have relayed some information to CERT, but will be making additional details and vulnerabilities known during their presentation at the Black Hat conference in Las Vegas next week. Their write-up is accompanied by a video demonstrating how this vulnerability can be exploited. No known compromise has been reported; the vulnerability is considered medium severity, and is being handled by Symantec with the utmost urgency and care. While Offensive Security did not use responsible disclosure procedures and contact Symantec prior to public announcement, Symantec’s Engineers have acknowledged the vulnerability and responded quickly. Action Required by Customer (using Application and Device Control) View the SEP ADC Zero-Day KB Article o Register for notifications as additional information is available Go to FileConnect o Install SEP 12.1 RU4 MP1b (available Aug 4) Follow mitigating measures for Application and Device Control Reactive Media Statement Symantec is aware of the reported Symantec Endpoint Protection (SEP) vulnerabilities and is currently investigating the matter. Our top priority is ensuring that our customers are protected and we will update them as soon as we have more information. Versions Impacted Affected Product Symantec Endpoint Protection Client Symantec Endpoint Protection Client Version 11 Build All 12.1 All Solution and Mitigating Option(s) Update to SEP 12.1 RU4 MP1b Withdraw the ADC policy Update to SEP 12.1 RU4 MP1b Uninstall the ADC component Withdraw ADC policy and disable the sysplant.sys driver on the client Nature of the Vulnerability The issue, as reported, only affects the Application and Device Control component of Symantec Endpoint Protection. This vulnerability is not accessible remotely and only affects SEP clients actually running Application and Device Control. If the vulnerability is exploited by accessing the machine directly, it could Symantec Partner and Internal ©2014 Symantec Symantec Endpoint Protection Application and Device Control Vulnerability Internal Symantec and Partners result in a client crash, denial of service or, if successful, escalate to admin privileges and gain control of the system. Key Resources Symantec Advisory Page (available Aug 4th) SEP ADC Zero-Day KB Article FAQ Q1: Which versions of Symantec Endpoint Protection does this vulnerability affect? A: This vulnerability affects Symantec Endpoint Protection 11.0 RTM to 12.1.4 Q2: Is Symantec Endpoint Protection 12.1 Small Business Edition, Symantec Endpoint Protection.cloud (SEP SBE) or Symantec Network Access Control (SNAC) affected by this vulnerability? A: No. SEP SBE 12.1, SEP.cloud and SNAC do not include Application and Device Control and are therefore not affected. Q3: What documentation is available? A: The Advisory is the primary point of information for customers, and the SEP ADC Zero-Day KB Article provides supporting information and additional mitigating measures. Q4: How is Symantec notifying customers and partners? A: Customers who sign up for BCS Bulletins will receive an alert when the Advisory publishes. A reactive communication infrastructure is in place through Support and the KB Article, however, Symantec is NOT sending widespread notifications to all customers since the vulnerability is limited to those using Application and Device Control, is not accessible remotely, and is considered medium (rather than high) severity. Q5: What are the mitigation options? A: All customers should upgrade to SEP 12.1.RU4 1b (when available) or follow further mitigating options. SEP 11 customers can withdraw the ADC policy and SEP 12.1 customers can uninstall the ADC component as mitigation. For details on how to execute mitigating measures, refer to the SEP ADC Zero-Day KB Article. SEP 12.1, uninstall the Application and Device Control (ADC) component: o From your Symantec Endpoint Protection Manager (SEPM) navigate to Admin, Install Packages and click on the Client Install Feature Set and select to Add Client Install Feature Set. o Choose to remove Application and Device Control (ADC) and select OK. o Navigate to Clients Group and select Add Install Packages. o Uncheck Maintain Feature Set and select your newly created Feature Set. o Select the newly created feature set once for 32 bit and once for 64 bit. All Symantec Endpoint Protection (SEP) clients are moved to that new feature set without the ADC component installed. SEP 12.1, disable the ADC driver manually: o From your SEPM console, withdraw the Application and Device Control policy (if applicable) o From your SEPM console, disable Tamper Protection. Symantec Partner and Internal ©2014 Symantec Symantec Endpoint Protection Application and Device Control Vulnerability Internal Symantec and Partners o At the local client, or via a remote script, set the Sysplant.sys driver to start manually. o Reboot the client. o From your SEPM console, reenable Tamper Protection. SEP 11, deploy a SEPM policy with ADC disabled: o From your Symantec Endpoint Protection Manager (SEPM) navigate to Groups, Policy tab and select your Application and Device Control (ADC) policy. o Click Tasks and disable your ADC policy, select Yes. o Symantec Endpoint Protection (SEP) clients will require a reboot for ADC to be fully disabled. Q6: Are customers required to update to the Symantec Endpoint Protection Manager? A: No. The Symantec Endpoint Protection Clients requires an update. Q7: Offensive Security reported “a multitude of vulnerabilities” that will be reviewed during Black Hat 2014. Is Symantec aware of the additional vulnerabilities, and when will a solution or other mitigating steps be available? A: Symantec is aware of the announcement and actively awaiting further information regarding the vulnerabilities to respond as quickly as possible. Q8: When will SEP 12.1.RU4 MP1b be available? A: Symantec is currently awaiting further information related to the vulnerabilities for code verification so the solution can be validated. Symantec is currently code reviewing the areas reported as vulnerable in Offensive Security’s post and is fixing the identified vulnerable code, but may require additional time to create a more comprehensive solution that covers the suspected multiple vulnerabilities. Q9: If my customer has further questions, where should I direct them? A: The SEP ADC Zero-Day KB Article will have the most up-to-date information and provide a way for customers to register for updates. For further information, please work with your local SEP Backline team or contact Symantec Technical Support. Symantec Partner and Internal ©2014 Symantec