FAQ - PartnerNet

advertisement
Symantec Endpoint Protection
Application and Device Control Vulnerability
Internal Symantec and Partners
Topic
Audience
Date
Customer Support
SEP Zero-Day Vulnerability
Symantec Sales & Partners
July 29, 2014
Endpoint Protection Technical
Support
Kariann_sewell@symantec.com
Sara_pan@symantec.com
Product Marketing
Symantec Endpoint Protection 0-day reported by Offensive
Security
On Tuesday, July 29th, Offensive Security published information
Questions or
Comments
on their website, claiming that they have found several
vulnerabilities, including a zero-day, within Symantec Endpoint
Protection. According to Offensive Security, they have relayed
some information to CERT, but will be making additional details and vulnerabilities known during their
presentation at the Black Hat conference in Las Vegas next week. Their write-up is accompanied by a video
demonstrating how this vulnerability can be exploited.
No known compromise has been reported; the vulnerability is considered medium severity, and is being
handled by Symantec with the utmost urgency and care. While Offensive Security did not use responsible
disclosure procedures and contact Symantec prior to public announcement, Symantec’s Engineers have
acknowledged the vulnerability and responded quickly.
Action Required by Customer (using Application and Device Control)
 View the SEP ADC Zero-Day KB Article
o Register for notifications as additional information is available
 Go to FileConnect
o Install SEP 12.1 RU4 MP1b (available Aug 4)
 Follow mitigating measures for Application and Device Control
Reactive Media Statement
Symantec is aware of the reported Symantec Endpoint Protection (SEP) vulnerabilities and is currently
investigating the matter. Our top priority is ensuring that our customers are protected and we will update
them as soon as we have more information.
Versions Impacted
Affected Product
Symantec Endpoint
Protection Client
Symantec Endpoint
Protection Client
Version
11
Build
All
12.1
All





Solution and Mitigating Option(s)
Update to SEP 12.1 RU4 MP1b
Withdraw the ADC policy
Update to SEP 12.1 RU4 MP1b
Uninstall the ADC component
Withdraw ADC policy and disable the
sysplant.sys driver on the client
Nature of the Vulnerability
The issue, as reported, only affects the Application and Device Control component of Symantec Endpoint
Protection. This vulnerability is not accessible remotely and only affects SEP clients actually running
Application and Device Control. If the vulnerability is exploited by accessing the machine directly, it could
Symantec Partner and Internal
©2014 Symantec
Symantec Endpoint Protection
Application and Device Control Vulnerability
Internal Symantec and Partners
result in a client crash, denial of service or, if successful, escalate to admin privileges and gain control of the
system.
Key Resources
Symantec Advisory Page (available Aug 4th)
SEP ADC Zero-Day KB Article
FAQ
Q1: Which versions of Symantec Endpoint Protection does this vulnerability affect?
A: This vulnerability affects Symantec Endpoint Protection 11.0 RTM to 12.1.4
Q2: Is Symantec Endpoint Protection 12.1 Small Business Edition, Symantec Endpoint Protection.cloud (SEP
SBE) or Symantec Network Access Control (SNAC) affected by this vulnerability?
A: No. SEP SBE 12.1, SEP.cloud and SNAC do not include Application and Device Control and are therefore not
affected.
Q3: What documentation is available?
A: The Advisory is the primary point of information for customers, and the SEP ADC Zero-Day KB Article
provides supporting information and additional mitigating measures.
Q4: How is Symantec notifying customers and partners?
A: Customers who sign up for BCS Bulletins will receive an alert when the Advisory publishes. A reactive
communication infrastructure is in place through Support and the KB Article, however, Symantec is NOT
sending widespread notifications to all customers since the vulnerability is limited to those using Application
and Device Control, is not accessible remotely, and is considered medium (rather than high) severity.
Q5: What are the mitigation options?
A: All customers should upgrade to SEP 12.1.RU4 1b (when available) or follow further mitigating options. SEP
11 customers can withdraw the ADC policy and SEP 12.1 customers can uninstall the ADC component as
mitigation. For details on how to execute mitigating measures, refer to the SEP ADC Zero-Day KB Article.
 SEP 12.1, uninstall the Application and Device Control (ADC) component:
o From your Symantec Endpoint Protection Manager (SEPM) navigate to Admin, Install Packages
and click on the Client Install Feature Set and select to Add Client Install Feature Set.
o Choose to remove Application and Device Control (ADC) and select OK.
o Navigate to Clients Group and select Add Install Packages.
o Uncheck Maintain Feature Set and select your newly created Feature Set.
o Select the newly created feature set once for 32 bit and once for 64 bit. All Symantec Endpoint
Protection (SEP) clients are moved to that new feature set without the ADC component
installed.
 SEP 12.1, disable the ADC driver manually:
o From your SEPM console, withdraw the Application and Device Control policy (if applicable)
o From your SEPM console, disable Tamper Protection.
Symantec Partner and Internal
©2014 Symantec
Symantec Endpoint Protection
Application and Device Control Vulnerability
Internal Symantec and Partners
o At the local client, or via a remote script, set the Sysplant.sys driver to start manually.
o Reboot the client.
o From your SEPM console, reenable Tamper Protection.


SEP 11, deploy a SEPM policy with ADC disabled:
o From your Symantec Endpoint Protection Manager (SEPM) navigate to Groups, Policy tab and
select your Application and Device Control (ADC) policy.
o Click Tasks and disable your ADC policy, select Yes.
o Symantec Endpoint Protection (SEP) clients will require a reboot for ADC to be fully disabled.
Q6: Are customers required to update to the Symantec Endpoint Protection Manager?
A: No. The Symantec Endpoint Protection Clients requires an update.
Q7: Offensive Security reported “a multitude of vulnerabilities” that will be reviewed during Black Hat 2014. Is
Symantec aware of the additional vulnerabilities, and when will a solution or other mitigating steps be
available?
A: Symantec is aware of the announcement and actively awaiting further information regarding the
vulnerabilities to respond as quickly as possible.
Q8: When will SEP 12.1.RU4 MP1b be available?
A: Symantec is currently awaiting further information related to the vulnerabilities for code verification so the
solution can be validated. Symantec is currently code reviewing the areas reported as vulnerable in Offensive
Security’s post and is fixing the identified vulnerable code, but may require additional time to create a more
comprehensive solution that covers the suspected multiple vulnerabilities.
Q9: If my customer has further questions, where should I direct them?
A: The SEP ADC Zero-Day KB Article will have the most up-to-date information and provide a way for
customers to register for updates. For further information, please work with your local SEP Backline team or
contact Symantec Technical Support.
Symantec Partner and Internal
©2014 Symantec
Download