Problem
A security bug affecting SSL 3.0 was released on October 14, 2014.
Solution
The management console for Symantec Endpoint Protection Manager (SEPM) prior to SEP 12.1.6 does use SSL 3.0. As a result, Symantec Endpoint Protection (SEP) is affected.
Impacted versions
- 12.1.x Symantec Endpoint Protection Windows client
- 12.1.5 and earlier Symantec Endpoint Protection Manager
- 12.1 Symantec Network Access Control Windows client
- 12.1.x Symantec Network Access Control Windows On-Demand client
- 12.1.x Symantec Network Access Control Mac On-Demand client
- 12.1.x Symantec Network Access Control Gateway Enforcer
- 12.1.x Symantec Network Access Control LAN Enforcer
- 12.1.x Symantec Network Access Control Integrated Enforcer
- 12.1.x RU5 Security Virtual Appliance (SVA)
- 12.1.x Symantec Endpoint Protection for Mac
- 12.1.5 Symantec Endpoint Protection Linux client
- 12.1.x Symantec Antivirus for Linux
- LiveUpdate Administrator 2.3.3 and 2.3.4
Mitigation: Secure the communication between SEPM Java console and SEPM
Note: Due to the version of Java that shipped with SEP 12.1 RTM, 12.1 RU1 and 12.1 RU1 MP1, there are some limitations to the functionality should these steps be followed.
- In a text editor, open the following file:
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\ssl.conf - Change the following line:
SSLProtocol all -SSLv2
to:
SSLProtocol all -SSLv2 -SSLv3
If the line does not exist, create it. - Restart the Symantec Endpoint Protection Manager Webserver service.
- In a text editor, open the following file:
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml - In the <Connector> section for port 8443, locate the following line:
sslProtocol="TLS"
Note: 8443 is the default port used for SEPM console / SEPM server communication. If you have changed the configuration, this port may be different. - Do one of the following:
- If you are using SEP 12.1 RTM, RU1, or RU1 MP1, add the following line after sslProtocol="TLS":
Protocols="TLSv1,TLSv1.1,TLSv1.2″ - If you are using a version of SEP later than RU1 MP1, add the following line after sslProtocol="TLS":
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2″
- If you are using SEP 12.1 RTM, RU1, or RU1 MP1, add the following line after sslProtocol="TLS":
- Restart the Symantec Endpoint Protection Manager service.
- If you use the Web console, ensure that the browser has TLS enabled.
Additional information for 12.1 RTM, RU1 and RU1 MP1
- The web console will fail to connect. This is a known issue with that version of JRE. The only workaround is to update to a newer version of SEP.
- The local Java console will fail to connect. To work around this problem:
- Install the latest JRE.
- Edit the file C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\sesm.bat to replace the path of javaw.exe with the new JRE path.
- The Remote Java console (including running locally) is not impacted.
- If at any time you upgrade SEPM to a 12.1 version that is older than RU5, follow the steps in this document again.
Mitigation: Secure the communication between SEP client and SEPM
This section is only applicable if SSL has been enabled on SEPM for client communication.
Configure SEPM to accept only TLS connections
- In a text editor, open the following file:
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\apache\conf\httpd.conf - Remove the “#” character at the beginning of the following line:
#Include conf/ssl/sslForClients.conf - In a text editor, open the following file:
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\sslForClients.conf - Change the following line:
SSLProtocol all -SSLv2
to:
SSLProtocol all -SSLv2 -SSLv3 - Restart the Symantec Endpoint Protection Manager Webserver service.
If at any time you upgrade SEPM to a 12.1 version that is older than RU5, follow the steps in this document again.
Enable TLS on communication between SEP client and SEPM
On Windows XP or 2003 clients that use Internet Explorer (IE) 6.x, enable TLS manually. All other operating systems have TLS enabled by default.
Note: This is an operating system change. Please consult Microsoft documentation should there be any questions. Also, ensure that any applicable testing is conducted to ensure no negative results with third party applications.
Enable all SSL versions and TLS1.0 for the local system account
- In the Windows registry, go to the following key:
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings - Change the DWORD value SecureProtocols to 0xa8.
- Restart the SEP service.
Mitigation: Secure the communication between Symantec Network Access Control Windows On-Demand Client and SEPM
The following changes should be made to enable TLS before using Symantec Network Access Control (SNAC) Windows On-Demand Client (WODC) on Windows XP or 2003 clients that use IE 6.x.
Note: This is an operating system change. Please consult Microsoft documentation should there be any questions. Also, ensure that any applicable testing is conducted to ensure no negative results with third party applications.
- On the client computer, log on to Windows as the user that will run WODC.
- In the Windows registry on the client computer, do one of the following:
- If the user account that runs WODC is part of the local administrators group, go to HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings, and set the SecureProtocols value to 0xa8.
- If the user account that runs WODC is not part of the local administrators group, go toHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, and set the SecureProtocols value to 0xa8.
Mitigation: Secure the communication between SEPM Remote Management Application (RMM) and SEP clients
If you do not use the RMM feature, you can disable the RMM port.
Note: Once SSL 3.0 is disabled for RMM web service ports, any client that uses this service will have to use TLS to connect. If the client does not support TLS, the connection to RMM web service will fail.
- In a text editor, open the following file:
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml - In the <Connector> section for port 8446, after the line sslProtocol="TLS", add the following line:
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2″
Note: 8446 is the default port used for SEPM RMM communication. If you have configured the port, this value might be different Check your configuration settings to see the actual value. - Restart the Symantec Endpoint Protection Manager service.
If at any time you upgrade SEPM to a 12.1 version that is older than RU5, follow the steps in this document again.
Mitigation: Disable web services for Symantec Protection Center (SPC)
Disable web services for SPC. SEPM port 8444 is used for SPC communication. This port has hard-coded support for SSLv3.
Disabling web services may impact the function of SPC.
Mitigation: Secure LiveUpdate Administrator communications
If LiveUpdate Administrator is installed, disable SSL communications.
Disable SSL
- In the LiveUpdate Administrator installation folder, go to \tomcat\conf\.
- Open server.xml in a text editor.
- Find the line that begins with:
<Connector port="7073″ maxHttpHeaderSize="8192″ clientAuth="false" SSLEnabled="true" keystoreFile="../jre/bin/server-cert.ssl" … - Change
sslProtocol="TLS"
to
sslEnabledProtocols = “TLSv1,TLSv1.1,TLSv1.2″ - Save and close server.xml.
- Restart the Tomcat services.
Poodle variant CVE 2014-8730
Symantec Endpoint Protection is not affected by the Poodle variant CVE 2014-8730.
References