ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

About Symantec Endpoint Protection and the Poodle SSL 3.0 vulnerability (CVE-2014-3566)

book

Article ID: 161327

calendar_today

Updated On:

Products

Endpoint Protection Network Access Control

Issue/Introduction

A security bug affecting SSL 3.0 was released on October 14, 2014.

Resolution

The management console for Symantec Endpoint Protection Manager (SEPM) prior to SEP 12.1.6 does use SSL 3.0. As a result, Symantec Endpoint Protection (SEP) is affected.
 

Contents

Affected versions
  • 12.1.x Symantec Endpoint Protection Windows client
  • 12.1.5 and earlier Symantec Endpoint Protection Manager
  • 12.1 Symantec Network Access Control Windows client
  • 12.1.x Symantec Network Access Control Windows On-Demand client
  • 12.1.x Symantec Network Access Control Mac On-Demand client
  • 12.1.x Symantec Network Access Control Gateway Enforcer
  • 12.1.x Symantec Network Access Control LAN Enforcer
  • 12.1.x Symantec Network Access Control Integrated Enforcer
  • 12.1.x RU5 Security Virtual Appliance (SVA)
  • 12.1.x Symantec Endpoint Protection for Mac
  • 12.1.5 Symantec Endpoint Protection Linux client
  • 12.1.x Symantec AntiVirus for Linux
  • LiveUpdate Administrator 2.3.3 and 2.3.4

 

Mitigation: Secure the communication between SEPM Java console and SEPM

 

Note: Due to the version of Java that shipped with SEP 12.1 RTM, 12.1 RU1 and 12.1 RU1 MP1, there are some limitations to the functionality should these steps be followed. See the Additional Information section for details.

  1. In a text editor, open the following file:

    C:\Program Files\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\ssl.conf
  2. Change the following line:

    SSLProtocol all -SSLv2


    to:

    SSLProtocol all -SSLv2 -SSLv3

    If the line does not exist, create it.
  3. Restart the Symantec Endpoint Protection Manager Webserver service.
  4. In a text editor, open the following file:

    C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml
  5. In the <Connector> section for port 8443, locate the following line:

    sslProtocol="TLS"

    Note: 8443 is the default port used for SEPM console / SEPM server communication. If you have changed the configuration, this port may be different.
  6. Do one of the following:
    • If you are using SEP 12.1 RTM, RU1, or RU1 MP1, add the following line after sslProtocol="TLS":

      Protocols="TLSv1,TLSv1.1,TLSv1.2"
       
    • If you are using a version of SEP later than RU1 MP1, add the following line after sslProtocol="TLS":

      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
       
  7. Restart the Symantec Endpoint Protection Manager service.
  8. If you use the Web console, ensure that the browser has TLS enabled.

  Additional information for 12.1 RTM, RU1 and RU1 MP1

  • The web console will fail to connect. This is a known issue with that version of JRE. The only workaround is to update to a newer version of SEP.
  • The local Java console will fail to connect. To work around this problem:
    1. Install the latest JRE.
    2. Edit the file C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\sesm.bat to replace the path of javaw.exe with the new JRE path.
  • The Remote Java console (including running locally) is not affected.
  • If at any time you upgrade SEPM to a 12.1 version that is older than RU5, follow the steps in this document again.

 

Mitigation: Secure the communication between SEP client and SEPM

This section is only applicable if SSL has been enabled on SEPM for client communication.

Due to a signing certificate change, certain versions of Windows Server 2003 and XP require that you apply a patch to ensure continued communication. For more information, see Upcoming change to validation certificates for Endpoint Protection reputation lookups may affect Windows XP / Server 2003.

 

Configure SEPM to accept only TLS connections

 

  1. In a text editor, open the following file:

    C:\Program Files\Symantec\Symantec Endpoint Protection Manager\apache\conf\httpd.conf
  2. Remove the “#” character at the beginning of the following line:

    #Include conf/ssl/sslForClients.conf
  3. In a text editor, open the following file:

    C:\Program Files\Symantec\Symantec Endpoint Protection  Manager\apache\conf\ssl\sslForClients.conf
  4. Change the following line:

    SSLProtocol all -SSLv2

    to:

    SSLProtocol all -SSLv2 -SSLv3
  5. Restart the Symantec Endpoint Protection Manager Webserver service.

If at any time you upgrade SEPM to a 12.1 version that is older than RU5, follow the steps in this document again.  

 

Enable TLS on communication between SEP client and SEPM

On Windows XP or 2003 clients that use Internet Explorer (IE) 6.x, enable TLS manually. All other operating systems have TLS enabled by default.

Note: This is an operating system change. Please consult Microsoft documentation should there be any questions. Also, ensure that any applicable testing is conducted to ensure no negative results with third party applications.

Enable all SSL versions and TLS1.0 for the local system account

  1. In the Windows registry, go to the following key:

    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings
     
  2. Change the DWORD value SecureProtocols to 0xa8.
  3. Restart the SEP service.

 

Mitigation: Secure the communication between Symantec Network Access Control Windows On-Demand Client and SEPM

The following changes should be made to enable TLS before using Symantec Network Access Control (SNAC) Windows On-Demand Client (WODC) on Windows XP or 2003 clients that use IE 6.x.

Note: This is an operating system change. Please consult Microsoft documentation should there be any questions. Also, ensure that any applicable testing is conducted to ensure no negative results with third party applications.

  1. On the client computer, log on to Windows as the user that will run WODC.
  2. In the Windows registry on the client computer, do one of the following:
    • If the user account that runs WODC is part of the local administrators group, go to HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings, and set the SecureProtocols value to 0xa8.
    • If the user account that runs WODC is not part of the local administrators group, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, and set the SecureProtocols value to 0xa8.

 

Mitigation: Secure the communication between SEPM Remote Management Application (RMM) and SEP clients

If you do not use the RMM feature, you can disable the RMM port.

Note: Once SSL 3.0 is disabled for RMM web service ports, any client that uses this service will have to use TLS to connect. If the client does not support TLS, the connection to RMM web service will fail.

  1. In a text editor, open the following file:

    C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml
     
  2. In the <Connector> section for port 8446, after the line sslProtocol="TLS", add the following line:

    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

    Note: 8446 is the default port used for SEPM RMM communication. If you have configured the port, this value might be different Check your configuration settings to see the actual value.

  3. Restart the Symantec Endpoint Protection Manager service.

If at any time you upgrade SEPM to a 12.1 version that is older than RU5, follow the steps in this document again.

Mitigation: Disable web services for Symantec Protection Center (SPC)

Disable web services for SPC. SEPM port 8444 is used for SPC communication. This port has hard-coded support for SSLv3.

Disabling web services may impact the function of SPC.

Mitigation: Secure LiveUpdate Administrator communications

 If LiveUpdate Administrator is installed, disable SSL communications.

Disable SSL

  1. In the LiveUpdate Administrator installation folder, go to \tomcat\conf\.
  2. Open server.xml in a text editor.
  3. Find the line that begins with:

    <Connector port="7073" maxHttpHeaderSize="8192" clientAuth="false" SSLEnabled="true" keystoreFile="../jre/bin/server-cert.ssl" ...
     
  4. Change

    sslProtocol="TLS"

    to

    sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2"
     
  5. Save and close server.xml.
  6. Restart the Tomcat services.

Poodle variant CVE 2014-8730

 Symantec Endpoint Protection is not affected by the Poodle variant CVE 2014-8730.