A security bug affecting OpenSSL was announced this week (07-Apr-2014). OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are vulnerable.
Symantec Endpoint Protection Manager (SEPM) utilizes OpenSSL. As a result, some versions of SEPM are affected.
- Symantec Endpoint Protection clients are not impacted.
- No versions of Symantec Endpoint Protection 11 (SEP) are impacted by this issue.
- SEPM 12.1 RTM to SEPM 12.1 RU1 MP1 are not impacted. They use an earlier version of OpenSSL that is not vulnerable.
- SEPM 12.1 RU2 to SEPM 12.1 RU4 MP1 (inclusive) are vulnerable. They utilize OpenSSL 1.0.1.
The following steps create a SEP firewall rule that blocks incoming TCP connections to the SEPM reporting port (8445 by default) on the SEPM server(s):
- Log in to the SEPM
- Click Policies
- Click Firewall
- Right-click your existing firewall policy
- Click Edit
- Click Rules
- Click Add Blank Rule. If the rule is not created at the top of the firewall rule list, select the new rule and use the Move Up button to move the rule to the top of the list.
- Rename the rule to: Block 8445 Communication
- Set the rule's action to: Block
- Set Application to: Any
- Set Host to: Any
- Right-click Service and click Edit
- Click Add
- Set Protocol to: TCP
- Select the Local/Remote radio button
- In Local Port, enter: 8445 (Note: This is the default port. If you have configured your SEPM to use a different port for reporting, substitute that port here.)
- Leave Remote Port blank.
- Set Direction to: Incoming
- Click OK
- Right-click Log and click Write to Traffic Log
- Click OK
- Right-click the firewall policy and click Assign. Assign it to the group(s) that contain your SEPM server(s).
Once you configure the policy from within the Symantec Endpoint Protection Manager, you will need to wait for the policy to propagate to the Symantec Endpoint Protection client installed on the SEPM server(s) prior to testing. To force the SEP client to download the modified policy immediately, right-click the SEP system-tray icon and click Update Policy.
To confirm that the rule applied successfully, telnet to port 8445 on the SEPM server. (Note: This is the default port. If you have configured your SEPM to use a different port for reporting, substitute that port here.) If the rule is configured correctly, the firewall blocks the traffic and does not permit a connection to the port. You may then examine the Traffic log of the SEP client on the SEPM server to confirm that SEP blocked the connection. See the steps below.
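The telnet check above can be scripted so it can be repeated against every SEPM server after the policy propagates. This is an added example, not part of the Symantec article; the host name and the 8445 default are placeholders you substitute with your own SEPM and reporting port.

```python
import socket
import sys

# Default SEPM reporting port; substitute yours if you changed it (assumption: 8445).
SEPM_REPORTING_PORT = 8445


def probe_tcp(host: str, port: int = SEPM_REPORTING_PORT, timeout: float = 3.0) -> str:
    """Attempt a TCP connection and classify the outcome.

    Returns one of:
      "open"     - handshake completed, so the block rule is NOT in effect
      "refused"  - RST received (nothing listening, or the host rejects)
      "filtered" - no answer within the timeout, typical of a silent block
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        # host unreachable or other network errors: no connection was made
        return "filtered"


def rule_in_effect(host: str, port: int = SEPM_REPORTING_PORT, timeout: float = 3.0) -> bool:
    """True when the reporting port cannot be reached, i.e. the rule blocks it."""
    return probe_tcp(host, port, timeout) != "open"


if __name__ == "__main__":
    # Usage: python check_sepm_port.py <sepm-host> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "sepm.example.local"  # placeholder host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else SEPM_REPORTING_PORT
    state = probe_tcp(target, port)
    verdict = "blocked (rule applied)" if rule_in_effect(target, port) else "REACHABLE (rule not applied)"
    print(f"{target}:{port} -> {state}: {verdict}")
```

Run it from a host other than the SEPM itself, since the rule's direction is Incoming; a result of "filtered" or "refused" is what you expect once the policy is active.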
How do I confirm that SEP blocked communication to the reporting port using the Firewall rule I created (above)?
- In the system tray, double-click the Symantec Endpoint Protection (SEP) icon to open the SEP client
- Click View Logs
- Click View Logs next to Network Threat Protection
- Click Traffic Log
- Confirm you see the blocked attempt to connect to port 8445. (Note: This is the default port. If you have configured your SEPM to use a different port for reporting, substitute that port here.)