Unquoted Path Vulnerability - Continuation

This is a continuation of https://community.sophos.com/intercept-x-endpoint/f/discussions/126818/unquoted-path-vulnerability---please-fix-asap. That thread is locked because of age... but the problem remains!

4 months ago you said "It's fixed in Hitmanpro version 3.8.2 which doesn't have announced dates yet, but this version is already available as a Hotfix. Hotfix after some testing becomes a part of general release (likely in June sometime)." It's now August and this still hasn't been updated. When is it going to happen?

  • Hi There,

    Thank you for reaching out to us. With regard to the version of the hotfix which is currently released in our knowledge base article, there's no major update of the version as of now, though as you can see, the content of this article is up to date. Most likely we release a version update once there's a major bug fix that needs to be sorted out through this hotfix. As of now, the said version that we have can fix some bugs which are currently faced on endpoints at present.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
    Connect, Engage, Earn Rewards - Join the Sophos Community
  • The release for Intercept X (Hitmanpro) component 3.8.2 was halted due to some issues identified during testing. The root cause of that issue was identified and it will now be released as Hitmanpro 3.8.3 (Intercept X 2.0.23) in early September. The release team didn't provide exact dates for the start of the general release of 3.8.3.

    In the meantime, you can install the hotfix for 3.8.3 from https://support.sophos.com/support/s/article/KB-000038477

  • Thanks for the update.

    I appreciate that there is a hotfix, but this is not an attractive option if you have a lot of endpoints that need patching. Also, as stated in the patch, "it is not fully release tested and should be considered as a pre-release version for testing only", so it doesn't really make it suitable for wide-scale deployment. The very fact that you ran into an issue with the previous hotfix just confirms this.

  • Your concern is completely understandable! Large-scale deployment with a hotfix is not something that is easy to do, and it does not guarantee that it will be free of any possible issues. As I mentioned in the previous post, this is considered a low-risk vulnerability, as it would only succeed when all 3 of the conditions below are in effect:

    1) Admin access on a system in order to make c:\program.exe

    2) The antivirus and machine learning both completely failed to detect program.exe

    3) Whatever exploit they used to get admin rights was not blocked by Hitmanpro

    If the attacker already managed to bypass AV and has full admin access, then there is no reason for them to use this vulnerability, as they can proceed with executing the payload.

    The GA fix 3.8.3 will be released in early September. Those are, unfortunately, the only 2 options you have:

    1) Deploy the hotfix if it's absolutely necessary

    2) OR:

    A) Audit your endpoint and server policies to confirm that all recommended settings are enabled.

    Recommended settings:

    https://support.sophos.com/support/s/article/KB-000038564?language=en_US

    https://support.sophos.com/support/s/article/KB-000038565?language=en_US

    B) Address machines in red health state, which would indicate issues with stopped services or missing components. Usually a full reinstall using the SophosZap removal tool would take care of any issues, unless it's something local on the machine itself like registry permission issues.

    Here are the steps for the SophosZap removal tool:

    - Disable Tamper Protection
    - Download SophosZap from the link below:
    - Open an administrative command prompt and navigate to the file location of SophosZap.exe
    - Start the application with the following command:
      SophosZap --confirm
    - Once it finishes running, please reboot and run it again, then reboot again (2nd time) when done, before reinstalling

    More details with screenshots are in the article below:
    -----------------------------------------
    Article ID: 134486
    Title: SophosZap: Frequently asked questions (FAQ)
    -----------------------------------------
    Hope that helps and please let me know if you have any further questions!
    If you run into further issues with this, please call your local Technical Support number listed on our website: secure2.sophos.com/.../support.aspx and we can start helping you right away!

    Steps A and B would help to mitigate risks overall. Hope that helps!
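An added audit helper, not from Sophos or from anyone in this thread, that applies the reasoning above to service registry entries: it flags an ImagePath value that is unquoted and contains spaces, lists the intermediate locations (such as c:\program.exe) whose parent directories an auditor must confirm are not writable by standard users, and produces the quoted form that a fix like the one for CVE-2021-25269 installs. The sample ImagePath values are constructed, not the real HitmanPro.Alert entries.

```python
import re

# Constructed sample ImagePath values, in the form found under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (illustrative only).
SAMPLE_IMAGE_PATHS = {
    "QuotedSvc": '"C:\\Program Files\\Vendor\\Agent Service\\agent.exe" -svc',
    "UnquotedSvc": "C:\\Program Files\\Vendor\\Agent Service\\agent.exe -svc",
    "SystemSvc": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "NoSpaceSvc": "C:\\Vendor\\agent.exe",
}
_EXE_RE = re.compile(r"(.*?\.exe)(\s|$)", re.IGNORECASE)

def split_image_path(image_path):
    """Return (executable, arguments, was_quoted); (None, None, False) if
    no .exe token is found. Surrounding quotes are stripped from executable."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return None, None, False
        return s[1:end], s[end + 1:].strip(), True
    m = _EXE_RE.match(s)
    if not m:
        return None, None, False
    return m.group(1), s[m.end():].strip(), False

def unquoted_path_candidates(image_path):
    """Paths Windows would try before the intended binary when the executable
    path is unquoted and has spaces (the c:\\program.exe case); [] if unaffected."""
    exe, _, quoted = split_image_path(image_path)
    if exe is None or quoted or " " not in exe:
        return []
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def quote_image_path(image_path):
    """Remediated form: executable wrapped in double quotes, arguments kept."""
    exe, args, _ = split_image_path(image_path)
    if exe is None:
        return image_path
    return f'"{exe}" {args}'.rstrip()

def audit(services):
    """Map service name -> candidate paths for each affected entry; an auditor then
    checks no unexpected file exists there and parent dirs are not user-writable."""
    findings = {}
    for name, path in services.items():
        candidates = unquoted_path_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings
```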

  • Hi @PavSupport -

    Are there any updates on when the new update will be released? We are out of compliance until this vulnerability gets resolved. I am aware of the hotfix, but we don't have the resources or time to manually install this on all 150+ affected devices. Thanks for any information you can provide.

    Best,

    Jack

  • I checked with our escalation team and unfortunately, the dates for release were not announced yet. 

  • Any update on this? It's been 9 months now and every month I have to report to our directors that this hasn't been fixed. It doesn't give a good impression, and they are questioning Sophos's attitude to security and whether we should change to a different product. It doesn't really matter how difficult it is to exploit; the fact it even exists shows sloppy programming, and the fact you won't fix it in a timely manner reflects badly on Sophos.

  • Actually, that should be fixed by now. See: https://docs.sophos.com/releasenotes/output/en-us/esg/sesc_interceptx_rn.html

    The November release pushed out Intercept X 2.0.23, which includes the fix for this issue. 


  • Thanks for pointing that out. None of our estates have received the update yet, so we are still seeing the issue. I notice there is no mention of this issue in the release notes (that I could find), but hopefully that is just an oversight.

  • I sent a request to our Documentation team and the release notes https://docs.sophos.com/releasenotes/index.html?productGroupID=esg&productID=sesc_interceptx&versionID=allVersions were updated with the following: 

    WINEP-30725 HitmanPro.Alert Fixed unquoted path stored in registry (CVE-2021-25269).

    For endpoints the release will be completed by Nov 18. For servers by Dec 07.