Unquoted Path Vulnerability - Continuation

Question

This is a continuation of https://community.sophos.com/intercept-x-endpoint/f/discussions/126818/unquoted-path-vulnerability---please-fix-asap . That thread is locked because of age....but the problem remains! 
 PavSupport 4 months ago you said " I ts fixed in Hitmanpro version 3.8.2 which doesn't have announced dates yet, but this version is already available as a Hotfix. Hotfix after some testing becomes a part of general release (likely in June sometime). " It's now August and this still hasn't been updated. When is it going to happen?

PavSupport · Accepted Answer

JasP This is likely because you are not in the group of customers that are getting this release today. The release for endpoints will go from Nov 8 to 18 depending on groups of customers and other internal release logic. For servers everything will be completed by Dec 07. This means that your environment will get those updates available in that date range. 
 The article that I mentioned above https://support.sophos.com/support/s/article/KB-000042881 talks about it: 
 "For Sophos Central, we release Endpoint and Server product updates at any time during the year. In addition, due to the dynamic nature of the product, these releases can change at any point and can differ between customers." 
 If it's critical for you to get that update asap, please raise a case with support, who can escalate it to GES team and move your account to get the update right away. Otherwise, if you do nothing, then you will be able to see your endpoints having that update by Nov 18.

PavSupport · Answer

I sent a request to our Documentation team and the release notes https://docs.sophos.com/releasenotes/index.html?productGroupID=esg&productID=sesc_interceptx&versionID=allVersions were updated with the following:

WINEP-30725 
 HitmanPro.Alert 
 Fixed unquoted path stored in registry (CVE-2021-25269).

For endpoints the release will be completed by Nov 18. For servers by Dec 07.

PavSupport · Answer

Your concern is completely understandable! Large scale deployment with hotfix is not something that is easy to do and it does not guarantee that it will be free of any possible issues. As I mentioned in the previous post this is considered a low-risk vulnerability, as it would only succeed when all 3 of the conditions below are in effect: 
 1) admin access on a system in order to make c:\program.exe 
 2) The antivirus and machine learning both completely failed to detect program.exe 
 3) Whatever exploit they used to get admin rights was not blocked by Hitmanpro 
 If the attacker already managed to bypass AV and has full admin access, then there is no reason for them to use this vulnerability, as they can proceed with executing the payload. 
 The GA fix 3.8.3 will be released in early September. That's, unfortunately, the only 2 options you have 
 1) Deploy hotfix if it's absolutely necessary 
 2) OR 
 A) audit your endpoint and server policies to confirm that all recommended settings are enabled 
 recommended settings: 
 https://support.sophos.com/support/s/article/KB-000038564?language=en_US 
 https://support.sophos.com/support/s/article/KB-000038565?language=en_US 
 B) address machines in red health state that would indicate issues with stopped services or missing components. Usually full reinstall using SophosZap removal tool would take care of any issues unless it's something local on the machine itself like registry permission issues. 
 Here are the steps for SophosZap removal tool: 
 -Disable Tamper Protection 
 -Download SophosZap from the link below: 
 www.sophos.com/.../DownloadRedirect.aspx 
 - Open an Administrative command prompt and navigate to the file location of SophosZap.exe 
 - Start the application with the following command: 
 SophosZap --confirm 
 - Once it finishes running, please reboot and run it again, then reboot again (2nd time) when done, before reinstalling 
 
 More details with screenshots are in the article below: 
 
 ----------------------------------------- 
 Article ID: 134486 
 Title: SophosZap: Frequently asked questions (FAQ) 
 URL: https://support.sophos.com/support/s/article/KB-000038989?language=en_US 
 ----------------------------------------- 
 
 Hope that helps and please let me know if you have any further questions! 
 
 If you run into further issues with this, please call on your local Technical Support number listed on our website: secure2.sophos.com/.../support.aspx&#160;and we can start helping you right away! 
 
 Steps A and B would help to mitigate risks overall. Hope that helps!

PavSupport · Answer

Sophos client checks for an update right after reboot (when the Autoupdate service re-starts) and every 60 minutes after that. Virus signature updates happen 3-4 times a day. Component updates happen weeks-months apart and are downloaded and installed by the endpoint client once they are available. Here is an article that talks more about updating https://support.sophos.com/support/s/article/KB-000042881?language=en_US 
 You can force trigger an update from Central by pressing Update when looking at a specific endpoint or on the machine itself through the interface by pressing "update now". 
 In your case you would also need to check if you are 
 1) using controlled updates (for servers and endpoints - in Global settings) - if yes, then you would need to make sure to press "update test group and then match the rest of the machines with the test group once the update is available) 
 2) using Update schedule policy (you can find it among other policies) - eg. updating at a specific time of the day and specific day of the week. (eg. even if an update is available it will not be downloaded\installed until a specific day of the week	ime that you may indicate in the policy). If the machine is off during that time - it works as a scheduled task and it will need to wait until the next occurrence of the event. 
 Hope that helps!

PavSupport · Answer

The release for Intercept X (Hitmanpro) component 3.8.2 was halted due to some issues identified during testing. Root cause of that issue was identified and it will be now released as Hitmanpro 3.8.3 ( Intercept X 2.0.23 ) in early September. Release team didn't provide the exact dates for the start of the general release of 3.8.3 
 
 In the meantime, you can install the hotfix for 3.8.3 from https://support.sophos.com/support/s/article/KB-000038477 .

Unquoted Path Vulnerability - Continuation

Top Replies