
Unquoted Path Vulnerability - Continuation

This is a continuation of https://community.sophos.com/intercept-x-endpoint/f/discussions/126818/unquoted-path-vulnerability---please-fix-asap. That thread is locked because of age... but the problem remains!

4 months ago you said "It's fixed in Hitmanpro version 3.8.2 which doesn't have announced dates yet, but this version is already available as a Hotfix. Hotfix after some testing becomes a part of general release (likely in June sometime)." It's now August and this still hasn't been updated. When is it going to happen?



  • The release for Intercept X (Hitmanpro) component 3.8.2 was halted due to some issues identified during testing. Root cause of that issue was identified and it will be now released as Hitmanpro 3.8.3 (Intercept X 2.0.23) in early September. Release team didn't provide the exact dates for the start of the general release of 3.8.3

    In the meantime, you can install the hotfix for 3.8.3 from https://support.sophos.com/support/s/article/KB-000038477

  • Thanks for the update.

    I appreciate that there is a hotfix but this is not an attractive option if you have a lot of endpoints that need patching. Also, as stated in the patch, "it is not fully release tested and should be considered as a pre-release version for testing only" so it doesn't really make it suitable for wide-scale deployment. The very fact that you ran into an issue with the previous hotfix just confirms this.

  • Your concern is completely understandable! Large scale deployment with hotfix is not something that is easy to do and it does not guarantee that it will be free of any possible issues. As I mentioned in the previous post this is considered a low-risk vulnerability, as it would only succeed when all 3 of the conditions below are in effect:

    1) admin access on a system in order to make c:\program.exe

    2) The antivirus and machine learning both completely failed to detect program.exe

    3) Whatever exploit they used to get admin rights was not blocked by Hitmanpro 

    If the attacker already managed to bypass AV and has full admin access, then there is no reason for them to use this vulnerability, as they can proceed with executing the payload. 

    The GA fix 3.8.3 will be released in early September. Those are, unfortunately, the only 2 options you have:

    1) Deploy hotfix if it's absolutely necessary

    2) OR

    A) audit your endpoint and server policies to confirm that all recommended settings are enabled

    recommended settings:

    https://support.sophos.com/support/s/article/KB-000038564?language=en_US

    https://support.sophos.com/support/s/article/KB-000038565?language=en_US

    B) address machines in red health state that would indicate issues with stopped services or missing components. Usually full reinstall using SophosZap removal tool would take care of any issues unless it's something local on the machine itself like registry permission issues. 

    Here are the steps for SophosZap removal tool:

    - Disable Tamper Protection
    - Download SophosZap from the link below:
    - Open an Administrative command prompt and navigate to the file location of SophosZap.exe
    - Start the application with the following command:
      SophosZap --confirm
    - Once it finishes running, please reboot and run it again, then reboot again (2nd time) when done, before reinstalling
    More details with screenshots are in the article below:
    -----------------------------------------
    Article ID: 134486
    Title: SophosZap: Frequently asked questions (FAQ)
    -----------------------------------------
    Hope that helps and please let me know if you have any further questions!
    If you run into further issues with this, please call on your local Technical Support number listed on our website: secure2.sophos.com/.../support.aspx and we can start helping you right away!

     Steps A and B would help to mitigate risks overall. Hope that helps! 
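As an added example (not Sophos's code and not from this thread), the audit a defender can run for the condition described above: flag services whose registry ImagePath is unquoted and contains spaces, and list the directories whose write permissions should be reviewed. The service names and paths in SAMPLE_SERVICES are constructed; on a Windows host read_service_image_paths() pulls the real values.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample ImagePath values (not taken from any real system).
SAMPLE_SERVICES = {
    "GoodQuoted": r'"C:\Program Files\Example Vendor\svc.exe" -service',
    "NoSpaces": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "BadUnquoted": r"C:\Program Files\Example Vendor\Example Service\svc.exe -run",
}

def executable_from_image_path(image_path: str) -> Optional[str]:
    """Executable part of an ImagePath, or None when the value is quoted."""
    value = image_path.strip()
    if value.startswith('"'):
        return None  # quoted: the service manager takes the path as-is
    # Unquoted: the path ends at the first .exe/.sys/.dll token; the rest is arguments.
    match = re.match(r"(?i)^(.*?\.(?:exe|sys|dll))\b", value)
    return match.group(1) if match else value.split(" ")[0]

def search_order_candidates(exe: str) -> List[str]:
    r"""Paths tried before the real binary: each space-delimited prefix + .exe (C:\Program.exe ...)."""
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit_image_paths(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Service name -> directories whose write ACLs need review (unquoted path with spaces)."""
    findings = {}
    for name, image_path in services.items():
        exe = executable_from_image_path(image_path)
        if exe is not None and " " in exe:
            findings[name] = [ntpath.dirname(c) for c in search_order_candidates(exe)]
    return findings

def read_service_image_paths() -> Dict[str, str]:
    r"""Read ImagePath of every key under HKLM\SYSTEM\CurrentControlSet\Services (Windows only)."""
    import winreg  # standard library on Windows; raises ImportError elsewhere
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as sub:
                    result[name] = winreg.QueryValueEx(sub, "ImagePath")[0]
            except OSError:
                continue  # key without an ImagePath value
    return result

if __name__ == "__main__":  # offline demo on non-Windows hosts uses the constructed sample
    print(audit_image_paths(SAMPLE_SERVICES))
```

A flagged directory that is writable by non-administrators is the finding to fix; the ImagePath itself should be quoted by the vendor's installer, which is what the 3.8.3 release is meant to do.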

  • Hi @PavSupport -

    Are there any updates on when the new update will be released? We are out of compliance until this vulnerability gets resolved. I am aware of the hotfix, but we don't have the resources or time to manually install this on all 150+ affected devices. Thanks for any information you can provide.

    Best,

    Jack

  • I checked with our escalation team and unfortunately, the dates for release were not announced yet. 

  • Any update on this? It's been 9 months now and every month I have to report to our directors that this hasn't been fixed. Doesn't give a good impression and they are questioning Sophos's attitude to security and whether we should change to a different product. It doesn't really matter how difficult it is to exploit, the fact it even exists shows sloppy programming and the fact you won't fix it in a timely manner reflects badly on Sophos.

  • Actually, that should be fixed by now. See: https://docs.sophos.com/releasenotes/output/en-us/esg/sesc_interceptx_rn.html

    The November release pushed out Intercept X 2.0.23, which includes the fix for this issue. 


  • Thanks for pointing that out. None of our estates have received the update yet so we are still seeing the issue. I notice there is no mention of this issue in the release notes (that I could find) but hopefully that is just an oversight.

  • I sent a request to our Documentation team and the release notes https://docs.sophos.com/releasenotes/index.html?productGroupID=esg&productID=sesc_interceptx&versionID=allVersions were updated with the following: 

    WINEP-30725 HitmanPro.Alert Fixed unquoted path stored in registry (CVE-2021-25269).

    For endpoints the release will be completed by Nov 18. For servers by Dec 07.

  • More of a general question but is there any way to force a software update from Sophos Central or do we just have to wait until the rollout gets to us? I did try the 'Update' option on a client but it didn't seem to achieve that - does that just do pattern updates?

  • Sophos client checks for an update right after reboot (when the Autoupdate service re-starts) and every 60 minutes after that. Virus signature updates happen 3-4 times a day. Component updates happen weeks-months apart and are downloaded and installed by the endpoint client once they are available. Here is an article that talks more about updating https://support.sophos.com/support/s/article/KB-000042881?language=en_US

    You can force trigger an update from Central by pressing Update when looking at a specific endpoint or on the machine itself through the interface by pressing "update now".

    In your case you would also need to check if you are 

    1) using controlled updates (for servers and endpoints - in Global settings) - if yes, then you would need to make sure to press "update test group" and then match the rest of the machines with the test group once the update is available

    2) using Update schedule policy (you can find it among other policies) - eg. updating at a specific time of the day and specific day of the week (eg. even if an update is available it will not be downloaded/installed until the specific day of the week/time that you indicate in the policy). If the machine is off during that time - it works as a scheduled task and it will need to wait until the next occurrence of the event.

    Hope that helps!

  • An excellent explanation but it isn't working for me.

    I was fairly sure we aren't using controlled updates or an update schedule but I checked them anyway.

    I did an 'Update Now' and it shows 'Update succeeded' in 'Recent Events' but I am still on Intercept X 2.0.22 with Hitman Pro 3.8.1