This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unquoted Path Vulnerability - Continuation

This is a continuation of https://community.sophos.com/intercept-x-endpoint/f/discussions/126818/unquoted-path-vulnerability---please-fix-asap. That thread is locked because of age....but the problem remains!

4 months ago you said "Its fixed in Hitmanpro version 3.8.2 which doesn't have announced dates yet, but this version is already available as a Hotfix. Hotfix after some testing becomes a part of general release (likely in June sometime)." It's now August and this still hasn't been updated. When is it going to happen?



This thread was automatically locked due to age.
Parents
  • The release for Intercept X (Hitmanpro) component 3.8.2 was halted due to some issues identified during testing. Root cause of that issue was identified and it will be now released as Hitmanpro 3.8.3 (Intercept X 2.0.23) in early September. Release team didn't provide the exact dates for the start of the general release of 3.8.3

    In the meantime, you can install the hotfix for 3.8.3 from https://support.sophos.com/support/s/article/KB-000038477

  • Thanks for the update.

    I appreciate that there is a hotfix but this not an attractive option if you have a lot of endpoints that need patching. Also, as stated in the patch, "it is not fully release tested and should be considered as a pre-release version for testing only" so it doesn't really make it suitable for wide-scale deployment. The very fact that you ran into an issue with the previous hotfix just confirms this.

  • Your concern is completely understandable! Large scale deployment with hotfix is not something that is easy to do and it does not guarantee that it will be free of any possible issues. As I mentioned in the previous post this is considered a low-risk vulnerability, as it would only succeed when all 3 of the conditions below are in effect:

    1) admin access on a system in order to make c:\program.exe

    2) The antivirus and machine learning both completely failed to detect program.exe

    3) Whatever exploit they used to get admin rights was not blocked by Hitmanpro 

    If the attacker already managed to bypass AV and has full admin access, then there is no reason for them to use this vulnerability, as they can proceed with executing the payload. 

    The GA fix 3.8.3 will be released in early September. That's, unfortunately, the only 2 options you have

    1) Deploy hotfix if it's absolutely necessary 

    2)  OR

    A)   audit your endpoint and server policies to confirm that all recommended settings are enabled 

    recommended settings:

    https://support.sophos.com/support/s/article/KB-000038564?language=en_US 

     https://support.sophos.com/support/s/article/KB-000038565?language=en_US

    B) address machines in red health state that would indicate issues with stopped services or missing components. Usually full reinstall using SophosZap removal tool would take care of any issues unless it's something local on the machine itself like registry permission issues. 

    Here are the steps for SophosZap removal tool:

    -Disable Tamper Protection
    -Download SophosZap from the link below:
    - Open an Administrative command prompt and navigate to the file location of SophosZap.exe
    - Start the application with the following command:
    SophosZap --confirm
    - Once it finishes running, please reboot and run it again, then reboot again (2nd time) when done, before reinstalling
    More details with screenshots are in the article below:
    -----------------------------------------
    Article ID: 134486
    Title: SophosZap: Frequently asked questions (FAQ)
    -----------------------------------------
    Hope that helps and please let me know if you have any further questions!
    If you run into further issues with this, please call on your local Technical Support number listed on our website: secure2.sophos.com/.../support.aspx and we can start helping you right away!

     Steps A and B would help to mitigate risks overall. Hope that helps! 

  • Hi @PavSupport -

    Are there any updates on when the new update will be released? We are are out of compliance until this vulnerability gets resolved. I am aware of the hotfix, but we don't have the resources or time to manually install this on all 150+ affected devices. Thanks for any information you can provide.

    Best,

    Jack

  • I checked with our escalation team and unfortunately, the dates for release were not announced yet. 

  • any update on this? It's been 9 months now and every month I have to report to our directors that this hasn't been fixed. Doesn't give a good impression and they are questioning Sophos's attitude to security and whether we should change to a different product. It doesn't really matter how difficult it is to exploit, the fact it even exists shows sloppy programming and the fact you won't fix it in a timely manner reflects badly on Sophos.

  • Actually, that should be fixed by now. See: https://docs.sophos.com/releasenotes/output/en-us/esg/sesc_interceptx_rn.html

    The November release pushed out Intercept X 2.0.23, which includes the fix for this issue. 

    __________________________________________________________________________________________________________________

  • Thanks for pointing that out . None of our estates have received the update yet so we are still seeing the issue. I notice there is no mention of this issue in the release notes (that I could find) but hopefully that is just an oversight.

  • I sent a request to our Documentation team and the release notes https://docs.sophos.com/releasenotes/index.html?productGroupID=esg&productID=sesc_interceptx&versionID=allVersions were updated with the following: 

    WINEP-30725 HitmanPro.Alert Fixed unquoted path stored in registry (CVE-2021-25269).

    For endpoints the release will be completed by Nov 18. For servers by Dec 07.

  • More of a general question but is there any way to force a software update from Sophos Central or do we just have to wait until the rollout gets to us? I did try the 'Update' option on a client but it didn't seem to achieve that - does that just do pattern updates?

  • Sophos client checks for an update right after reboot (when the Autoupdate service re-starts) and every 60 minutes after that. Virus signature updates happen 3-4 times a day. Component updates happen weeks-months apart and are downloaded and installed by the endpoint client once they are available. Here is an article that talks more about updating https://support.sophos.com/support/s/article/KB-000042881?language=en_US

    You can force trigger an update from Central by pressing Update when looking at a specific endpoint or on the machine itself through the interface by pressing "update now".

    In your case you would also need to check if you are 

    1) using controlled updates (for servers and endpoints - in Global settings) - if yes, then you would need to make sure to press "update test group and then match the rest of the machines with the test group once the update is available)

    2) using Update schedule policy (you can find it among other policies) - eg. updating at a specific time of the day and specific day of the week. (eg. even if an update is available it will not be downloaded\installed until a specific day of the week\time that you may indicate in the policy). If the machine is off during that time - it works as a scheduled task and it will need to wait until the next occurrence of the event. 

    Hope that helps!

  • An excellent explanation but it isn't working for me.

    I was fairly sure we aren't using controlled updates or an update schedule but I checked them anyway.

    I did an 'Update Now' and it shows 'Update succeeded' in 'Recent Events' but I am still on Intercept X 2.0.22 with Hitman Pro 3.8.1

Reply
  • An excellent explanation but it isn't working for me.

    I was fairly sure we aren't using controlled updates or an update schedule but I checked them anyway.

    I did an 'Update Now' and it shows 'Update succeeded' in 'Recent Events' but I am still on Intercept X 2.0.22 with Hitman Pro 3.8.1

Children
  • This is likely because you are not in the group of customers that are getting this release today. The release for endpoints will go from Nov 8 to 18 depending on groups of customers and other internal release logic. For servers everything will be completed by Dec 07. This means that your environment will get those updates available in that date range. 

    The article that I mentioned above https://support.sophos.com/support/s/article/KB-000042881 talks about it:

    "For Sophos Central, we release Endpoint and Server product updates at any time during the year. In addition, due to the dynamic nature of the product, these releases can change at any point and can differ between customers." 

    If it's critical for you to get that update asap, please raise a case with support, who can escalate it to GES team and move your account to get the update right away. Otherwise, if you do nothing, then you will be able to see your endpoints having that update by Nov 18. 

  • I did read the article but the wording is a bit ambiguous, it would be simpler if it just said that updates are rolled out over a period of x weeks (or something similar).

    This is much what I expected and is typical for these sorts of updates. It clearly doesn't make sense to build the infrastructure to update everybody on day 1 and then have it sitting idle. TBH I'm quite happy to not be among the first to get updated unless there is a 0 day vulnerability that needs addressing.

    In this case, I wanted to try it out, but it certainly isn't critical enough to raise a support case...I've waited this long already ;)

    This goes back to my original question, is it possible to force an update, and the short answer is no! That said, your replies have been very informative and I have gained some useful knowledge. Thanks for taking the time to explain everything.

  • how accurate are those dates you quoted (Nov 8 to 18)? We have five sites with Intercept X Advanced and none of the clients at those sites have updated to 2.0.23. We haven't made any changes to Controlled Updates.

  • Hi,

    We are also not seeing the update come through yet. Any updates on when it will be released to endpoints? This is a major issue for us, because we are leaving a high level vulnerability on our laptops by having this unquoted path in existence. It's just ironic that it would be the antivirus program, and a bit frustrating. 

    Thanks,
    Jack

  • Hello Jack and JasP,

    When checking on the status of this release, it looks like a bug was found where Intercept X isn’t able to run alongside Forcepoint Websense DLP. Our development team is still looking into this issue, so the release was put on hold after the initial groups it was pushed out to. 

    If you urgently require the updated Intercept X version, it can still be obtained via the following KBA link.
    - Sophos Exploit Prevention cumulative hotfix

    The KBA linked above has also been updated with information surrounding this CVE. Currently, it states that this is expected to be fully released as of January 2022.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • It's taken me this long to reply because your response left me speechless!

    That will be 10 months since you introduced this issue. Whatever arguments about how serious this is, we still have to report it every month to senior management and it makes Sophos look incompetent, especially when it is an issue they created themselves through a schoolboy error in their installation routine. Having reported that a fix had been released, we now have to go back and say "sorry, going to be another two months (at least) but with their current record it could be even longer".

    What I'm really struggling to understand is why Sophos didn't just release an incremental update straight away that just fixed the registry issue. Instead, they have insisted on fixing a load of other software issues at the same time before they will release an update and fix the security problem. Why? This has unnecessarily dragged on and on and on.

  • Our deepest apologies for the delays in getting this fix to General Availability.

    We are looking into building out functionality directly from Sophos Central, that will allow you to deploy a hotfix package across your environment which will bridge this gap should you run into a similar situation in the future.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Sounds like a good idea.