
Unquoted Path Vulnerability - Continuation

This is a continuation of https://community.sophos.com/intercept-x-endpoint/f/discussions/126818/unquoted-path-vulnerability---please-fix-asap. That thread is locked because of age... but the problem remains!

4 months ago you said "It's fixed in Hitmanpro version 3.8.2 which doesn't have announced dates yet, but this version is already available as a Hotfix. Hotfix after some testing becomes a part of general release (likely in June sometime)." It's now August and this still hasn't been updated. When is it going to happen?



  • The release for Intercept X (Hitmanpro) component 3.8.2 was halted due to some issues identified during testing. The root cause of that issue was identified and it will now be released as Hitmanpro 3.8.3 (Intercept X 2.0.23) in early September. The release team didn't provide the exact dates for the start of the general release of 3.8.3.

    In the meantime, you can install the hotfix for 3.8.3 from https://support.sophos.com/support/s/article/KB-000038477

  • Thanks for the update.

    I appreciate that there is a hotfix but this is not an attractive option if you have a lot of endpoints that need patching. Also, as stated in the patch, "it is not fully release tested and should be considered as a pre-release version for testing only" so it doesn't really make it suitable for wide-scale deployment. The very fact that you ran into an issue with the previous hotfix just confirms this.

  • Any update on this? It's been 9 months now and every month I have to report to our directors that this hasn't been fixed. It doesn't give a good impression and they are questioning Sophos's attitude to security and whether we should change to a different product. It doesn't really matter how difficult it is to exploit; the fact it even exists shows sloppy programming and the fact you won't fix it in a timely manner reflects badly on Sophos.

  • Actually, that should be fixed by now. See: https://docs.sophos.com/releasenotes/output/en-us/esg/sesc_interceptx_rn.html

    The November release pushed out Intercept X 2.0.23, which includes the fix for this issue. 


  • Thanks for pointing that out. None of our estates have received the update yet so we are still seeing the issue. I notice there is no mention of this issue in the release notes (that I could find) but hopefully that is just an oversight.

  • I sent a request to our Documentation team and the release notes https://docs.sophos.com/releasenotes/index.html?productGroupID=esg&productID=sesc_interceptx&versionID=allVersions were updated with the following: 

    WINEP-30725 HitmanPro.Alert Fixed unquoted path stored in registry (CVE-2021-25269).

    For endpoints the release will be completed by Nov 18. For servers by Dec 07.
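The fix above is described only as "unquoted path stored in registry", so the affected key is not named in the thread. As an added example (not from the thread or from Sophos), the following PowerShell audit scans the most common place such a defect lives, service ImagePath values under HKLM:\SYSTEM\CurrentControlSet\Services, and lists entries whose unquoted executable path contains a space, which is one way to check whether an endpoint still carries this class of issue after the update lands. It assumes a Windows host with read access to that key; the function name and output shape are my own.

```powershell
# Added example (not Sophos code): flag services whose ImagePath is an
# unquoted executable path containing whitespace.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param(
        # Assumed default; pass another key to audit a different hive export.
        [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )

    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $imagePath = $props.ImagePath
        if ([string]::IsNullOrWhiteSpace($imagePath)) { return }

        # Expand %SystemRoot% and friends so the check sees the real path.
        $expanded = [Environment]::ExpandEnvironmentVariables($imagePath)

        # A leading double quote means the executable is already delimited.
        if ($expanded.TrimStart().StartsWith('"')) { return }

        # Isolate the executable portion: up to and including ".exe" when
        # present (arguments may follow), otherwise the whole value.
        $exeMatch = [regex]::Match($expanded, '^(.*?\.exe)', 'IgnoreCase')
        $exePart  = if ($exeMatch.Success) { $exeMatch.Groups[1].Value } else { $expanded }

        # Whitespace inside an unquoted executable path is the condition to report.
        if ($exePart -match '\s') {
            [pscustomobject]@{
                Service   = $_.PSChildName
                ImagePath = $imagePath
            }
        }
    }
}

# Usage: list offending services, if any, on this host.
Get-UnquotedServicePath | Format-Table -AutoSize
```

An empty result for the HitmanPro.Alert service after the 2.0.23 component has installed is the expected outcome; a non-empty result for other services is a finding to raise with those vendors.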

  • More of a general question but is there any way to force a software update from Sophos Central or do we just have to wait until the rollout gets to us? I did try the 'Update' option on a client but it didn't seem to achieve that - does that just do pattern updates?

  • The Sophos client checks for an update right after reboot (when the Autoupdate service restarts) and every 60 minutes after that. Virus signature updates happen 3-4 times a day. Component updates happen weeks to months apart and are downloaded and installed by the endpoint client once they are available. Here is an article that talks more about updating: https://support.sophos.com/support/s/article/KB-000042881?language=en_US

    You can force trigger an update from Central by pressing Update when looking at a specific endpoint or on the machine itself through the interface by pressing "update now".

    In your case you would also need to check if you are:

    1) using controlled updates (for servers and endpoints, in Global settings). If yes, then you would need to make sure to press "Update test group" and then match the rest of the machines with the test group once the update is available.

    2) using an Update schedule policy (you can find it among other policies), e.g. updating at a specific time of the day and specific day of the week. Even if an update is available it will not be downloaded/installed until the specific day of the week/time that you indicate in the policy. If the machine is off during that time, it works as a scheduled task and will need to wait until the next occurrence of the event.

    Hope that helps!

  • An excellent explanation but it isn't working for me.

    I was fairly sure we aren't using controlled updates or an update schedule but I checked them anyway.

    I did an 'Update Now' and it shows 'Update succeeded' in 'Recent Events' but I am still on Intercept X 2.0.22 with Hitman Pro 3.8.1.

  • This is likely because you are not in the group of customers that are getting this release today. The release for endpoints will go from Nov 8 to 18 depending on groups of customers and other internal release logic. For servers everything will be completed by Dec 07. This means that your environment will get those updates available in that date range. 

    The article that I mentioned above https://support.sophos.com/support/s/article/KB-000042881 talks about it:

    "For Sophos Central, we release Endpoint and Server product updates at any time during the year. In addition, due to the dynamic nature of the product, these releases can change at any point and can differ between customers." 

    If it's critical for you to get that update asap, please raise a case with support, who can escalate it to GES team and move your account to get the update right away. Otherwise, if you do nothing, then you will be able to see your endpoints having that update by Nov 18. 

  • I did read the article but the wording is a bit ambiguous; it would be simpler if it just said that updates are rolled out over a period of x weeks (or something similar).

    This is much what I expected and is typical for these sorts of updates. It clearly doesn't make sense to build the infrastructure to update everybody on day 1 and then have it sitting idle. TBH I'm quite happy to not be among the first to get updated unless there is a 0 day vulnerability that needs addressing.

    In this case, I wanted to try it out, but it certainly isn't critical enough to raise a support case...I've waited this long already ;)

    This goes back to my original question, is it possible to force an update, and the short answer is no! That said, your replies have been very informative and I have gained some useful knowledge. Thanks for taking the time to explain everything.

  • How accurate are those dates you quoted (Nov 8 to 18)? We have five sites with Intercept X Advanced and none of the clients at those sites have updated to 2.0.23. We haven't made any changes to Controlled Updates.
