Carnegie Mellon University
July 05, 2016

Significant: Symantec Products SYM16-008, SYM16-010 and Symantec Endpoint Protection Phaseout

Critical security flaws have been discovered in the core components shared by nearly all of Symantec's enterprise and consumer anti-virus products. These security flaws can be exploited without user interaction when files are automatically scanned (e.g. on email receipt, web visit, file upload, etc.). Though no attacks have been reported, wormable malware exploits are highly likely.

Although Symantec has released security updates to fix these vulnerabilities, Computing Services has decided to accelerate our Symantec Endpoint Protection (SEP) phaseout plans. We will be recommending that users uninstall SEP and replace it with alternate anti-virus software. 

PLATFORMS AFFECTED:
Symantec Endpoint Protection (SEP for Windows) 12.1.6 MP4 and prior
Symantec Endpoint Protection for Mac (SEP for Mac) 12.1.6 MP4 and prior
Norton AntiVirus prior to NGC 22.7
Norton Security prior to NGC 22.7
Norton Security with Backup prior to NGC 22.7
Norton Internet Security prior to NGC 22.7
Norton 360 prior to NGC 22.7
* Additional Symantec enterprise products, see Symantec SYM16-008 & SYM16-010

SEVERITY:
Significant

IMPACT:
Remote Code Execution

CVE ASSIGNMENT:
CVE-2016-2207 (SYM16-010)
CVE-2016-2208 (SYM16-008)
CVE-2016-2209 (SYM16-010)
CVE-2016-2210 (SYM16-010)
CVE-2016-2211 (SYM16-010)
CVE-2016-3644 (SYM16-010)
CVE-2016-3645 (SYM16-010)
CVE-2016-3646 (SYM16-010)


DETAILS:

Google's Project Zero security research team found 8 critical vulnerabilities in the Symantec Antivirus Engine and Symantec Decomposer Engine, which are the core components used by nearly all of their enterprise and consumer anti-virus products.

According to the Google blog post, "these vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."

Because the anti-virus engine will scan files automatically (e.g. on email receipt, web visit or file upload, etc.), exploits for these flaws are likely to result in wormable malware. Symantec has said there have been no reported attacks exploiting these flaws yet.

The Google researchers found that Symantec derived some of their decompression and unpacking code from open source libraries (e.g. libmspack and unrarsrc), but had not updated their derived libraries in 7 years. The open source libraries had been updated multiple times to fix many security flaws, some with published exploit code readily available. Symantec's engine code remains exploitable until the latest security patches are installed.

The Antivirus Engine flaw (SYM16-008) was publicly disclosed in late May and was patched in all affected Symantec products via Symantec LiveUpdate. However, the 7 critical Decomposer Engine flaws (SYM16-010) are not as easy to patch. Most of the Symantec enterprise products including SEP for Windows cannot be updated by LiveUpdate. Patching SEP for Windows requires running the full installer for 12.1.6 MP5. The SEP for Mac patch will be installed via LiveUpdate. The Symantec consumer products in the Norton family will be patched via LiveUpdate.


REMEDIATION:

Computing Services had previously announced that as of July 1, 2016 students should discontinue using the CMU provided Symantec Endpoint Protection (SEP, see Computing Services News: "Updated Virus Protection Recommendation for Students" on 6/22. Link no longer active.)

Systems managed by Executive IT, Desktop Support Program (DSP), Software Engineering Institute, Electrical & Computer Engineering and the Foundation Service (administered by departmental IT in partnership with Computing Services) have previously been migrated to non-Symantec anti-virus.  In some cases they have been running Microsoft System Center Endpoint Protection (MS SCEP) managed by Microsoft System Center Configuration Manager (MS SCCM) for nearly two years.

Instead of patching SEP for Windows, we are now accelerating our plans to phase out the CMU provided SEP for remaining faculty and staff following this timeline:

Tuesday, 2016-07-05:
a) The installer for the standalone Microsoft System Center Endpoint Protection (MS SCEP) for Mac will be published to the Computing Services Software web site for faculty & staff to download for use on University owned equipment.

b) Updates to the Secure Your Computer guides will be published to recommend that:

- Users of DSP or departmentally managed systems
 Consult your departmental IT for recommended endpoint protection software

- Self managed users using University owned equipment
 1) Uninstall SEP
   Windows: Uninstall using Programs and Features control panel.
   Mac: Download and run uninstaller from Computing Services Software site.
 2) Install or enable an alternative
   Windows 8+: Enable the built-in Windows Defender
   Windows 7: Install Microsoft Security Essentials (free) downloaded from Microsoft directly
   Mac: Install the CMU provided MS SCEP downloaded from the Computing Services Software site

- Self managed users with personally owned equipment
 1) Uninstall SEP
   Windows: Uninstall using Programs and Features control panel.
   Mac: Download and run uninstaller from Computing Services Software site.
 2) Install or enable an alternative
   Windows 8+: Enable the built-in Windows Defender
   Windows 7: Install Microsoft Security Essentials (free) downloaded from Microsoft directly
   Mac: Install Sophos Home (free) downloaded from Sophos directly

c) The SEP installers will be unpublished from the Computing Services Software web site. Departmental admins needing access to the latest SEP installers (should your department prefer to patch SEP for the time being) should send email to it-help@cmu.edu to request access to the files in CMU Box.

d) The Symantec Cleanwipe tool for forcefully uninstalling broken SEP for Windows installations will be made available upon request via CMU Box. Departmental admins and end users needing access to the tool should send email to it-help@cmu.edu.
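As an added example (not part of this advisory or Symantec's tooling), the following read-only PowerShell script audits a self-managed Windows system against steps 1 and 2 above: it looks for a remaining SEP installation in the standard Windows Uninstall registry keys and then checks whether the OS-appropriate alternative (Windows Defender on Windows 8+, Microsoft Security Essentials on Windows 7) is in place. The product display-name patterns are assumptions; run it in an elevated PowerShell session.

```powershell
# Added example, not CMU's or Symantec's code. Reports only; changes nothing.

# Standard Windows Uninstall keys (64-bit and 32-bit views), not Symantec-specific keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue

# Step 1: is Symantec Endpoint Protection still installed? (display-name pattern is an assumption)
$sep = $installed | Where-Object { $_.DisplayName -like 'Symantec Endpoint Protection*' }
if ($sep) {
    foreach ($p in $sep) {
        Write-Output "ACTION: found '$($p.DisplayName)' $($p.DisplayVersion) - uninstall via Programs and Features (step 1)"
    }
} else {
    Write-Output "OK: Symantec Endpoint Protection is not installed"
}

# Step 2: which alternative applies depends on the OS version.
# Windows 7 is NT 6.1; Windows 8 and later report NT 6.2 or higher.
$os = [System.Environment]::OSVersion.Version
if ($os -ge [Version]'6.2') {
    # Windows 8+: the built-in Windows Defender should be the active engine.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        if ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) {
            Write-Output "OK: Windows Defender real-time protection is enabled"
        } else {
            Write-Output "ACTION: enable the built-in Windows Defender (step 2, Windows 8+)"
        }
    } catch {
        # Defender cmdlets unavailable usually means Defender is disabled or another AV is registered.
        Write-Output "ACTION: Windows Defender status unavailable; enable Defender (step 2, Windows 8+)"
    }
} else {
    # Windows 7: Microsoft Security Essentials appears in the same Uninstall keys (pattern assumed).
    $mse = $installed | Where-Object { $_.DisplayName -like 'Microsoft Security Essentials*' }
    if ($mse) {
        Write-Output "OK: Microsoft Security Essentials is installed"
    } else {
        Write-Output "ACTION: install Microsoft Security Essentials from Microsoft (step 2, Windows 7)"
    }
}
```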


TBD:
A final deadline for completely phasing out the SEP license will be announced in the coming weeks as we consult with departments on their progress with switching users to the recommended alternatives. Our preference is to schedule this date to be as early as possible.


VENDOR ADVISORY:
SYM16-008
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20160516_00

SYM16-010
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00

MORE INFORMATION:
Google Project Zero: How to Compromise the Enterprise Endpoint
https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html?m=1

US CERT TA16-187A: Symantec and Norton Security Products Contain Critical Vulnerabilities
https://www.us-cert.gov/ncas/alerts/TA16-187A

Microsoft Security Essentials for Windows 7
https://support.microsoft.com/en-us/help/14210/security-essentials-download

Sophos Home
https://www.sophos.com/home

Uninstaller for SEP for Mac
http://www.cmu.edu/computing/software/all/symantec/index.html

Computing Services SCEP download page
http://www.cmu.edu/computing/software/all/scep/index.html