Summary
Faronics is aware that mitigations for CVE-2013-3900 can cause problems with our Deep Freeze Cloud and Faronics Deploy agents, and we recommend not deploying those mitigations until you have updated all agents to the latest releases.
Overview
We have been made aware of recent guidance online indicating that customers should be enabling security measures to protect against an older security vulnerability in versions of Windows related to Authenticode signature validation (CVE-2013-3900).
https://nvd.nist.gov/vuln/detail/CVE-2013-3900
The changes that are implemented as part of the recommendations have an impact on the ability of the Faronics Cloud Agent and Faronics Deploy Agents to communicate with our cloud services and properly manage devices. In cases where the mitigations are implemented, this can present as a loss of control of the remote device from our platform.
Faronics Deploy
The latest release of the Faronics Deploy Agent incorporates fixes for this issue. Customers should ensure that they have updated their Deploy Agents to version 1.30.x.273 or later prior to implementing the mitigations for this issue.
This version is currently available to all customers. The status of your Deploy Agents can be viewed on the Deploy Diagnostics page of the Deploy Console by clicking on Analytics → Deploy Diagnostics.
Deep Freeze Cloud
Customers running Deep Freeze Cloud will need to ensure that they have access to the 2.22 release of the Deep Freeze Cloud Agent prior to implementing the mitigations to address the issues in Authenticode signature validation.
This release is currently in limited release. If you require access, please open a ticket with the Faronics Support team asking for access to the 2.22 release to be provisioned for your account.
You can verify versions of the Cloud Agent installed on your devices by browsing the computers page, clicking on the column chooser, and dragging the Agent Version into the data grid as shown below.
You can check whether these mitigations have been implemented by looking in the system registry at the following registry keys. Systems configured as shown below have the mitigations active.
32-bit versions of Windows
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
64-bit versions of Windows
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
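A read-only way to perform the registry check described above on a single device. This PowerShell script is an added example, not Faronics or Microsoft code; it assumes it is run from a 64-bit PowerShell session on 64-bit Windows so that the native and Wow6432Node keys are read separately.

```powershell
# Added example: report whether EnableCertPaddingCheck is set in each
# registry location listed above. Read-only; it changes nothing.
$valueName = 'EnableCertPaddingCheck'
$paths = @('HKLM:\Software\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    # 64-bit Windows also carries the Wow6432Node copy used by 32-bit processes.
    $paths += 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

$results = foreach ($path in $paths) {
    $state = 'NotSet'
    $data  = $null
    if (Test-Path -LiteralPath $path) {
        $item = Get-ItemProperty -LiteralPath $path -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $data  = $item.$valueName
            # Compare as text so the check does not depend on the value's registry type.
            $state = if ("$data" -eq '1') { 'Active' } else { 'OtherValue' }
        }
    }
    [pscustomobject]@{ Path = $path; Value = $data; State = $state }
}

$results | Format-Table -AutoSize

# Treat the mitigation as active only when every expected location is set to 1.
$allActive = @($results | Where-Object { $_.State -ne 'Active' }).Count -eq 0
if ($allActive) {
    Write-Output 'Mitigation active: confirm this device runs an updated agent version.'
} else {
    Write-Output 'Mitigation not fully active on this system.'
}
```

A device that reports the mitigation as active while still running an older agent is one that may lose contact with the management platform.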
Details on this issue can be found on Microsoft’s site linked below:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
If you are currently encountering issues, please feel free to contact the Faronics Support team and we will be happy to assist further.
Adam Zilliax