VIPRE Security has released a security advisory related to a newly-discovered weakness in VIPRE Endpoint Security Server, VIPRE Business Premium, and VIPRE Antivirus Business. The weakness could, for some specific site configurations, allow an attacker internal to your network to leverage the auto-install service within these products to access other sensitive systems and data in your environment.
As a workaround, disable the auto-install and auto-discovery services within your on-premise VIPRE environment with the following steps:
1. Log in to your VIPRE Site Server.
2. Go to the Site Properties section.
3. Navigate to Unprotected Computer Discovery section in the left-hand nav.
4. Ensure that the Authenticate with unprotected computers using saved credentials option is UNCHECKED; this will allow VIPRE to scan the network for new devices, but will prevent VIPRE from attempting to scan those devices for the presence of a VIPRE agent.
5. Navigate to the Agent Installation section in the left-hand nav.
6. Ensure the Enable automatic agent installation option is UNCHECKED; this will prevent VIPRE from attempting to install the VIPRE agent automatically on newly-detected endpoints.
Note that after taking this action, new devices added to your network will not get VIPRE agents automatically installed on them – you will have to deploy new agents via other means. We will be releasing updates to VIPRE in the future that will restore this capability in a safe manner.
This issue was responsibly disclosed to us by an independent researcher; full details will be published after the appropriate embargo period. Check back here later for more information.
The post VIPRE Releases Security Advisory on Auto-install Weakness appeared first on VIPRE.