GuardianEdge, or Symantec Endpoint Encryption Full Disk as it is now called, is a full disk encryption management platform. It provides protection against things such as cold-boot attacks and blanking local Windows passwords. The product itself works on both Windows and Mac OS computers. It’s used by hundreds of organizations and government agencies. Overall, it’s a good product that does what it’s supposed to do and is a market leader, which is probably why Symantec “acquired” them.
Where I work, we use this product for full disk encryption and I manage it on a day-to-day basis. That said, I found what I’d consider a back door for decrypting drives that this product has encrypted, without having to provide the GuardianEdge management credentials. I should note that I did submit this to CERT, and they in turn submitted it to the vendor. Neither is accepting this as a vulnerability because it requires local Administrator privileges on the computer, but as we all know it can be quite easy to escalate your privileges to the SYSTEM account in Windows XP/Vista and Windows 7. That said, I still disagree with CERT’s and Symantec’s decision and I’m going to go ahead and post my findings.
You can find this response below:
So without further ado, here are my findings.
I’ve discovered a vulnerability in GuardianEdge Full Disk Encryption/Symantec Endpoint Encryption.
I’ve tested it in all versions up to 9.5.1 of GuardianEdge and up to version 8.0.0 of Symantec Endpoint Encryption.
I’ve tested on Windows XP SP3 and Windows 7 SP1. I believe it exists on all versions of Windows that the product operates on.
If a user has local Administrator access to a PC that has GuardianEdge FDE/Symantec SEE installed, and the drive is encrypted, they are able to decrypt all partitions without providing the product’s Administrator credentials, by changing the value of a single registry key. If a user doesn’t have local Administrator access on the computer where it is installed, the Windows Registry Editor can also be launched via an interactive scheduled task running as the SYSTEM account.
The registry key location is Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Encryption Anywhere\Hard Disk\Initial Computer Data\DoDecryption (type is REG_DWORD). The default hexadecimal/decimal value is 0x00000000 (0). By changing this default value to 0x00000001 (1) and restarting the computer, the disk will begin to decrypt all encrypted partitions after a short period of time.
As mentioned before, if the user doesn’t have local Administrator access (only applicable on Windows XP, as Windows 7 disables the /interactive functionality), a user can open the command window to launch regedt32.exe interactively as the SYSTEM account, make the change to the above registry key and restart the computer. Again, after a short period of time, the hard drive will begin to decrypt itself.
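As an added defender-side example (not code from this post or from the product itself): a PowerShell check that reads the registry value described above, reports whether it has been changed from its default, and optionally puts it back. The key path and value name are taken from the post; the function names and the -Remediate switch are my own.

```powershell
# Added example, not code from the original post or from Symantec/GuardianEdge.
# Key path and value name are the ones the post describes; the function names and
# the -Remediate behaviour are my own.
$KeyPath   = 'HKLM:\SOFTWARE\Encryption Anywhere\Hard Disk\Initial Computer Data'
$ValueName = 'DoDecryption'

function Get-DoDecryptionValue {
    # Returns the DWORD as an [int], or $null when the key/value is absent
    # (for example because the product is not installed on this host).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-DoDecryptionFlag {
    <#
      Emits one object describing whether the decrypt-on-reboot flag is set on this host.
      With -Remediate the value is forced back to its default of 0. The post does not say
      whether a decryption that has already started after a reboot can be stopped this
      way, so a non-zero value should be handled as an incident, not as config drift.
    #>
    param([switch]$Remediate)

    $value  = Get-DoDecryptionValue
    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Present      = ($null -ne $value)
        DoDecryption = $value
        Tampered     = ($null -ne $value -and $value -ne 0)
        Remediated   = $false
        CheckedAt    = (Get-Date).ToString('o')
    }

    if ($result.Tampered) {
        Write-Warning "$($env:COMPUTERNAME): $ValueName is $value (expected 0); decryption will start after the next reboot."
        if ($Remediate) {
            Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
            $result.Remediated = ((Get-DoDecryptionValue) -eq 0)
        }
    }
    return $result
}

# Run locally (reading HKLM needs no special rights; -Remediate needs write access to the key):
Test-DoDecryptionFlag -Remediate | Format-List
```

For real-time alerting rather than periodic polling, a Sysmon RegistryEvent (Event ID 13, value set) rule whose TargetObject matches this key path will record every write to DoDecryption together with the writing process and user.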
I notified numerous support technicians slightly over a year ago, but they didn’t seem concerned. While this may be a support feature for them, it provides a backdoor for even a non-technically-savvy user or a malicious individual to bypass disk encryption.
Images are below:
So yes, while it does require local Administrator access on a PC, this is still a backdoor in my eyes, put in by GuardianEdge and accepted by Symantec as a “feature”. Enjoy!