SYM05-027
December 21, 2005
Symantec AntiVirus Decomposition Buffer Overflow

Revision History
12/22/05 - Updated product matrix, Additional mitigations
12/28/05 - Additional product updates, Refined mitigation
12/30/05 - Additional product updates
01/03/06 - Additional product updates
01/05/06 - Additional product updates
01/12/06 - Additional product updates
01/18/06 - Additional product updates
01/24/06 - Additional product updates
01/27/06 - Additional product updates

Risk Impact
High

Remote Access: Yes
Local Access: No
Authentication Required: No
Exploit publicly available: No

Overview

Symantec is aware of a buffer overflow in the decomposer component of its AntiVirus products, the code that unpacks RAR (Roshal Archive) files so their contents can be scanned. A specially crafted RAR file can trigger the overflow and potentially execute hostile content carried in the archive on the targeted system. Because the decomposer runs on a file as soon as a product scans it, the crafted archive only needs to be scanned by a vulnerable product (for example as a mail attachment passing through a mail or gateway product, or a file examined by Auto-Protect); it does not have to be opened by a user.
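The following is an added illustration of the bug class the advisory describes, written for this page; it is not Symantec's decomposer code, whose internals the advisory does not disclose. The field offsets are those of the documented RAR 2.9/3.x file header (7-byte "Rar!" marker, then HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE, ... NAME_SIZE at offset 26, FILE_NAME at offset 32). Using the file-name length as the attacker-controlled copy length is an assumption made for the example only, not a claim about where Symantec's overflow was. The unsafe parser copies as many bytes as the archive says; the hardened one checks every length against the bytes actually present and against the destination buffer before copying, and the sample archives are constructed in memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of a RAR 2.9/3.x file header (little-endian), counted from HEAD_CRC:
 *  0 HEAD_CRC(2)  2 HEAD_TYPE(1)  3 HEAD_FLAGS(2)  5 HEAD_SIZE(2)
 *  7 PACK_SIZE(4) 11 UNP_SIZE(4) 15 HOST_OS(1) 16 FILE_CRC(4) 20 FTIME(4)
 * 24 UNP_VER(1)  25 METHOD(1)   26 NAME_SIZE(2) 28 ATTR(4)
 * 32 [HIGH_PACK_SIZE(4) HIGH_UNP_SIZE(4) only if LHD_LARGE]  FILE_NAME[NAME_SIZE] */
enum { OFF_TYPE = 2, OFF_FLAGS = 3, OFF_HEAD_SIZE = 5, OFF_NAME_SIZE = 26, OFF_NAME = 32 };
#define RAR_FILE_HEAD 0x74
#define LHD_LARGE     0x0100
#define NAME_BUF      64      /* fixed-size destination, deliberately small for the demo */

static const uint8_t RAR_MARKER[7] = { 'R', 'a', 'r', '!', 0x1a, 0x07, 0x00 };

typedef enum { RAR_OK = 0, RAR_BAD_MARKER, RAR_NOT_FILE_HEAD, RAR_TRUNCATED, RAR_NAME_TOO_LONG } rar_status;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* UNSAFE, illustration of the bug class only (hypothetical, not Symantec's code): the copy
 * length comes straight from the archive, so NAME_SIZE >= NAME_BUF writes past `name`.
 * Never call this on untrusted input. */
size_t parse_name_unsafe(const uint8_t *hdr, char name[NAME_BUF]) {
    uint16_t name_size = rd16(hdr + OFF_NAME_SIZE);
    memcpy(name, hdr + OFF_NAME, name_size);        /* no bounds check */
    name[name_size] = '\0';
    return name_size;
}

/* Hardened: every attacker-controlled length is checked against what is actually
 * present in the buffer and against the destination before any copy. */
rar_status parse_name_safe(const uint8_t *buf, size_t len, char name[NAME_BUF], size_t *name_len) {
    if (len < sizeof RAR_MARKER + 7) return RAR_TRUNCATED;            /* marker + base header */
    if (memcmp(buf, RAR_MARKER, sizeof RAR_MARKER) != 0) return RAR_BAD_MARKER;
    const uint8_t *hdr = buf + sizeof RAR_MARKER;
    size_t avail = len - sizeof RAR_MARKER;
    if (hdr[OFF_TYPE] != RAR_FILE_HEAD) return RAR_NOT_FILE_HEAD;
    size_t head_size = rd16(hdr + OFF_HEAD_SIZE);
    size_t name_off  = (rd16(hdr + OFF_FLAGS) & LHD_LARGE) ? OFF_NAME + 8 : OFF_NAME;
    if (head_size < name_off || head_size > avail) return RAR_TRUNCATED; /* header lies about itself */
    size_t name_size = rd16(hdr + OFF_NAME_SIZE);
    if (name_size > head_size - name_off) return RAR_TRUNCATED;        /* name runs past the header */
    if (name_size >= NAME_BUF) return RAR_NAME_TOO_LONG;               /* would not fit plus NUL */
    memcpy(name, hdr + name_off, name_size);
    name[name_size] = '\0';
    *name_len = name_size;
    return RAR_OK;
}

/* Constructed test input (not a real archive): marker + one file header whose NAME_SIZE
 * field claims `declared` bytes while `actual` name bytes are really present. */
static size_t build_sample(uint8_t *out, size_t cap, uint16_t declared, size_t actual) {
    size_t head_size = OFF_NAME + actual;
    size_t total = sizeof RAR_MARKER + head_size;
    if (total > cap || head_size > 0xFFFF) return 0;
    memset(out, 0, total);
    memcpy(out, RAR_MARKER, sizeof RAR_MARKER);
    uint8_t *h = out + sizeof RAR_MARKER;
    h[OFF_TYPE] = RAR_FILE_HEAD;
    h[OFF_HEAD_SIZE]     = (uint8_t)(head_size & 0xFF);
    h[OFF_HEAD_SIZE + 1] = (uint8_t)(head_size >> 8);
    h[OFF_NAME_SIZE]     = (uint8_t)(declared & 0xFF);
    h[OFF_NAME_SIZE + 1] = (uint8_t)(declared >> 8);
    memset(h + OFF_NAME, 'A', actual);
    return total;
}

/* Run the hardened parser over one constructed archive and report the verdict. */
rar_status check_sample(uint16_t declared, size_t actual) {
    uint8_t buf[512];
    char name[NAME_BUF];
    size_t n = 0;
    size_t len = build_sample(buf, sizeof buf, declared, actual);
    if (len == 0) return RAR_TRUNCATED;
    return parse_name_safe(buf, len, name, &n);
}

/* Same verdict for an arbitrary byte string, e.g. a non-RAR file handed to the scanner. */
rar_status check_bytes(const uint8_t *buf, size_t len) {
    char name[NAME_BUF];
    size_t n = 0;
    return parse_name_safe(buf, len, name, &n);
}

int main(void) {
    uint8_t buf[512];
    char name[NAME_BUF];
    size_t n = 0, len = build_sample(buf, sizeof buf, 8, 8);
    parse_name_unsafe(buf + sizeof RAR_MARKER, name);      /* safe only because this input is benign */
    printf("unsafe parser on benign input: %s\n", name);
    printf("safe parser, benign:           %d\n", parse_name_safe(buf, len, name, &n));
    printf("safe parser, NAME_SIZE=200:    %d\n", check_sample(200, 200));
    printf("safe parser, NAME_SIZE=65535 with 8 bytes present: %d\n", check_sample(0xFFFF, 8));
    return 0;
}
```

The two checks in the hardened parser are the ones that matter for this bug class: the declared header size must be covered by the bytes actually read, and the declared name length must fit both inside that header and inside the destination. Rejecting the archive (rather than clamping the length) is the right choice for a scanner, since an archive whose headers contradict each other is itself a signal worth detecting.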

Vulnerable Products

  1. As Symantec continues to investigate this issue, the list of affected products may be updated.

  2. Product updates will be available from the Symantec support site: http://www.symantec.com/techsupp/ or via LiveUpdate when available.

  3. Only currently supported Symantec Products will be updated. Customers using unsupported versions are encouraged to upgrade to a supported version.

  4. Some product updates are available via Symantec LiveUpdate. Users will need to perform a manual LiveUpdate to receive and install these product updates.

    To perform a manual update using Symantec LiveUpdate, users should:

    • Open any installed Symantec product

    • Click on LiveUpdate in the toolbar

    • Run LiveUpdate until all available Symantec product updates are downloaded and installed

  5. Product updates will initially be available for the English language versions. Localized versions of the update will be available as soon as fully tested. Please check for localized updates at your normal product support location.

To date, Symantec has not had any reports of attempts to exploit or customers impacted by this vulnerability.

Affected Enterprise Products

Product | Versions | Builds | Update To
Norton AntiVirus for Microsoft Exchange | 2.18 and earlier | All | SMSMSE 4.6.4.110
Symantec AntiVirus/Filtering for Microsoft Exchange | 4.0.10.465 and earlier | All | SMSMSE 4.6.4.110
Symantec Mail Security | 8200 | All | 4.1.2-17
Symantec Mail Security for Microsoft Exchange | 4.5.4 and earlier | All | 4.6.4.110
Symantec Mail Security for Microsoft Exchange | 4.6.3 and earlier | All | 4.6.4.110
Symantec Mail Security for Microsoft Exchange | 5.0.0.204 | All | 5.0.1.208
Symantec Mail Security for Domino NT | 4.0.3 and earlier | All | 4.1.5.30
Symantec Mail Security for Domino NT | 4.1.4 and earlier | All | 4.1.5.30
Symantec Mail Security for Domino NT | 5.0.0.47 | All | 5.0.1.49
Symantec AntiVirus/Filtering for Domino MPE (AIX, Linux, Solaris) | 3.0.11 and earlier | All | 3.0.12.25
Symantec Scan Engine | 5.0.1 and earlier | All | 5.0.2.32
Symantec AntiVirus Scan Engine | 4.1.8 and earlier | All | 4.1.9.30
Symantec AntiVirus Scan Engine | 4.3.12 and earlier | All | 4.3.13.36
Symantec AntiVirus Scan Engine for MS ISA | 4.3.12 and earlier | All | 4.3.13.36
Symantec AntiVirus Scan Engine for MS SharePoint | 4.3.12 and earlier | All | 4.3.13.36
Symantec AntiVirus Scan Engine for Messaging | 4.3.12 and earlier | All | 4.3.13.36
Symantec AntiVirus for Network Attached Storage | 4.3.12 and earlier | All | 4.3.13.36
Symantec AntiVirus Scan Engine for Clearswift | 4.3.12 and earlier | All | 4.3.13.36
Symantec AntiVirus Scan Engine for Caching | 4.3.12 and earlier | All | 4.3.13.36
Symantec AntiVirus for SMTP | 3.1.7 and earlier | All | SMSSMTP 4.1.11.41
Symantec Mail Security for SMTP | 4.1.9 and earlier | All | 4.1.11.41
Symantec Client Security | 3.X | All | 3.0.2.2001 (MR2 PP1); 3.0.2 MP1
Symantec Web Security | 3.0.1 and earlier | All | 3.0.1.76
Symantec Gateway Security 5000 Series | 3.0 | All | SGS3.0-20051222-00
Symantec Gateway Security 5400 Series | 2.0 | All | SGS2.0.1-20051222-00
Symantec Gateway Security | 1.0 | All | SG7004-20051222-00
Symantec Brightmail AntiSpam | 6.0 | All | 6.0.3 (patch 164)
Symantec Brightmail AntiSpam | 5.5 | All | Upgrade to 6.0.3 (patch 164)
Symantec Brightmail AntiSpam | 4.0 | All | 4.0.9
Symantec AntiVirus Corporate Edition | 10.X | All | 10.0.2.2001 (MR2 PP1); 10.0.2 MP1
Symantec AntiVirus for Macintosh | 10.X | All | Macintosh virus definitions dated January 4, 2006 or later

Affected Consumer Products

Product | Versions | Builds | Update To
Norton AntiVirus | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate)
Norton AntiVirus | 2005 | All | Common Client 3.0.6 (via LiveUpdate)
Norton AntiVirus | 2004 | All | Common Client 2.1.9 (via LiveUpdate)
Norton Internet Security Professional | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate)
Norton Internet Security Professional | 2005 AntiSpyware Edition | All | Common Client 3.5.7 (via LiveUpdate)
Norton Internet Security Professional | 2005 | All | Common Client 3.0.6 (via LiveUpdate)
Norton Internet Security Professional | 2004 | All | Common Client 2.1.9 (via LiveUpdate)
Norton SystemWorks | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate)
Norton SystemWorks | 2005 | All | Common Client 3.0.6 (via LiveUpdate)
Norton SystemWorks | 2004 | All | Common Client 2.1.9 (via LiveUpdate)
Norton Personal Firewall | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate)
Norton Personal Firewall | 2005 | All | Common Client 3.0.6 (via LiveUpdate)
Norton Personal Firewall | 2004 | All | Common Client 2.1.9 (via LiveUpdate)
Norton AntiVirus for Macintosh | 10.X | All | Macintosh virus definitions dated January 4, 2006 or later
Norton AntiVirus for Macintosh | 9.X | All | Macintosh virus definitions dated January 4, 2006 or later
Norton Internet Security for Macintosh | 3.X | All | Macintosh virus definitions dated January 4, 2006 or later
Norton SystemWorks for Macintosh | 3.X | All | Macintosh virus definitions dated January 4, 2006 or later

Products Not Affected

Product | Versions | Builds
Symantec AntiVirus Corporate Edition | 9.X - all versions | All
Symantec AntiVirus Corporate Edition | 8.X - all versions | All
Symantec Client Security | 2.X | All
Symantec Client Security | 1.X | All
Symantec Enterprise Firewall | 8.0 | All
Symantec Clientless VPN Gateway 4400 Series | 5.0 | All
Symantec Firewall / VPN Appliance | 100/200 | All
Symantec Gateway Security 300/400 Series | 2.0 | All
Norton AntiVirus for Macintosh | 7.X | All
Norton AntiVirus for Macintosh | 8.X | All
Norton Internet Security for Macintosh | 2.X | All
Symantec AntiVirus for HandHelds - Corporate Edition | All | All
Symantec AntiVirus for Handhelds | All | All
Symantec Client Security for Nokia | (not listed) | All

Symantec Response
Symantec is currently building, testing and distributing product updates for all supported affected products.

Mitigations
Symantec Security Response posted an antivirus-based protection signature to LiveUpdate on December 20, 2005, providing heuristic detection of potential exploits of the Symantec decomposer RAR archive vulnerability. The signature is available through LiveUpdate to all desktop, server and gateway versions of Symantec's security products and appliance solutions that contain the decomposer RAR archive support. It detects exploit attempts; it does not correct the vulnerable decomposer code, which is fixed only by the product updates listed above. Symantec strongly recommends that customers immediately ensure their products are up to date to protect against possible threats.

Customers may also reduce the exposure of the antivirus component by disabling scanning of RAR-compressed files until the vulnerable code is fixed. Note, however, that while RAR scanning is disabled, RAR files containing viruses can pass through the security gateway unscanned.

Instructions to disable scanning of RAR compressed files for Symantec gateway products can be found at: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2005122213230354

To disable scanning of RAR files in Auto-Protect for Norton AntiVirus 9 and Norton AntiVirus 10 for Macintosh (the steps below refer to the Mac OS X preference pane):

  1. Open the System Preferences
  2. Select the Norton Auto-Protect preference pane
  3. Set 'Scan Compressed Files' to 'Off'
  4. Close the System Preferences
This will disable the use of the Decomposer Engine when Auto-Protect is scanning files.

CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE-2005-4438 to this issue.

Credit
Symantec thanks Alex Wheeler for providing coordination and working with Symantec to resolve this issue.


Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

Attachments: Symantec Product Vulnerability Response Policy; Symantec Product Vulnerability Management PGP Key


Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Initial Post on: Wednesday, 21-Dec-05 22:00:00
Last modified on: Friday, 27-Jan-06 20:56:35