Revision History
None
Severity
Medium
| Remote | No |
| Local | Yes |
| Authentication Required | Yes |
| Exploit publicly available | Yes |
Overview
Symantec was notified of a vulnerability in two device drivers which, if successfully exploited, could allow a local attacker to execute arbitrary code with kernel level privileges.
Affected Products
| Product | Platform | Version | Solution |
| Norton AntiVirus | Windows 32/64 | all | Update virus definitions to October 4, 2006 revision 9 or later |
| Norton Internet Security | Windows 32/64 | all |
| Norton System Works | Windows 32/64 | all |
| Symantec AntiVirus Corporate Edition | Windows 32/64 | all |
| Symantec AntiVirus for Blue Coat Security | Windows 32/64 | all |
| Symantec AntiVirus for CacheFlow Security Gateway | Windows 32/64 | all |
| Symantec AntiVirus for Clearswift MIME Sweeper | Windows 32/64 | all |
| Symantec AntiVirus for Inktomi Traffic Edge | Windows 32/64 | all |
| Symantec AntiVirus for Microsoft ISA Server | Windows 32/64 | all |
| Symantec AntiVirus for NetApp Filer/NetCache | Windows 32/64 | all |
| Symantec BrightMail AntiSpam | Windows 32/64 | all |
| Symantec Client Security | Windows 32/64 | all |
| Symantec Mail Security for Domino | Windows 32/64 | all |
| Symantec Mail Security for Exchange | Windows 32/64 | all |
| Symantec Mail Security for SMTP | Windows 32/64 | all |
| Symantec Scan Engine | Windows 32/64 | all |
| Symantec Web Security for Windows | Windows 32/64 | all |
Note:
This issue affects the Symantec and Norton anti-virus products running on the following operating systems: Windows NT, Windows 2000, Windows XP. No other operating systems or product lines product lines are impacted.
Unaffected Products
| Product | Platform | Version |
| Norton AntiVirus | Macintosh | all |
| Norton AntiVirus | Windows 95/98/ME | all |
| Norton Internet Security | Macintosh | all |
| Norton Internet Security | Windows 95/98/ME | all |
| Norton System Works | Windows 95/98/ME | all |
| Symantec AntiVirus Corporate Edition | Windows 98 | all |
| Symantec AntiVirus for Blue Coat Security | Linux, Solaris | all |
| Symantec AntiVirus for CacheFlow Security Gateway | Unix | all |
| Symantec AntiVirus for Clearswift MIME Sweeper | Solaris, Linux | all |
| Symantec AntiVirus for Handhelds | All | all |
| Symantec AntiVirus for Linux | Linux | all |
| Symantec AntiVirus for Microsoft ISA server | Linux, Solaris | all |
| Symantec AntiVirus Scan Engine | Linux, Solaris | all |
| Symantec BrightMail AntiSpam | Linux, Solaris | all |
| Symantec Client Security | Windows 98 | all |
| Symantec Client Security | Netware | all |
| Symantec Mail Security for Domino | AIX, Solaris, Linux | all |
| Symantec Mail Security for SMTP | Linux, Solaris | all |
| Symantec Mail Security for SMTP | Linux, Solaris | all |
| Symantec Mobile Security for Symbian | Symbian | all |
| Symantec Scan Engine | Linux, Unix, Solaris/td> | all |
| Symantec Web Security | Solaris | all |
Details
IDefense notified Symantec of a vulnerability in NAVEX15.SYS and NAVENG.SYS, two device drivers which are part of Symantec’s anti-virus engine. A specially crafted IRP could be sent to the IOCTL handler function which could allow memory to be overwritten because the address space was not properly validated. A successful exploit could potentially allow a local attacker to execute code of their choice with kernel level privileges.
Symantec Response
Symantec engineers verified that the vulnerability exists in NAVEX15.SYS and NAVENG.SYS, and have released solutions for the problem. The solution is available in NAVEX15.SYS and NAVENG.SYS version 20061.3.0.12 and later. To obtain the update, users should update their virus definitions to October 4, 2006 revision 9 or later.
Norton AntiVirus product users can obtain this update by running LiveUpdate, or downloading and running the Intelligent Updater. Enterprise customers can run LiveUpdate, or follow their standard corporate process for updating virus definitions.
Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.
Best Practice
As part of normal best practices, Symantec recommends a multi-layered approach to security:
- Run under the principle of least privilege where possible.
- Keep all operating systems and applications updated with the latest vendor patches.
- Run a personal firewall and an antivirus application with current updates to provide multiple points of detection and protection from inbound and outbound threats.
- Be cautious of attachments and executables delivered via email and be cautious of browsing unknown/untrusted websites or opening unknown/untrusted URL links.
- Do not open unidentified attachments or executables from unknown sources or that you didn't request or were unaware of.
- Always err on the side of caution. Even if the sender is known, the source address may be spoofed.
- If in doubt, contact the sender to confirm they sent it and why before opening the attachment. If still in doubt, delete the attachment without opening it.
Credit
Symantec would like to acknowledge Ruben Santamarta (www.reversemode.com), in working with the iDefense Vulnerability Contributor Program (http://www.idefense.com/), for reporting this issue & validating the solution.
CVE
This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE-2006-4927 to this issue
Symantec takes the security and proper functionality of its products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability guidelines outlined by the National Infrastructure Advisory Council (NIAC). Please contact secure@symantec.com if you feel you have discovered a potential or actual security issue with a Symantec product. A Symantec Product Security team member will contact you regarding your submission.
Symantec has developed a Product Vulnerability Handling Process document outlining the process we follow in addressing suspected vulnerabilities in our products. We support responsible disclosure of all vulnerability information in a timely manner to protect Symantec customers and the security of the Internet as a result of vulnerability. This document is available from the location provided below.
Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be obtained from the location provided below.
Copyright (c) 2008 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Initial Post on: Thursday, 05-Oct-06 09:40:00
Last modified on: Wednesday, 14-May-08 22:47:27
Symantec Vulnerability Response Policy
Symantec Product Vulnerability Management PGP Key