WelcomeEnterpriseSmall BusinessHome & Home OfficePartnersAbout Symantec
June 5, 2007
Symantec Reporting Server Elevation of Privilege

Revision History

Risk Impact

Remote AccessYes
Local AccessYes
Authentication RequiredNo
Exploit publicly availableNo

Files created by Reporting Server may be accessible to an unauthorized user.

Affected Products
ProductAffected VersionUpdated VersionSolution
Reporting Server Reporting SAV 10.1 MR6 build 6000 ( or later
SAV 10.1 MR6 build 6000 ( or later
Reporting Server is distributed with Symantec AntiVirus Corporate Edition 10.1 and later and Symantec Client Security 3.1 and later. The first publicly available version of Reporting Server was All builds of Reporting prior to the Updated version listed above are impacted by this vulnerability.

Unaffected Products
Norton product line all all

Symantec Reporting is an optional web application within the Symantec System Center console that can be used to create reports about Symantec Client Security and Symantec AntiVirus products in an enterprise network.

Symantec was notified that a file created in the process of exporting data from the Reporting Server could be potentially be manipulated by an unauthorized user to create a malicious executable file. An attacker could then execute the file, potentially gaining access to the server in the context of the web server user.

Symantec Response
Symantec engineers verified that the issue exists in Reporting Server included with the product versions listed in the table above. The error occurred due to the improper initialization of a variable, and updates have been released to correct the problem.

Reporting Server is an optional program distributed with Symantec AntiVirus Corporate Edition (SAV CE) 10.1 and later and Symantec Client Security (SCS) 3.1 and later. Reporting Server can be used to create reports about any version of SAV CE and SCS installed on client systems within an organization. This vulnerability affects only systems on which the Reporting Server program is installed. Individual client systems are not affected.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue. However, we recommend that customers update Reporting Server immediately to protect against possible attempts to exploit this issue.

Mitigation and best practices

  • Uninstall Reporting Server if it is not being used
  • Symantec Client Security Console (SCS Console) and Reporting Server interface should be restricted to trusted access only.
  • Ensure that the SCS Console and Reporting Server interface are never visible external to the network. This greatly reduces opportunities for unauthorized remote access.
  • User accounts for Reporting Server should be unique, and different from the userís network login account.
  • Delete exported data files which are no longer needed.

Applying the Updates
Reporting Server is an optional component of Symantec Client Security, and it can be updated (migrated) independently of the rest of the program. For more information, please see this knowledgebase document:

Migrating Reporting Server for Symantec Client Security 3.1 and Symantec AntiVirus 10.1

Symantec would like to thank Ertunga Arsal of Tech Data GmbH & Co. OHG for reporting this issue, and coordinating with us on the response.

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE-2007-3021 to this issue

Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

PDF Symantec Vulnerability Response Policy PGP Symantec Product Vulnerability Management PGP Key

Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Initial Post on: Tuesday, 05-Jun-07 08:00:00
Last modified on: Monday, 18-Jun-2007 12:40:40 PDT