Revision History
Removed invalid CVE information
Added missing product information
Updated Symantec AntiVirus Corporate addition version information
Added information and link to new update tool for Symantec AntiVirus and Symantec Client Security
Updated Symantec Gateway Security version and update information
Risk Impact
High
| Remote Access | Yes |
| Local Access | No |
| Authentication Required | No |
| Exploit publicly available | No |
Overview
Two vulnerabilities have been identified in the Symantec Decomposer component used to decompose some types of archive content while scanning for malicious content.
Affected Enterprise Products
| Product | Version | Builds | Update To |
|
Symantec Mail Security
|
8200
|
All
|
5.0.0.24
|
|
Symantec Mail Security for Microsoft Exchange
|
4.6.7 and earlier
|
All
|
4.6.8.120
|
|
5.0.4.and earlier
|
All
|
5.0.5 and higher
|
|
6.0.0
|
All
|
6.0.1 or later
|
|
Symantec Mail Security for Domino NT
|
4.1.5 and earlier
|
All
|
4.1.9.37
|
|
5.1.2.28 and earlier
|
All
|
5.1.4.32
|
|
Symantec AntiVirus/Filtering for Domino MPE(AIX, Linux, Solaris)
|
3.0.12 and earlier
|
All
|
3.2.2.27 †
|
|
Symantec Scan Engine
|
5.0.1 and earlier
|
All
|
5.1.4.24
|
|
Symantec AntiVirus Scan Engine
|
4.1.8 and earlier
|
All
|
4.3.18.43
|
|
4.3.12 and earlier
|
All
|
4.3.17 or later
|
|
Symantec AntiVirus Scan Engine for MS ISA
|
4.3.12 and earlier
|
All
|
4.3.17 or later
|
|
Symantec AntiVirus Scan Engine for MS Sharepoint
|
4.3.12 and earlier
|
All
|
4.3.17 or later
|
|
Symantec AntiVirus Scan Engine for Messaging
|
4.3.12 and earlier
|
All
|
4.3.17 or later
|
|
Symantec AntiVirus for Network Attached Storage
|
4.3.12 and earlier
|
All
|
4.3.17 or later
|
|
Symantec AntiVirus Scan Engine for Clearswift
|
4.3.12 and earlier
|
All
|
4.3.17 or later
|
|
Symantec AntiVirus Scan Engine for Caching
|
4.3.12 and earlier
|
All
|
4.3.17 or later
|
|
Symantec Client Security †††
|
3.X
|
All
|
SCS 3.1 MR5 MP1 (build 3.1.5.5010)††
|
|
2.X
|
All
|
SCS 2.0 MR6-MP1 (build 2.0.6.1100)††
|
1.X
|
All
|
|
Symantec Web Security
|
3.0.1.76 and earlier
|
All
|
3.0.1.85
|
|
Symantec Gateway Security 1600 Series
|
3.0.1
|
All
|
Update F Apply Hotfix SGS1600-3.0.1-enga2007080100
|
|
Symantec Gateway Security 5000 Series
|
3.0.1
|
All
|
Update F Apply Hotfix SGS5000-3.0.1-enga2007080100
|
|
Symantec Gateway Security 5400 Series
|
2.0.1
|
All
|
Upgrade to 3.0.1 F Apply SGS5000-3.0.1-enga2007080100
|
|
Symantec Brightmail AntiSpam
|
6.0.x
|
All
|
6.05
|
|
5.5
|
All
|
4.x
|
All
|
|
Symantec AntiVirus Corporate Edition †††
|
10.X
|
All
|
SAV 10.1 MR5 MP1 (build 10.1.5.5010)††
|
|
9.X
|
All
|
SAV 9.0 MR6-MP1 (build 9.0.6.1100) ††
|
|
8.X
|
All
|
|
Symantec AntiVirus for Macintosh
|
10.X
|
All
|
Update to any definition after 10/1/2006
|
|
Symantec Web Security for Microsoft ISA 2004
|
5.0
|
All
|
5.0.3
|
|
Symantec Mail Security for SMTP
|
5.0.0 Solaris
|
All
|
Patch 175
|
|
5.0.0 Linux
|
All
|
Patch 175
|
|
5.0.0 Windows
|
All
|
Patch 176
|
|
5.0.1
|
All
|
Patch 181
|
|
4.1.15 and earlier
|
All
|
4.1.16
|
† Symantec AntiVirus/Filtering for Domino MPE is no longer supported. Customers are encouraged to upgrade to Symantec Mail Security for Domino MPE
†† Customers using the SAV CE Linux client should upgrade to version 1.0.2-75. This build is available by downloading the latest SAV CE 10.X or SCS 3.X build from FileConnect.
†††Symantec has released a tool that will update the decomposer engine in Symantec AntiVirus Corporate Edition and Symantec Client Security
For more information and to download the tool, please read the following
document:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007071111591448
Affected Consumer Products
| Product | Version | Builds | Update To |
|
Norton AntiVirus
|
2006
|
All
|
Run LiveUpdate in Interactive Mode
|
|
2005
|
All
|
Run LiveUpdate in Interactive Mode
|
|
2004
|
All
|
Run LiveUpdate in Interactive Mode
|
|
Norton Internet Security
|
2006
|
All
|
Run LiveUpdate in Interactive Mode
|
|
2005.5 AntiSpyware Edition
|
All
|
Run LiveUpdate in Interactive Mode
|
|
2005
|
All
|
Run LiveUpdate in Interactive Mode
|
|
2004
|
All
|
Run LiveUpdate in Interactive Mode
|
|
Norton SystemWorks
|
2006
|
All
|
Run LiveUpdate in Interactive Mode
|
|
2005
|
All
|
Run LiveUpdate in Interactive Mode
|
|
2004
|
All
|
Run LiveUpdate in Interactive Mode
|
|
Norton Personal Firewall
|
2006
|
All
|
Run LiveUpdate in Interactive Mode
|
|
Norton AntiVirus for Macintosh
|
10.X
|
All
|
Update to any definition after 10/1/2006
|
|
9.X
|
All
|
|
Norton Internet Security for Macintosh
|
3.X
|
All
|
Update to any definition after 10/1/2006
|
|
Norton SystemWorks for Macintosh
|
3.X
|
All
|
Update to any definition after 10/1/2006
|
Products Not Affected:
| Product | Version | Builds |
|
Symantec AntiVirus for HandHelds - Corporate Edition
|
All
|
All
|
|
Symantec AntiVirus for Handhelds
|
All
|
All
|
|
Symantec Client Security for Nokia
|
All
|
All
|
|
Symantec Enterprise Firewall
|
8.0
|
All
|
|
Symantec Clientless VPN Gateway 4400 Series
|
5.0
|
All
|
|
Symantec Firewall / VPN Appliance
|
100/200
|
All
|
|
Symantec Gateway Security 300/400 Series
|
2.0
|
All
|
|
Norton AntiVirus for Macintosh
|
7.X
|
All
|
|
Norton AntiVirus for Macintosh
|
8.X
|
All
|
|
Norton Internet Security for Macintosh
|
2.X
|
All
|
|
Norton SystemWorks for Macintosh
|
2.X
|
All
|
|
Norton360
|
All
|
All
|
|
Symantec AntiVirus Corporate Edition
|
10.2
|
All
|
|
Norton AntiVirus
|
2007
|
All
|
|
Norton Internet Security
|
2007
|
All
|
|
Norton System works
|
2007
|
All
|
Details
The first vulnerability is related to the decomposition of RAR files. Modifying the RAR file header in a specific way, causes the decomposer to enter an infinite loop causing a Denial of Service.
The second vulnerability is related to the decomposition of CAB files. The Symantec Decomposer fails to perform proper bounds checks when copying from the CAB archive. This may result in the possibility of arbitary code execution on the vulnerable system.
NOTE:
- Only currently supported Symantec Products will be updated. Customers using unsupported versions are encouraged to upgrade to a supported version.
Symantec response
Symantec engineers have verified and corrected these issues in all currently supported products.
Updates are available for supported products. Symantec recommends customers apply the latest product update available for their supported product versions to enhance their security posture and protect against potential security threats of this nature.
Product updates will be available from the Symantec support site: http://www.symantec.com/techsupp/ or via LiveUpdate when available.
Symantec Norton product users who regularly launch and run LiveUpdate should already have received an updated (non-vulnerable) version of (product/component). However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in Interactive mode as follows:
- Open any installed Norton product
- Click on LiveUpdate in the GUI
To perform a manual update using Symantec LiveUpdate, users should:
- Open any installed Symantec product
- Click on LiveUpdate in the toolbar
- Run LiveUpdate until all available Symantec product updates are downloaded and installed
To date, Symantec is not aware of any exploits for these issues.
Best Practices
As part of normal best practices, Symantec strongly recommends:
- Restrict access to administration or management systems to privileged users.
- Restrict remote access, if required, to trusted/authorized systems only.
- Run under the principle of least privilege where possible to limit the impact of exploit by threats such as this.
- Keep all operating systems and applications updated with the latest vendor patches.
- Follow a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
- Deploy network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities
CVE
This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE-2007-3699 for the RAR issue and CVE-2007-0447 for the CAB file issue.
Credit
Symantec would like to thank 3COM, and the Zero Day Initiative for reporting these issues and providing full coordination while Symantec resolved them.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.
Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Initial Post on: Wednesday, 11-Jul-07 7:00:00
Last modified on: Thursday, 23-Aug-07 23:13:09
Symantec Vulnerability Response Policy
Symantec Product Vulnerability Management PGP Key