__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                    INFORMATION BULLETIN

        Symantec Decomposer Vulnerabilities [SYM08-006]

February 27, 2008 19:00 GMT                                       Number S-206
______________________________________________________________________________
PROBLEM:       Two Denial of Service (DoS) vulnerabilities have been
               identified in an older version of the Symantec Decomposer,
               the component used to parse some types of archive content
               while scanning for malicious content in some of Symantec's
               legacy product versions.

PLATFORM:      Symantec AntiVirus for Network Attached Storage 4.3.16.39 & earlier
               Symantec AntiVirus Scan Engine 4.3.16.39 and earlier
               Symantec AntiVirus Scan Engine for Caching 4.3.16.39 & earlier
               Symantec AntiVirus Scan Engine for Clearswift 4.3.16.39 & earlier
               Symantec AntiVirus Scan Engine for Messaging 4.3.16.39 & earlier
               Symantec AntiVirus Scan Engine for MS ISA 4.3.16.39 & earlier
               Symantec AntiVirus Scan Engine for MS SharePoint 4.3.16.39 & earlier
               Symantec AntiVirus/Filtering for Domino MPE (AIX, Linux, Solaris)
               Symantec Mail Security for Microsoft Exchange 4.6.5.12 and earlier
                                                             5.0.4.363 and earlier
               Symantec Scan Engine 5.1.4.24 and earlier

DAMAGE:        Denial of service; the buffer overflow may also allow
               remote code execution.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The first issue is triggered when the
ASSESSMENT:    decomposer receives malicious content; if the content is
               sufficiently malformed, it can cause large amounts of memory
               to be consumed, resulting in a Denial of Service. The second
               issue is a buffer overflow that can crash the decomposer,
               causing a Denial of Service condition and potentially
               allowing remote code execution.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-206.shtml
 ORIGINAL BULLETIN:  http://www.symantec.com/avcenter/security/Content/2008.02.27.html
 ADDITIONAL LINK:    http://www.securityfocus.com/bid/27913/discuss
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2008-0308
                     CVE-2008-0309
______________________________________________________________________________

[***** Start SYM08-006 *****]

SYM08-006
26 February, 2008

Symantec Decomposer: Multiple Denial of Service Vulnerabilities

Revision History
Added CVE information

Severity                    Medium
Remote Access               Yes
Local Access                No
Authentication Required     No
Exploit publicly available  No

Overview
Two Denial of Service (DoS) vulnerabilities have been identified impacting
an older version of the Symantec Decomposer used to parse some types of
archive content while scanning for malicious content in some of Symantec's
legacy product versions.

Products Affected
Product                                               Versions               Builds  Update To
Symantec AntiVirus for Network Attached Storage       4.3.16.39 & earlier    All     4.3.18.43
Symantec AntiVirus Scan Engine                        4.3.16.39 and earlier  All     4.3.18.43
Symantec AntiVirus Scan Engine for Caching            4.3.16.39 & earlier    All     4.3.18.43
Symantec AntiVirus Scan Engine for Clearswift         4.3.16.39 & earlier    All     4.3.18.43
Symantec AntiVirus Scan Engine for Messaging          4.3.16.39 & earlier    All     4.3.18.43
Symantec AntiVirus Scan Engine for MS ISA             4.3.16.39 & earlier    All     4.3.18.43
Symantec AntiVirus Scan Engine for MS SharePoint      4.3.16.39 & earlier    All     4.3.18.43
Symantec AntiVirus/Filtering for Domino MPE           All                    All     3.2.2
  (AIX, Linux, Solaris)
Symantec Mail Security for Microsoft Exchange         4.6.5.12 and earlier   All     4.6.8.120
                                                      5.0.4.363 and earlier  All     5.0.6.368
Symantec Scan Engine                                  5.1.4.24 and earlier   All     5.1.6.31

Products Not Affected
Product                                               Versions   Builds
Norton AntiVirus                                      All        All
Norton AntiVirus for Macintosh                        All        All
Norton Personal Firewall                              All        All
Norton System Works                                   All        All
Norton360                                             All        All
Norton Internet Security                              All        All
Symantec AntiVirus Corporate Edition                  All        All
Symantec AntiVirus for Handhelds                      All        All
Symantec AntiVirus for HandHelds - Corporate Edition  All        All
Symantec AntiVirus for Macintosh                      All        All
Symantec Brightmail AntiSpam                          All        All
Symantec Client Security                              All        All
Symantec Client Security for Nokia                    All        All
Symantec Clientless VPN Gateway 4400 Series           All        All
Symantec Endpoint Protection                          All        All
Symantec Enterprise Firewall                          All        All
Symantec Firewall / VPN Appliance 100/200             All
Symantec Gateway Security                             All        All
Symantec Gateway Security 300/400 Series              2.0        All
Symantec Gateway Security 5000 Series                 3.0.1      All
Symantec Gateway Security 5400 Series                 2.0.1      All
Symantec Internet Security for Macintosh              All        All
Symantec Mail Security for Domino NT                  All        All
Symantec Mail Security for Microsoft Exchange         6.0.X      All
Symantec Mail Security for SMTP                       All        All
Symantec System Works for Macintosh                   All        All
Symantec Web Security                                 All        All
Symantec Web Security for Microsoft ISA 2004          All        All

Note: Only currently supported Symantec Products are being updated.
Customers using unsupported versions are encouraged to upgrade to a
supported version.

Details
Two DoS vulnerabilities were identified in earlier versions of Symantec's
Decomposer engine. The first issue is triggered when it receives malicious
content. If sufficiently malformed, this could possibly cause large amounts
of memory to be consumed which could result in a Denial of Service. The
second issue is a buffer overflow that can cause the decomposer to crash
causing a Denial of Service condition and the potential for remote code
execution.

Symantec Response
Symantec engineers have verified and corrected these issues in affected
versions of supported products. Updates are available for affected
products.
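Deciding which hosts actually need the update means comparing installed builds against the "Update To" column numerically, not as strings: a lexicographic comparison ranks build 4.3.9.x above 4.3.18.43 and would silently mark a vulnerable engine as current. The following script is an added example for this bulletin, not CIAC or Symantec code. The product/build table is transcribed from the advisory above; the host inventory it runs over is constructed sample data, and the choice to flag every build below the fixed one (rather than only those the advisory explicitly names as "and earlier") is a deliberately conservative assumption.

```python
"""Check a host inventory against the fixed builds in SYM08-006.

Added example for this bulletin; it is not CIAC or Symantec code.  The
product/build table is transcribed from the advisory's "Products Affected"
and "Products Not Affected" lists (CVE-2008-0308, CVE-2008-0309); the
INVENTORY entries are constructed sample data.
"""
from typing import List, Optional, Tuple

# (product, affected major version or None for every branch, fixed build),
# transcribed from the SYM08-006 "Update To" column.
AFFECTED: List[Tuple[str, Optional[int], str]] = [
    ("Symantec AntiVirus for Network Attached Storage", None, "4.3.18.43"),
    ("Symantec AntiVirus Scan Engine", None, "4.3.18.43"),
    ("Symantec AntiVirus Scan Engine for Caching", None, "4.3.18.43"),
    ("Symantec AntiVirus Scan Engine for Clearswift", None, "4.3.18.43"),
    ("Symantec AntiVirus Scan Engine for Messaging", None, "4.3.18.43"),
    ("Symantec AntiVirus Scan Engine for MS ISA", None, "4.3.18.43"),
    ("Symantec AntiVirus Scan Engine for MS SharePoint", None, "4.3.18.43"),
    ("Symantec AntiVirus/Filtering for Domino MPE", None, "3.2.2"),
    ("Symantec Mail Security for Microsoft Exchange", 4, "4.6.8.120"),
    ("Symantec Mail Security for Microsoft Exchange", 5, "5.0.6.368"),
    ("Symantec Scan Engine", None, "5.1.6.31"),
]

# Branches listed under "Products Not Affected" for a product that
# otherwise appears in the affected table.
NOT_AFFECTED_BRANCHES = {("Symantec Mail Security for Microsoft Exchange", 6)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.3.16.39' into (4, 3, 16, 39) so each field compares as a number.

    Comparing build strings lexicographically is the classic mistake:
    '4.3.9.0' > '4.3.18.43' as strings, although 4.3.9 is the older build.
    """
    return tuple(int(part) for part in text.strip().split("."))


def version_lt(a: str, b: str) -> bool:
    """True if build a is numerically older than build b ('3.2.2' == '3.2.2.0')."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))


def assess(product: str, version: str) -> str:
    """Classify one installed product/build against the advisory.

    Assumption (conservative): anything below the fixed build is reported as
    vulnerable.  The advisory names "4.3.16.39 and earlier" as affected and
    "4.3.18.43" as the fix; builds in between are not mentioned, so they are
    treated as needing the update rather than as safe.
    """
    major = parse_version(version)[0]
    if (product, major) in NOT_AFFECTED_BRANCHES:
        return "not affected"
    for name, branch, fixed in AFFECTED:
        if name == product and (branch is None or branch == major):
            return "vulnerable" if version_lt(version, fixed) else "fixed"
    # Not in the affected table: check it by hand against the advisory's
    # "Products Not Affected" list rather than assuming it is safe.
    return "unknown"


def string_compare_is_wrong() -> bool:
    """Shows why parse_version exists: both halves are True."""
    return "4.3.9.0" > "4.3.18.43" and version_lt("4.3.9.0", "4.3.18.43")


# Constructed sample inventory: (hostname, product, installed build).
INVENTORY = [
    ("spav-01", "Symantec AntiVirus Scan Engine for MS SharePoint", "4.3.16.39"),
    ("scan-02", "Symantec Scan Engine", "5.1.6.31"),
    ("exch-03", "Symantec Mail Security for Microsoft Exchange", "5.0.4.363"),
    ("exch-04", "Symantec Mail Security for Microsoft Exchange", "6.0.1"),
    ("domino-05", "Symantec AntiVirus/Filtering for Domino MPE", "3.2.1"),
    ("web-06", "Symantec Web Security", "3.0"),
]


def report(inventory=INVENTORY):
    """Map hostname -> assessment for every inventory entry."""
    return {host: assess(product, build) for host, product, build in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:10} {status}")
```

Hosts that come back "unknown" are products outside the affected table; they are not automatically safe and should be matched by hand against the "Products Not Affected" list above before being closed out.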
Symantec recommends customers apply the latest product update available for
their supported product versions to enhance their security posture and
protect against potential security threats of this nature.

Symantec is not aware of any customers impacted by this issue, or of any
attempts to exploit the issue.

Product updates are available from the Symantec support site:
http://www.symantec.com/techsupp/ or via LiveUpdate when available.

Symantec Norton product users who regularly launch and run LiveUpdate should
already have received an updated (non-vulnerable) version of
(product/component). However, to ensure all available updates have been
applied, users can manually launch and run LiveUpdate in Interactive mode as
follows:

To perform a manual update using Symantec LiveUpdate, users should:
- Open any installed Symantec product
- Click on LiveUpdate in the toolbar
- Run LiveUpdate until all available Symantec product updates are
  downloaded and installed

Best Practices
As part of normal best practices, Symantec strongly recommends:
- Restrict access to administration or management systems to privileged
  users.
- Restrict remote access, if required, to trusted/authorized systems only.
- Run under the principle of least privilege where possible to limit the
  impact of exploit by threats such as this.
- Keep all operating systems and applications updated with the latest
  vendor patches.
- Follow a multi-layered approach to security. Run both firewall and
  antivirus applications, at a minimum, to provide multiple points of
  detection and protection to both inbound and outbound threats.
- Deploy network intrusion detection systems to monitor network traffic for
  signs of anomalous or suspicious activity. This may aid in detection of
  attacks or malicious activity related to exploitation of latent
  vulnerabilities.

Reference
SecurityFocus, http://www.securityfocus.com, has assigned Bugtraq IDs (BID)
to this issue for inclusion in the SecurityFocus vulnerability data base.
The BIDs assigned are 27911 and 27913 which can be found at
http://www.securityfocus.com/bid/27911 and
http://www.securityfocus.com/bid/27913

CVE
This issue is a candidate for inclusion in the Common Vulnerabilities and
Exposures (CVE) list (http://cve.mitre.org), which standardizes names for
security problems. The CVE initiative has assigned CVE-2008-0308 and
CVE-2008-0309 for these issues.

Credit
Symantec would like to thank iDefense for reporting these issues and
providing full coordination while Symantec resolved them.

[***** End SYM08-006 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Symantec for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC.
The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-197: VMWare Products Shared Folders "MultiByteToWideChar()" Variant Vulnerability
S-198: OpenCA Vulnerability
S-199: OpenLDAP Vulnerability
S-196: Cups Security Update
S-200: splitvt Vulnerability
S-201: PCRE3 Vulnerability
S-202: Cups Security Update
S-203: Alsa-Drive Vulnerability
S-204: Opera Web Browser Vulnerabilities
S-205: PHP-Nuke EasyContent Module 'page_id' Parameter Vulnerability