Date: 29 April 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2009.0036 -- AUSCERT ALERT
[Win][Netware][Linux]
Symantec Alert Management System 2: Administrator Compromise
29 April 2009
===========================================================================
AusCERT Alert Summary
---------------------
Product:              Symantec AntiVirus Corporate Edition 9.0 MR6 and earlier
                      Symantec AntiVirus Corporate Edition 10.0 all versions
                      Symantec AntiVirus Corporate Edition 10.1 MR7 and earlier
                      Symantec AntiVirus Corporate Edition 10.2 MR1 and earlier
                      Symantec Client Security 2.0 MR6 and earlier
                      Symantec Client Security 3.0 all versions
                      Symantec Client Security 3.1 MR7 and earlier
                      Symantec Endpoint Protection 11.0 MR2 and earlier
Publisher:            Symantec
Operating System:     Windows
                      Netware
                      Linux variants
Impact:               Administrator Compromise
CVE Names:            CVE-2009-1429 CVE-2009-1430 CVE-2009-1431
Member content until: Wednesday, May 27 2009
Original Bulletin:
  http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_02
- --------------------------BEGIN INCLUDED TEXT--------------------
Symantec Alert Management System 2 multiple vulnerabilities
SYM09-007
April 28, 2009
Description
Revision History
None
Risk Impact
High
Remote Access Yes
Local Access Yes
Authentication Required No
Exploit available No
Overview
The version of Alert Management System 2 (AMS2) used by some versions of
Symantec System Center, Symantec Antivirus Server, and Symantec AntiVirus
Central Quarantine Server contains four vulnerabilities.
Affected Products
Product                               Version               Solution
Symantec AntiVirus Corporate Edition  9.0 MR6 and earlier   Update to SAV 9.0 MR7
                                      10.0 all versions     Update to SAV 10.1 MR8
                                      10.1 MR7 and earlier  Update to SAV 10.1 MR8
                                      10.2 MR1 and earlier  Update to SAV 10.2 MR2
Symantec Client Security              2.0 MR6 and earlier   Update to SCS 2.0 MR7
                                      3.0 all versions      Update to SCS 3.1 MR8
                                      3.1 MR7 and earlier   Update to SCS 3.1 MR8
Symantec Endpoint Protection          11.0 MR2 and earlier  Update to SEP 11.0 MR3
Note: These vulnerabilities only impact the products indicated if the AMS2
component is installed. See the Symantec Response section for additional
information.
Unaffected Products
Product                      Version
Norton product lines         All
Altiris Management Service   All
Details
Alert Management System 2 (AMS2) is a component of the Symantec System Center
console, Symantec AntiVirus Server, and of the Symantec AntiVirus Central
Quarantine Server.
AMS2 listens for specific security related events on a computer network, and
sends notifications as specified by the administrator.
Four vulnerabilities in AMS2 components have been reported to Symantec.
1) Intel Common Base Agent Remote Command Execution Vulnerability
The Intel LANDesk Common Base Agent (CBA) could allow a specially crafted
packet sent to TCP Port 12174 to pass the packet contents as an argument to
CreateProcessA(). The resulting command will be executed with SYSTEM
privileges.
This vulnerability was discovered by Tenable Network Security, working
through the Zero Day Initiative (ZDI).
2) Intel Alert Originator Service Stack Overflow Vulnerability
The Intel Alert Originator Service (IAO.EXE) does not properly validate data
sent to a stack buffer through a call to memcpy(). An attacker could use a
specially crafted packet to overflow the stack, and execute code of their
choice with SYSTEM rights.
This vulnerability was discovered by: Sebastian Apelt, working through the
Zero Day Initiative (ZDI).
3) Intel Alert Originator Service Buffer Overflow Vulnerabilities
Intel Alert Originator Service (IAO.EXE) does not properly validate data sent
to it by the MsgSys.exe process. This could potentially lead to stack based
buffer overflows during calls to strcpy() and memcpy(). An attacker could
potentially leverage this to execute code of their choice with SYSTEM rights.
This vulnerability was discovered by Sebastian Apelt, working through the
Zero Day Initiative (ZDI).
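Items 2 and 3 above describe one defect class: a length or payload taken from the network drives memcpy()/strcpy() into a fixed-size stack buffer without validation. The following C example is added here to illustrate that class beside its hardened form; it is not code from IAO.EXE or MsgSys.exe, and the two-byte length-prefixed message format and the sample packets are constructed assumptions for the example only.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical wire format (assumed for this example, not AMS2's): a 2-byte
 * big-endian length followed by that many bytes of alert text. */
#define MSG_BUF 64

/* Defect class described for IAO.EXE: the packet's length field is trusted
 * as-is and drives memcpy() into a fixed-size stack buffer. */
size_t handle_alert_unchecked(const uint8_t *pkt, size_t pktlen)
{
    char buf[MSG_BUF];
    if (pktlen < 2) return 0;
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(buf, pkt + 2, len);   /* len > MSG_BUF overwrites the stack */
    return len;
}

/* Hardened form: bound the copy by the bytes actually received and by the
 * destination size, and reject anything that does not fit. */
int handle_alert_checked(const uint8_t *pkt, size_t pktlen,
                         char *out, size_t outlen)
{
    if (pktlen < 2) return -1;
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    if (len > pktlen - 2) return -1;  /* declares more than was received */
    if (len >= outlen) return -1;     /* no room for text plus terminator */
    memcpy(out, pkt + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample packets (not captured traffic) fed to the hardened
 * parser; each returns the parser's result code. */
int demo_valid(void)       /* "alert" declared as 5 bytes: accepted (5) */
{
    const uint8_t pkt[] = {0x00, 0x05, 'a', 'l', 'e', 'r', 't'};
    char out[MSG_BUF];
    return handle_alert_checked(pkt, sizeof pkt, out, sizeof out);
}
int demo_truncated(void)   /* declares 0xFFFF bytes, carries 3: -1 */
{
    const uint8_t pkt[] = {0xFF, 0xFF, 'a', 'b', 'c'};
    char out[MSG_BUF];
    return handle_alert_checked(pkt, sizeof pkt, out, sizeof out);
}
int demo_oversized(void)   /* 100 real bytes aimed at a 64-byte buffer: -1 */
{
    uint8_t pkt[2 + 100] = {0x00, 0x64};
    char out[MSG_BUF];
    memset(pkt + 2, 'A', 100);
    return handle_alert_checked(pkt, sizeof pkt, out, sizeof out);
}
```

The unchecked variant is shown only for contrast; the checked variant rejects both a length field that exceeds what was received and a payload that would not fit the destination.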
4) Alert Management System Console Arbitrary Program Execution Design Error
Vulnerability
The Intel File Transfer service (XFR.EXE) provides file transfer capabilities
to AMS2. A design error in XFR.EXE could allow an attacker to execute code of
their choice with SYSTEM privileges on a vulnerable system. If an attacker is
able to establish a TCP session with a vulnerable host, the issue could be
exploited by placing arbitrary code on a fileshare or WebDav server, and then
sending the UNC path to XFR.EXE. The code would then be executed on the
vulnerable system.
This issue was reported by an anonymous finder, working through iDefense.
Symantec Response
Symantec engineers verified that these vulnerabilities affect the products
listed in the Affected Products table, above. Updates have been released to
address these issues.
Symantec System Center Impact
Symantec System Center (SSC) is a Microsoft Management Console (MMC) plug-in
which allows an administrator to manage all Symantec AntiVirus platforms from
a single, centralized location. Alert Management System 2 (AMS2) is an
alerting feature of System Center that listens for specific events and sends
notifications as specified by the administrator.
AMS2 is installed by default with Symantec System Center 9.0. AMS2 is an
optional component in Symantec System Center 10.0 or 10.1. These
vulnerabilities will only impact systems if AMS has been installed.
Symantec AntiVirus Server Impact
AMS2 is installed by default with Symantec AntiVirus Server 9.0. AMS2 is an
optional component in Symantec AntiVirus Server 10.0 or 10.1. These
vulnerabilities will only impact systems if AMS has been installed.
Symantec AntiVirus and Symantec Endpoint Protection Central Quarantine Server
Impact
AMS2 is installed by default by Central Quarantine Server. These
vulnerabilities will only impact systems if Quarantine Server has been
installed.
Symantec is not aware of any customers impacted by these issues, or of any
attempts to exploit them. However, we recommend that any affected customers
update their product immediately to protect against potential attempts to
exploit these issues.
Certain localized language versions of SCS 2.0/SAV 9.x were not patched due
to compatibility issues on the localized platforms. As a result, customers
who are running the following versions are strongly recommended to update to
a non-vulnerable SCS 2.0/SAV 9 International English version or upgrade to a
non-vulnerable version of SEP 11.x:
* Symantec Client Security 2.0/Symantec AntiVirus Corporate Edition 9.x
  (Chinese Simplified and Chinese Traditional)
* Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x
  (Chinese Simplified and Chinese Traditional)
* Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Korean)
* Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x
  (Japanese licensed)
Mitigation
Reporting has replaced AMS2 as the recommended method of alerting. Symantec
Endpoint Protection Central Quarantine Server 11.0 MR3 and later no longer
include AMS2. Symantec recommends that customers who are still using AMS2
switch to Reporting to manage alerts in their environments. If the customer
is unable to switch to Reporting immediately, Symantec recommends that the
customer either disable AMS2 as a temporary mitigation or uninstall AMS2
completely.
Best Practices
As a part of normal best practices, users should:
* Restrict access to computer systems to trusted users only.
* Keep all operating systems and applications updated with the latest
vendor patches.
* Follow a multi-layered approach to security. Run both firewall and
antivirus software to provide multiple points of protection from
inbound and outbound threats.
* Run under the principle of least privilege.
Credit
Symantec thanks the following people and organizations for reporting these
issues, and coordinating with us on the resolution:
Zero Day Initiative (www.zerodayinitiative.com); Tenable Network Security
(www.tenablesecurity.com/); Sebastian Apelt (webmaster@buzzworld.org);
iDefense (http://labs.idefense.com/), and an anonymous finder.
References
These issues are candidates for inclusion in the Common Vulnerabilities and
Exposures (CVE) list (http://cve.mitre.org), which standardizes names for
security problems. CVE has assigned CVE identifiers to these issues. These
issues are also included in the SecurityFocus (http://www.securityfocus.com)
BID database.
The following CVE and BID identifiers have been assigned to these issues:
Intel Common Base Agent Remote Command Execution Vulnerability
    CVE: CVE-2009-1429    BID: 34671
Intel Alert Originator Service Stack Overflow Vulnerability
    CVE: CVE-2009-1430    BID: 34672
Intel Alert Originator Service Buffer Overflow Vulnerabilities
    CVE: CVE-2009-1430    BID: 34674
Alert Management System Console Arbitrary Program Execution Design Error
Vulnerability
    CVE: CVE-2009-1431    BID: 34675
Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows the principles of responsible
disclosure. Symantec also subscribes to the vulnerability disclosure
guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact secure@symantec.com if you feel you have discovered a security
issue in a Symantec product. A Symantec Product Security team member will
contact you regarding your submission. Symantec strongly recommends using
encrypted email for reporting vulnerability information to
secure@symantec.com. The Symantec Product Security PGP key can be found at
the end of this message.
Symantec has developed a Product Vulnerability Response document outlining
the process we follow in addressing suspected vulnerabilities in our products.
This document is available below.
Symantec Vulnerability Response Policy:
http://www.symantec.com/security/Symantec-Product-Vulnerability-Response.pdf
Symantec Product Vulnerability Management PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc
Copyright (c) by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Security Response.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com
Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and
secure@symantec.com are registered trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All other
registered and unregistered trademarks represented in this document are the
sole property of their respective companies/owners.
Last modified on: April 28, 2009
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJ97HGNVH5XJJInbgRAlldAJ9xW1FeHWofz6mqn9JFlioqTJdqGQCePQGT
/DaPbst6HhtpaQzalwGRa4I=
=biV+
-----END PGP SIGNATURE-----