AusCERT - AL-2009.0036 -- [Win][Netware][Linux] -- Symantec Alert Management System 2: Administrator Compromise

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
AL-2009.0036 -- [Win][Netware][Linux] -- Symantec Alert Management System 2: Administrator Compromise
Date: 29 April 2009

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2009.0036 -- AUSCERT ALERT
                           [Win][Netware][Linux]
       Symantec Alert Management System 2: Administrator Compromise
                               29 April 2009

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:              Symantec AntiVirus Corporate Edition 9.0 MR6 and 
                        earlier
                      Symantec AntiVirus Corporate Edition 10.0 all versions 
                      Symantec AntiVirus Corporate Edition 10.1 MR7 and 
                        earlier
                      Symantec AntiVirus Corporate Edition 10.2 MR1 and 
                        earlier
                      Symantec Client Security 2.0 MR6 and earlier
                      Symantec Client Security 3.0 all versions
                      Symantec Client Security 3.1 MR7 and earlier
                      Symantec Endpoint Protection 11.0 MR2 and earlier
Publisher:            Symantec
Operating System:     Windows
                      Netware
                      Linux variants
Impact:               Administrator Compromise
CVE Names:            CVE-2009-1429 CVE-2009-1430 CVE-2009-1431
Member content until: Wednesday, May 27 2009

Original Bulletin:    
  http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_02

- --------------------------BEGIN INCLUDED TEXT--------------------

Symantec Alert Management System 2 multiple vulnerabilities

SYM09-007

April 28, 2009

Description

Revision History
None

Risk Impact
High

Remote Access           Yes
Local Access            Yes
Authentication Required No
Exploit available       No


Overview
The version of Alert Management System 2 (AMS2) used by some versions of 
Symantec System Center, Symantec Antivirus Server, and Symantec AntiVirus 
Central Quarantine Server contains four vulnerabilities.

Affected Products
Product                                 Version                 Solution
Symantec AntiVirus Corporate Edition    9.0 MR6 and earlier     Update to SAV 
                                                                9.0 MR7
                                        10.0 all versions       Update to SAV 
                                                                10.1 MR8
                                        10.1 MR7 and earlier    Update to SAV 
                                                                10.1 MR8
                                        10.2 MR1 and earlier    Update to SAV 
                                                                10.2 MR2

Symantec Client Security                2.0 MR6 and earlier     Update to SCS 
                                                                2.0 MR7
                                        3.0 all versions        Update to SCS 
                                                                3.1 MR8
                                        3.1 MR7 and earlier     Update to SCS 
                                                                3.1 MR8
Symantec Endpoint Protection            11.0 MR2 and earlier    Update to SEP 
                                                                11.0 MR3

Note: These vulnerabilities only impact the products indicated if the AMS2 
component is installed. See the Symantec Response section for additional 
information.

Unaffected Products
Product                         Version
Norton product lines            All
Altiris Management Service      All

Details
Alert Management System 2 (AMS2) is a component of the Symantec System Center 
console, Symantec AntiVirus Server, and of the Symantec AntiVirus Central 
Quarantine Server.
AMS2 listens for specific security related events on a computer network, and 
sends notifications as specified by the administrator.

Four vulnerabilities in AMS2 components have been reported to Symantec.

1) Intel Common Base Agent Remote Command Execution Vulnerability
The Intel LANDesk Common Base Agent (CBA) could allow a specially crafted 
packet sent to TCP Port 12174 to pass the packet contents as an argument to 
CreateProcessA(). The resulting command will be executed with SYSTEM 
privileges.

This vulnerability was discovered by Tenable Network Security, working 
through the Zero Day Initiative (ZDI). 

2) Intel Alert Originator Service Stack Overflow Vulnerability
The Intel Alert Originator Service (IAO.EXE) does not properly validate data 
sent to a stack buffer through a call to memcpy(). An attacker could use a 
specially crafted packet to overflow the stack, and execute code of their 
choice with SYSTEM rights.

This vulnerability was discovered by: Sebastian Apelt, working through the 
Zero Day Initiative (ZDI).

3) Intel Alert Originator Service Buffer Overflow Vulnerabilities
Intel Alert Originator Service (IAO.EXE) does not properly validate data sent 
to it by the MsgSys.exe process. This could potentially lead to stack based 
buffer overflows during calls to strcpy() and memcpy(). An attacker could 
potentially leverage this to execute code of their choice with SYSTEM rights.

This vulnerability was discovered by Sebastian Apelt, working through the 
Zero Day Initiative (ZDI).

4) Alert Management System Console Arbitrary Program Execution Design Error 
Vulnerability

The Intel File Transfer service (XFR.EXE) provides file transfer capabilities 
to AMS2. A design error in XFR.EXE could allow an attacker to execute code of 
their choice with SYSTEM privileges on a vulnerable system. If an attacker is 
able to establish a TCP session with a vulnerable host, the issue could be 
exploited by placing arbitrary code on a fileshare or WebDav server, and then 
sending the UNC path to XFR.EXE. The code would then be executed on the 
vulnerable system.

This issue was reported by an anonymous finder, working through IDefense

Symantec Response
Symantec engineers verified that these vulnerabilities affect the products 
listed in the Affected Products table, above. Updates have been released to 
address these issues.

Symantec System Center Impact

Symantec System Center (SSS) is a Microsoft Management Console (MMC) plug-in 
which allows an administrator to manage all Symantec AntiVirus platforms from 
a single, centralized location. Alert Management System 2 (AMS2) is an 
alerting feature of System Center that listens for specific events and sends
 notifications as specified by the administrator.

AMS2 is installed by default with Symantec System Center 9.0. AMS2 is an 
optional component in Symantec System Center 10.0 or 10.1. These 
vulnerabilities will only impact systems if AMS has been installed.

Symantec AntiVirus Server Impact 

AMS2 is installed by default with Symantec AntiVirus Server 9.0. AMS2 is an 
optional component in Symantec AntiVirus Server 10.0 or 10.1. These 
vulnerabilities will only impact systems if AMS has been installed.

Symantec AntiVirus and Symantec Endpoint Protection Central Quarantine Server 
Impact

AMS2 is installed by default by Central Quarantine Server. These 
vulnerabilities will only impact systems if Quarantine Server has been 
installed.

Symantec is not aware of any customers impacted by these issues, or of any
attempts to exploit them. However, we recommend that any affected customers 
update their product immediately to protect against potential attempts to 
exploit these issues. 

Certain localized language versions of SCS 2.0/SAV 9.x were not patched due 
to compatibility issues on the localized platforms. As a result, customers 
who are running the following versions are strongly recommended to update to 
a non-vulnerable SCS 2.0/SAV 9 International English version or upgrade to a 
non-vulnerable version of SEP 11.x:

Symantec Client Security 2.0/Symantec AntiVirus Corporate Edition 9.x (Chinese 
Simplified and Chinese Traditional)
Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Chinese 
Simplified and Chinese Traditional)
Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Korean)
Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Japanese 
licensed)

Mitigation
Reporting has replaced AMS2 as the recommended method of alerting. Symantec 
Endpoint Protection Central Quarantine Server 11.0 MR3 and later no longer 
include AMS2. Symantec recommends that customers who are still using AMS2 
switch to Reporting to manage alerts in their environments. If the customer 
is unable to switch to Reporting immediately then Symantec recommends that 
the customer either disables AMS2 as a temporary mitigation or completely 
uninstall AMS2.

Best Practices
As a part of normal best practices, users should:

    * Restrict access to computer systems to trusted users only.
    * Keep all operating systems and applications updated with the latest 
      vendor patches.
    * Follow a multi-layered approach to security. Run both firewall and 
      antivirus software to provide multiple points of protection from 
      inbound and outbound threats.
    * Run under the principle of least privilege. 

Credit
Symantec thanks the following people and organizations for reporting these 
issues, and coordinating with us on the resolution:

Zero Day Initiative (www.zerodayinitiative.com); Tenable Network Security 
(www.tenablesecurity.com/); Sebastian Apelt (webmaster@buzzworld.org); 
iDefense (http://labs.idefense.com/), and an anonymous finder.
References
These issues are candidates for inclusion in the Common Vulnerabilities and 
Exposures (CVE) list (http://cve.mitre.org), which standardizes names for 
security problems. CVE has assigned CVE identifiers to these issues. These 
issues are also included in the SecurityFocus (http://www.securityfocus.com) 
BID database.

The following CVE and BID identifiers have been assigned to these issues:

Intel Common Base Agent Remote Command Execution Vulnerability
CVE CVE-2009-1429
BID 34671

Intel Alert Originator Service Stack Overflow Vulnerability
CVE CVE-2009-1430
BID 34672


Intel Alert Originator Service Buffer Overflow Vulnerabilities
CVE CVE-2009-1430
BID 34674


Alert Management System Console Arbitrary Program Execution Design Error 
Vulnerability
CVE CVE-2009-1431
BID 34675

Symantec takes the security and proper functionality of our products very 
seriously. As founding members of the Organization for Internet Safety 
(OISafety), Symantec supports and follows the principles of responsible 
disclosure. Symantec also subscribes to the vulnerability disclosure 
guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact secure@symantec.com if you feel you have discovered a security 
issue in a Symantec product. A Symantec Product Security team member will 
contact you regarding your submission. Symantec strongly recommends using 
encrypted email for reporting vulnerability information to 
secure@symantec.com. The Symantec Product Security PGP key can be found at 
the end of this message.
Symantec has developed a Product Vulnerability Response document outlining 
the process we follow in addressing suspected vulnerabilities in our products. 
This document is available below.

Symantec Vulnerability Response Policy:
http://www.symantec.com/security/Symantec-Product-Vulnerability-Response.pdf

Symantec Product Vulnerability Management PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

Copyright (c)  by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it 
is not edited in any way unless authorized by Symantec Security Response. 
Reprinting the whole or part of this alert in any medium other than 
electronically requires permission from secure@symantec.com

Disclaimer
The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. Use of the information 
constitutes acceptance for use in an AS IS condition. There are no warranties 
with regard to this information. Neither the author nor the publisher accepts 
any liability for any direct, indirect, or consequential loss or damage 
arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and 
secure@symantec.com are registered trademarks of Symantec Corp. and/or 
affiliated companies in the United States and other countries. All other 
registered and unregistered trademarks represented in this document are the 
sole property of their respective companies/owners.

Last modified on: April 28, 2009

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFJ97HGNVH5XJJInbgRAlldAJ9xW1FeHWofz6mqn9JFlioqTJdqGQCePQGT
/DaPbst6HhtpaQzalwGRa4I=
=biV+
-----END PGP SIGNATURE-----