Date: 29 July 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.0658
Security Advisories Relating to Symantec Products - Multi-Vendor Autonomy
KeyView Filter Multiple Security Issues
29 July 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:          Symantec Mail Security for Domino 7.5.x and 8.0.x
                  Symantec Mail Security for Microsoft Exchange 6.0.5 and later
                  Symantec Mail Security for Microsoft Exchange 6.5.0
                  Symantec Brightmail Gateway 9.0 and earlier
                  Symantec Data Loss Prevention Enforce/Detection Servers for
                    Windows 8.1.1, 9.x, 10.0 and 10.5
                  Symantec Data Loss Prevention Enforce/Detection Servers for
                    Linux 8.1.1, 9.x, 10.0 and 10.5
                  Symantec Data Loss Prevention Endpoint Agents 8.1.1, 9.x,
                    10.0 and 10.5
                  Symantec IM Manager 2007 8.4.x
Operating System: Windows
                  Linux variants
                  AIX
                  Solaris
                  VMWare ESX Server
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                  Denial of Service               -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2010-1525 CVE-2010-1524 CVE-2010-0135 CVE-2010-0134
                  CVE-2010-0133 CVE-2010-0131 CVE-2010-0126
Original Bulletin:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100727_01
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Advisories Relating to Symantec Products - Multi-Vendor Autonomy
KeyView Filter Multiple Security Issues
SYM10-009
July 27, 2010
Description
Revision History
None
Severity
Low to High (dependent on how specific products utilize the KeyView Filter)
NOTE: Many affected Symantec products currently run Autonomy's Verity KeyView
Filter out-of-process with limited privileges, further reducing the impact of
this issue.
Remote Access Yes
Local Access No
Authentication Required No
Exploit publicly available No
Overview
Symantec products that ship with the Verity KeyView Filter have updated the
module to address multiple security issues being reported in the content
filter processing of specifically crafted document formats.
Affected Products
Product:     Symantec Mail Security for Domino
Version:     8.0.x
Build:       All
Solution(s): SMSDOM 8.0.6

Product:     Symantec Mail Security for Domino
Version:     7.5.x
Build:       All
Solution(s): SMSDOM 7.5.10

Product:     Symantec Mail Security for Microsoft Exchange
Version:     6.0.5 and later
Build:       All
Solution(s): SMSMSE 6.0.11

Product:     Symantec Mail Security for Microsoft Exchange
Version:     6.5.0
Build:       All
Solution(s): SMSMSE 6.5.1

Product:     Symantec Brightmail Gateway
Version:     9.0 and earlier
Build:       All
Solution(s): Brightmail Gateway 9.0.2

Product:     Symantec Mail Security for SMTP (End of Life)
Version:     5.0.x
Build:       All
Solution(s): None (End of Life; see NOTE below)

Product:     Symantec Data Loss Prevention Enforce/Detection Servers for Windows
Version:     8.1.1, 9.x, 10.0, 10.5
Build:       All
Solution(s): Update to DLP 10.5 and apply
             Symantec_DLP_10.5.1_ReleaseUpdate_Win-IN.zip

Product:     Symantec Data Loss Prevention Enforce/Detection Servers for Linux
Version:     8.1.1, 9.x, 10.0, 10.5
Build:       All
Solution(s): Update to DLP 10.5 and apply
             Symantec_DLP_10.5.1_ReleaseUpdate_Lin-IN.zip

Product:     Symantec Data Loss Prevention Endpoint Agents
Version:     8.1.1, 9.x, 10.0, 10.5
Build:       All
Solution(s): Update to DLP 10.5 Agent and apply
             Symantec_DLP_10.5.1_Agent_Win-IN.zip

Product:     Symantec IM Manager 2007
Version:     8.4.x
Build:       All
Solution(s): IMM 8.4.15
NOTE: Symantec Mail Security for SMTP 5.x has reached End-of-Life (EOL) and
will no longer be updated. Customers still running SMS for SMTP 5.x are urged
to transition to the Symantec Brightmail Gateway Appliance and apply all
available updates.
Products Not Affected
Product                                        Version
Symantec Mail Security for Domino              SMSDOM MPE 3.2, SMSDOM 5.1
Symantec Mail Security for Microsoft Exchange  All 6.0.x versions prior to 6.0.5
Details
Secunia Research notified Symantec of multiple vulnerabilities identified in
DLLs contained in Autonomy's Verity KeyView Filter shipped and installed with
the identified Symantec products. These vulnerabilities can potentially be
targeted during the content filtering process run against incoming, specifically
formatted files. The result of an exploitation attempt depends on the product
doing the processing and ranges from no impact, to a crash of the child process
with negligible impact, to an application crash, or to an attack that could
potentially result in a compromise of the system.
Symantec Response
Symantec product engineers verified the reported issues. Symantec engineers
worked closely with Autonomy to identify any additional areas that could
present possible security concerns and obtain updates for all the identified
issues.
In the Symantec Brightmail Gateway, Symantec Mail Security for SMTP and
Symantec Data Loss Prevention products the Verity KeyView Filter processes have
been separated from the Symantec application processes (out-of-process) and run
with limited privileges. This out-of-process method specifically addresses
these types of security concerns. Any attempt to exploit the Verity KeyView
Filter results in process termination of the offending thread and an error
message generated to and handled by the specific application(s). However,
non-vulnerable versions of the Verity Filter are being made available to
customers as indicated above.
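The out-of-process design described above (run the third-party filter in a separate, resource-limited process and turn any crash of that process into an error the application handles) is illustrated by the following supervisor. This is an added example, not Symantec's or Autonomy's code: the toy "DOC" document format, the worker program and its crash behaviour are all constructed for illustration, and the function names are hypothetical.

```python
"""Added example (not Symantec's or Autonomy's code): an out-of-process
content filter supervisor in the style the advisory describes.

The document format, the worker and its crash behaviour are constructed."""
import json
import os
import subprocess
import sys

# Source of the worker process. It stands in for a third-party document
# filter such as KeyView: it parses a constructed toy format
#   b"DOC" + one length byte + that many bytes of text
# and is deliberately fragile: a length byte larger than the real payload
# makes it abort, the way a memory-safety bug in a real filter would.
WORKER_SRC = r'''
import json, os, sys
data = sys.stdin.buffer.read()
if len(data) < 4 or data[:3] != b"DOC":
    print(json.dumps({"error": "unsupported format"}))
    sys.exit(2)
length = data[3]
text = data[4:4 + length]
if len(text) != length:
    os.abort()          # simulated crash on a crafted length field
print(json.dumps({"text": text.decode("latin-1")}))
'''


def _limit_child() -> None:
    """Resource limits applied in the child before exec (POSIX only).

    A production deployment would also switch the child to a dedicated
    low-privilege account here (os.setuid), which is what the advisory
    means by 'limited privileges'; that needs root, so it is omitted."""
    try:
        import resource
        resource.setrlimit(resource.RLIMIT_CPU, (5, 5))                 # seconds
        resource.setrlimit(resource.RLIMIT_AS, (512 << 20, 512 << 20))  # bytes
    except (ImportError, ValueError, OSError):
        pass  # scan without limits rather than fail the scan outright


def filter_out_of_process(document: bytes, timeout: float = 10.0) -> dict:
    """Run the fragile filter in its own process and return a dict holding
    either 'text' or 'error'. A crash, hang or bad exit of the child is
    turned into an error for the caller; it never takes this process down."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", WORKER_SRC],
            input=document,
            capture_output=True,
            timeout=timeout,
            preexec_fn=_limit_child if os.name == "posix" else None,
        )
    except subprocess.TimeoutExpired:
        return {"error": "filter timed out; document not scanned"}

    if proc.returncode < 0:
        # Killed by a signal (SIGABRT, SIGSEGV, ...): only the worker died.
        return {"error": f"filter crashed (signal {-proc.returncode}); "
                         "document not scanned"}
    try:
        result = json.loads(proc.stdout)
    except ValueError:
        result = {}
    if proc.returncode != 0:
        return {"error": result.get(
            "error", f"filter exited with status {proc.returncode}")}
    if "text" not in result:
        return {"error": "filter returned no text"}
    return result


if __name__ == "__main__":
    # Constructed inputs: a well-formed document, a crafted one whose length
    # byte (0xff) overstates the payload, and an unrelated format.
    for sample in (b"DOC\x05hello", b"DOC\xffshort", b"%PDF-1.4 not a DOC"):
        print(sample[:12], "->", filter_out_of_process(sample))
```

The caller sees a structured error for the crafted document (the advisory's "error message generated to and handled by the specific application") and can quarantine or reject it, while the supervising process, and with it the mail or DLP application, keeps running. Running the filter in the same process, as the advisory says SMS for Microsoft Exchange does, would instead let the same abort terminate the application.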
Symantec IM Manager does NOT use the vulnerable content filtering process of
the Verity Filter and is not vulnerable to these identified issues. However,
Symantec IM Manager currently ships with a vulnerable version of the Verity
Filter. An update to the Verity Filter is available to IM Manager customers.
Symantec Mail Security for Domino runs the Verity Filter out-of-process by
default, preventing attack attempts from crashing the application. However, the
process runs at the same privilege as the application, which could potentially
allow a privileged compromise in a successful exploit attempt. Symantec Mail
Security for Microsoft Exchange runs the Verity Filter as part of the
application process, which could potentially result in a denial of service
crashing the application or possibly a privileged compromise in the event of a
successful exploit. Customers running SMSDom or SMSME should update to the
non-vulnerable versions identified above or implement the workarounds described
below until updates can be deployed.
Symantec knows of no exploitation of or adverse customer impact from these
issues.
Update Information
Updates will be available from your normal support/download locations.
SMS for Domino and Microsoft Exchange updates are available through the
Platinum Support Web Site for Platinum customers or through the FileConnect -
Electronic Software Distribution web site.
Symantec DLP updates are available for download through secure file exchange.
Symantec IM Manager updates are available through the FileConnect - Electronic
Software Distribution web site.
Workaround
Temporary Workaround for Symantec Mail Security for Domino
Installations of SMS for Domino that do not utilize the Content Filtering
capabilities of the product are not susceptible to this issue. SMS for Domino
would be susceptible only if the attachment content scanning option is enabled.
As an interim workaround, administrators unable to upgrade to the recommended
solution may disable content filtering rules that contain parameters that
specify scanning of attachment content. The rules do not need to be deleted,
only disabled until the updated release is installed.
To disable the content filtering rules for Symantec Mail Security for Domino
* Select the "Content Filtering" tab to display the list of current enabled
rules
* Click on the checkmark to the left of any rules that utilize attachment
content filtering, changing it to a red "X", and disabling the rule
Temporary Workaround for Symantec Mail Security for Microsoft Exchange
Installations of SMS for Microsoft Exchange that do not utilize the Content
Filtering capabilities of the product are not susceptible. SMS for Microsoft
Exchange is susceptible only if the attachment content scanning option is
enabled.
As an interim workaround, administrators unable to upgrade to the recommended
solution may disable content filtering rules that contain parameters that
specify scanning of attachment content. The rules do not need to be deleted,
only disabled until the updated release is installed.
To disable the content filtering rules for SMS for Microsoft Exchange:
* Select the "Policies" tab and then choose "Content Filtering" to display
the list of currently enabled rules
* Ensure that all rules using attachment content are "disabled"
Temporary Workaround for Symantec Mail Security and Symantec Brightmail Gateway
Risk from this vulnerability is limited on installations of SMS for SMTP and
SMS Gateway in which the attachment content scanning option is enabled.
However, installations that do not utilize the Content Filtering capabilities
of the product are not susceptible to this issue.
As an interim workaround, administrators unable to upgrade to the recommended
solution may disable content filtering rules that contain parameters that
specify scanning of attachment content. The rules do not need to be deleted,
only disabled until the updated release is installed.
To disable the content filtering rules for SMS for SMTP (End of Life) until
customers can update to Symantec Brightmail Gateway:
* Log into the management console and navigate to:
* Settings >> Email Scanning >> Scanning
* Disable the item "Enable searching of non-plain text attachments for
words in dictionaries", by deselecting the checkbox, and saving
* Disable any Compliance policies with a condition "If the Attachment
content . . ."
To disable the content filtering rules for Symantec Brightmail Gateway:
* Log into the management console and navigate to the SMTP Scanning
Settings screen
* Disable the item "Enable searching of non-plain text attachments for
words in dictionaries", by deselecting the checkbox, and saving
* Disable any Compliance policies with a condition:
o "If any part of the message matches" (or "does not match") a
regular expression, pattern or Record Resource.
o "If text in Attachment content part of the message . . . "
Best Practices
As part of normal best practices, Symantec strongly recommends:
* Restrict access to administration or management systems to privileged
users.
* Restrict remote access, if required, to trusted/authorized systems only.
* Run under the principle of least privilege where possible to limit the
impact of exploit by threats.
* Keep all operating systems and applications updated with the latest
vendor patches.
* Follow a multi-layered approach to security. Run both firewall and anti-
malware applications, at a minimum, to provide multiple points of
detection and protection to both inbound and outbound threats.
* Deploy network and host-based intrusion detection systems to monitor
network traffic for signs of anomalous or suspicious activity. This may
aid in detection of attacks or malicious activity related to
exploitation of latent vulnerabilities.
Credit
Symantec credits and thanks Carsten Eiram and Dyon Balding, Secunia Research,
for identifying these issues to Symantec and working with us as they were
resolved.
Reference
Security Focus, http://www.securityfocus.com, has assigned Bugtraq ID (BID)
41928 to identify these issues for inclusion in the Security Focus
vulnerability database.
Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows the OISafety responsible disclosure
guidelines. Symantec also subscribes to the vulnerability disclosure
guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact secure@symantec.com if you feel you have discovered a security
issue in a Symantec product. A Symantec Product Security team member will
contact you regarding your submission. Symantec strongly recommends using
encrypted email for reporting vulnerability information to secure@symantec.com.
The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining the
process we follow in addressing suspected vulnerabilities in our products. This
document is available below.
Copyright (c) by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Security Response.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com
Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage arising
from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com
are registered trademarks of Symantec Corp. and/or affiliated companies in the
United States and other countries. All other registered and unregistered
trademarks represented in this document are the sole property of their
respective companies/owners.
Last modified on: July 27, 2010
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFMUPtf/iFOrG6YcBERAtCjAKC6pku+/xgdaDDOBvgd9CCLGqZj8gCglzWS
LMnI5IzZPNrH+Gh8aQcmi3k=
=jTMc
-----END PGP SIGNATURE-----