Date: 28 January 2011
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0098
Security Advisories Relating to Symantec Products - Symantec Intel Alert
Management System Multiple Code Execution Issues
28 January 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Symantec AntiVirus Corporate Edition Server 10.x
Symantec System Center 10.x
Symantec Quarantine Server 3.5 and 3.6
Publisher: Symantec
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2010-0110
Original Bulletin:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Advisories Relating to Symantec Products - Symantec Intel Alert
Management System Multiple Code Execution Issues
SYM11- 002
January 26, 2011
Revision History
None
Severity
High
CVSS2 Base Score: 7.9
Impact 10.0 Exploitability 5.5
CVSS 2 Base Vector: AV:A/AC:M/Au:N/C:C/I:C/A:C
Exploit Publicly Available: proof of concept
Overview
Symantec was notified of multiple instances of failure to properly handle user
input in the Third Party Intel Alert Management System(AMS2) which could result
in arbitrary code execution.
Affected Product(s)
Product Version Solution
Symantec AntiVirus Corporate Edition Server 10.x Upgrade to
SAVCE 10.1 MR10
Symantec System Center 10.x Upgrade to SSC
from SAVCE 10.1
MR10
Symantec Quarantine Server 3.6 Upgrade to
Quarantine Server
from SEP 11.0
MR3 or later
Symantec Quarantine Server 3.5 Upgrade to
Quarantine Server
from SAVCE 10.1
MR10
Details
The Intel Alert Management System (AMS2) is used in Symantec AntiVirus
Corporate Edition Server (SAVCE), Symantec System Center (SSC), and Symantec
Quarantine Server. AMS2 listens on TCP Port 38292 and allows SAVCE
Administrators to send messages(i.e. email) if a user-specified event occurs.
Symantec was notified of multiple vulnerabilities in AMS2. It is possible to
send specially-crafted packets to the targeted server, causing a buffer
overflow or allowing arbitrary commands to run, potentially executing
arbitrary code. The successful exploitation of these vulnerabilities could
result in a possible compromise of the affected products.
AMS2 has not been included in a default install of SAVCE Server or SSC since
version 10.0. AMS2 was included in the default install of Quarantine Server
prior to SEP 11.0 MR3.
Symantec Response
Symantec engineers verified these issues and released an update to address
them. Symantec customers should update to the latest maintenance release
available through normal update procedures.
Symantec knows of no exploitation of or adverse customer impact from this
issue.
Mitigations
Symantec recommends upgrading any vulnerable versions of SAVCE Server or
Symantec System Center to SAVCE 10.1 MR10. Vulnerable versions of Quarantine
Server 3.5 should be upgraded to SAVCE 10.1 MR10. Vulnerable versions of
Quarantine Server 3.6 should be upgraded to SEP 11.0 MR3 or later. SEP users
running a version of Quarantine Server from SEP 11.x later than MR2 are not
vulnerable. Reporting has replaced AMS2 as the recommended method of alerting.
Symantec recommends that customers who are still using AMS2 switch to
Reporting to manage alerts in their environments.
If the customer is unable to switch to Reporting immediately or upgrade to a
non-vulnerable version then Symantec recommends that the customer either
disable AMS2 as a temporary mitigation or completely uninstall AMS2.
As an additional mitigation, Symantec recommends blocking port 38292 in the
corporate environment. This will effectively disable the alert service from
sending or receiving messages.
Best Practices
As part of normal best practices, Symantec strongly recommends:
* Restrict access to administration or management systems to privileged
users.
* Restrict remote access, if required, to trusted/authorized systems
only.
* Run under the principle of least privilege where possible to limit the
impact of exploit by threats.
* Keep all operating systems and applications updated with the latest
vendor patches.
* Follow a multi-layered approach to security. Run both firewall and
anti-malware applications, at a minimum, to provide multiple points of
detection and protection to both inbound and outbound threats.
* Deploy network and host-based intrusion detection systems to monitor
network traffic for signs of anomalous or suspicious activity. This may
aid in detection of attacks or malicious activity related to exploitation
of latent vulnerabilities.
Credit
Symantec would like to thank the finders of these issues:
Junaid Bohio of Vulnerability Research Team, Telus Security Labs
An anonymous finder through Tippingpoints Zero Day Initiative(ZDI)
Nahuel Riva of Core Security Technologies
BID: SecurityFocus (http://www.securityfocus.com) has assigned Bugtraq ID(BID)
45936 to these vulnerabilities.
CVE: These issues are candidates for the Common Vulnerabilities and Exposures
(CVE) list (http://cve.mitre.org), which standardizes names for security
problems. CVE-2010-0110 has been assigned to these vulnerabilities
Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows responsible disclosure guidelines.
Please contact secure@symantec.com if you feel you have discovered a security
issue in a Symantec product. A member of the Symantec Product Security team
will contact you regarding your submission to coordinate any required response.
Symantec strongly recommends using encrypted email for reporting vulnerability
information to secure@symantec.com. The Symantec Product Security PGP key can
be found at the location below.
Symantec has developed a Product Vulnerability Response document outlining
the process we follow in addressing suspected vulnerabilities in our products.
This document is available below.
Copyright (c) by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Product Security.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com
Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Product Security, and
secure@symantec.com are registered trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All other
registered and unregistered trademarks represented in this document are the
sole property of their respective companies/owners.
Last modified on: January 26, 2011
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFNQjJt/iFOrG6YcBERAkwpAJ0cHq/pKiVpz831xTuyja8K0Kk3ZACfUUCL
Od7A/XKNuEj92qKdW5Me43Y=
=9BDk
-----END PGP SIGNATURE-----
|