Date: 29 May 2006
References: AA-2006.0095 AL-2006.0126
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2006.0042 -- AUSCERT ALERT
[Win]
Symantec AntiVirus and Client Security vulnerable to remote code execution
15 June 2006
===========================================================================
AusCERT Alert Summary
---------------------
Product:            Symantec AntiVirus 10.1.0.400 and prior
                    Symantec Client Security 3.1.0.400 and prior
Publisher:          Symantec
Operating System:   Windows
Impact:             Administrator Compromise
Access:             Remote/Unauthenticated
CVE Names:          CVE-2006-2630
Original Bulletin:
  http://securityresponse.symantec.com/avcenter/security/Content/2006.05.25.html
Comment: The reporters of this vulnerability (eEye) state that it can be
         exploited without any end user interaction:
         http://www.eeye.com/html/research/upcoming/20060524.html
         http://www.eeye.com/html/research/advisories/AD20060612.html
Revision History:
June 15 2006: Symantec adds updates for further affected versions
May 29 2006: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
SYM06-010
May 25, 2006
Symantec Client Security and Symantec AntiVirus Elevation of Privilege
Revision History
May 26, 2006  - Updated Products Affected section and other details
May 27, 2006  - Updated Products Affected section with update info
              - Updated Unaffected Products section
May 30, 2006  - Added CVE identifier
              - Updated Products Affected section with update information
June 1, 2006  - Updated Products Affected section
June 6, 2006  - Updated Products Affected section
              - Updated information on localized product builds
Impact:                      High
Remote:                      Yes
Local:                       Yes
Authentication Required:     No
Exploit publicly available:  No
Overview
A stack overflow in Symantec Client Security and Symantec AntiVirus Corporate
Edition could potentially allow a remote or local attacker to execute code
on the affected machine.
Products Affected
Product                               Version  Build               Solution
Symantec Client Security              3.1      3.1.0.394           3.1.0.396
                                      3.1      3.1.0.400           3.1.0.401
                                      3.0      3.0.2.2000          3.0.2.2002
                                      3.0      3.0.2.2001          3.0.2.2002
                                      3.0      3.0.2.2010          3.0.2.2011
                                      3.0      3.0.2.2020          3.0.2.2021
                                      3.0      3.0.1.1007          3.0.1.1009
                                      3.0      3.0.1.1000          3.0.1.1001
Symantec AntiVirus Corporate Edition  10.1     10.1.0.394          10.1.0.396
                                      10.1     10.1.0.400          10.1.0.401
                                      10.1     10.1.0.394 64 bit   10.1.0.396
                                      10.0     10.0.2.2000         10.0.2.2002
                                      10.0     10.0.2.2001         10.0.2.2002
                                      10.0     10.0.2.2010         10.0.2.2011
                                      10.0     10.0.2.2020         10.0.2.2021
                                      10.0     10.0.1.1007         10.0.1.1009
                                      10.0     10.0.1.1000         10.0.1.1001
http://www.symantec.com/techsupp/enterprise/select_product_updates.html
Note: All builds listed above are English versions only. Information on
localized product builds can be found in the Upgrade Information section below.
Unaffected Products
Product                               Version
Norton Product line                   No products in the Norton product line are affected
Symantec AntiVirus Corporate Edition  8.0, 8.1, 9.0, all builds
Symantec Client Security              1.0, 1.1, 2.0, all builds
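The two tables above are what an administrator has to match an installed build against. The script below is an added example, not Symantec's or AusCERT's code: it transcribes the affected/solution build pairs and the unaffected product lines from the advisory, then classifies each entry of a constructed inventory list. The inventory line format (host, product, build), the host names, the 9.0.0.1000 build on srv-02 and the "unlisted" status are assumptions of the example. Builds are compared as numeric tuples rather than strings, the "64 bit" marker is stripped before matching, and a build that appears in neither table is reported as unlisted rather than guessed at, since the advisory only names specific builds and points to a KB document for the rest.

```python
"""Inventory audit for SYM06-010 / CVE-2006-2630.

Added example; not Symantec's or AusCERT's code. The AFFECTED and UNAFFECTED
tables are transcribed from the advisory. The inventory line format, host
names and report shape are assumptions of this example.
"""
from typing import Optional

# Transcribed from the "Products Affected" table: product -> {build: solution}.
# The 64-bit SAV 10.1 entry carries the same build numbers as the 32-bit one.
AFFECTED = {
    "Symantec Client Security": {
        "3.1.0.394": "3.1.0.396",
        "3.1.0.400": "3.1.0.401",
        "3.0.2.2000": "3.0.2.2002",
        "3.0.2.2001": "3.0.2.2002",
        "3.0.2.2010": "3.0.2.2011",
        "3.0.2.2020": "3.0.2.2021",
        "3.0.1.1007": "3.0.1.1009",
        "3.0.1.1000": "3.0.1.1001",
    },
    "Symantec AntiVirus Corporate Edition": {
        "10.1.0.394": "10.1.0.396",
        "10.1.0.400": "10.1.0.401",
        "10.0.2.2000": "10.0.2.2002",
        "10.0.2.2001": "10.0.2.2002",
        "10.0.2.2010": "10.0.2.2011",
        "10.0.2.2020": "10.0.2.2021",
        "10.0.1.1007": "10.0.1.1009",
        "10.0.1.1000": "10.0.1.1001",
    },
}

# Transcribed from the "Unaffected Products" table as (major, minor) lines.
UNAFFECTED = {
    "Symantec AntiVirus Corporate Edition": {(8, 0), (8, 1), (9, 0)},
    "Symantec Client Security": {(1, 0), (1, 1), (2, 0)},
}


def parse_build(build: str) -> tuple[int, ...]:
    """Turn '10.1.0.394' (or '10.1.0.394 64 bit') into a numeric tuple.

    Dotted builds must not be compared as strings ('10.1.0.400' sorts before
    '3.1.0.394' lexicographically), so all matching below uses these tuples.
    """
    core = build.strip().split()[0]            # drop a trailing '64 bit' marker
    parts = core.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(p) for p in parts)


def assess(product: str, build: str) -> tuple[str, Optional[str]]:
    """Classify one installed build against the advisory.

    Returns (status, solution_build) with status one of:
      'affected'   - listed as vulnerable; solution_build is the fixed build
      'fixed'      - the build is one of the listed solution builds
      'unaffected' - a product line the advisory lists as not affected
      'unlisted'   - in neither table; consult the vendor KB rather than guess
    """
    numeric = parse_build(build)
    key = ".".join(str(p) for p in numeric)    # normalised, suffix removed
    table = AFFECTED.get(product, {})
    if key in table:
        return "affected", table[key]
    if key in table.values():
        return "fixed", key
    if numeric[:2] in UNAFFECTED.get(product, set()):
        return "unaffected", None
    return "unlisted", None


def audit(inventory: list[str]) -> dict[str, tuple[str, Optional[str]]]:
    """Run assess() over 'host, product, build' lines; returns host -> result."""
    report = {}
    for line in inventory:
        host, product, build = (field.strip() for field in line.split(",", 2))
        report[host] = assess(product, build)
    return report


# Constructed sample inventory (hypothetical hosts; not from the advisory).
SAMPLE_INVENTORY = [
    "ws-01, Symantec AntiVirus Corporate Edition, 10.1.0.400",
    "ws-02, Symantec AntiVirus Corporate Edition, 10.1.0.394 64 bit",
    "srv-01, Symantec Client Security, 3.0.2.2011",
    "srv-02, Symantec AntiVirus Corporate Edition, 9.0.0.1000",
    "lab-01, Symantec Client Security, 3.0.2.2005",
]

if __name__ == "__main__":
    for host, (status, fix) in audit(SAMPLE_INVENTORY).items():
        action = f"update to {fix}" if status == "affected" else ""
        print(f"{host:8} {status:11} {action}")
```

Running the script prints one line per host; ws-01 and ws-02 come out as affected with their solution builds, srv-01 as fixed, srv-02 as unaffected, and lab-01 as unlisted because 3.0.2.2005 appears in neither table. The "unlisted" bucket is deliberate: the 3.0.2 line has several affected and solution builds interleaved, so a simple "newer than the fix" comparison would misclassify builds the advisory does not mention.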
Details
Symantec was notified that Symantec Client Security and Symantec AntiVirus
Corporate Edition are susceptible to a potential stack overflow. Exploiting
this overflow successfully could potentially cause a system crash, or allow
a remote or local attacker to execute arbitrary code with System level rights
on the affected system.
Symantec Response
Symantec engineers have verified that this vulnerability exists in the product
versions listed above, and have provided updates for those products.
Upgrade Information
Available updates for English language versions are listed in the table above.
Information on localized builds for other language versions, and information
on upgrading, can be found in this KB Document:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006052609181248
Mitigation
Symantec Security Response has released IPS signatures to detect attempts to
exploit this issue.
Symantec Network Security Appliance 7100 signatures, SU 46, are available via
LiveUpdate.
Symantec Gateway Security 3.0 signatures, SU 19, are available via LiveUpdate.
Symantec Client Security 2.0 and 3.0 signatures, SU 22, are available for
update via LiveUpdate.
Symantec recommends customers immediately apply the latest Security Update
to protect against potential related attacks.
To help reduce the risks associated with this vulnerability, Symantec recommends
the following best practices:
* Restrict access to administration or management systems to privileged
users only, with additional restricted access to the physical host
system(s) if possible.
* Keep all operating systems and applications updated with the latest
vendor patches.
* Follow a multi-layered approach to security. Run both firewall and
antivirus applications, at a minimum, to provide multiple points of
detection and protection against both inbound and outbound threats.
* Be cautious visiting unknown or untrusted websites or following
unknown URL links.
* Do not open attachments or executables from unknown sources, or ones
that you did not request or were not expecting. Always err on the side
of caution: even if the sender is known, the source address may be spoofed.
Note
Symantec is not aware of any customers impacted by this vulnerability, or of
any exploits of this vulnerability.
CVE
This issue is a candidate for inclusion in the Common Vulnerabilities and
Exposures (CVE) list (http://cve.mitre.org), which standardizes names for
security problems. CVE has assigned the following identifier to this issue:
CVE-2006-2630.
Credit
Symantec would like to thank eEye Digital Security (http://www.eeye.com) for
reporting this issue, and working with us on the resolution.
Symantec takes the security and proper functionality of its products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec follows the principles of responsible disclosure. Symantec
also subscribes to the vulnerability guidelines outlined by the National
Infrastructure Advisory Council (NIAC). Please contact secure@symantec.com
if you feel you have discovered a potential or actual security issue with a
Symantec product. A Symantec Product Security team member will contact you
regarding your submission.
Symantec has developed a Product Vulnerability Handling Process document
outlining the process we follow in addressing suspected vulnerabilities in
our products. We support responsible disclosure of all vulnerability information
in a timely manner, to protect Symantec customers and the security of the
Internet from the consequences of vulnerabilities. This document is available
from the location provided below.
Symantec strongly recommends using encrypted email for reporting vulnerability
information to secure@symantec.com. The Symantec Product Security PGP key can
be obtained from the location provided below.
Copyright (c) 2006 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Symantec Security Response.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage arising
from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity are
registered trademarks of Symantec Corp. and/or affiliated companies in the
United States and other countries. All other registered and unregistered
trademarks represented in this document are the sole property of their
respective companies/owners.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRJEHUyh9+71yA2DNAQLQaAP/eVCKScvXqHYrG3MiwGkfeY4aNZPbXyNn
j/wN4bf050f3yG7gNO+1kBtGOe/iEEhDR16DZHWVVo+wZzSYzMZAHx+pEbx6pT42
DvyH0D2y/+VqSl2L++9KLffl+W/xcXPU/6Vq5RQXP2EJuZ7RjoM8DqFBqBNlX6G2
dbvGsHkofdc=
=8/tX
-----END PGP SIGNATURE-----