22 November 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.1104
  Security Advisories Relating to Symantec Products - Symantec Updates HP
       Autonomy Keyview Filter Issues Affecting Multiple Vendors
                              22 November 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Mail Security for Microsoft Exchange
                   Symantec Mail Security for Domino
                   Symantec Messaging Gateway
                   Symantec Data Loss Prevention Enforce/Detection Servers
                   Symantec Data Loss Prevention Endpoint Agents
Publisher:         Symantec
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
  http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20121120_00

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Advisories Relating to Symantec Products - Symantec Updates HP
Autonomy Keyview Filter Issues Affecting Multiple Vendors

SYM12-018
November 20, 2012

Revision History
None

Severity
Medium to High (based on the CVSS2 scoring below)

High
CVSS V2 9.33 (for SMSMSE and SMSDOM, running the Autonomy Verity Keyview
Filter in-process or out-of-process with application-level privileges.)
  Impact: 10     Exploitability: 8.588
  CVSS V2 Vector AV:N/AC:M/Au:N/C:C/I:C/A:C

Medium
CVSS V2 4.3 (for SBG/SMG and DLP, running the Autonomy Verity Keyview Filter
out-of-process with least privileges.)
  Impact: 2.862  Exploitability: 8.588
  CVSS V2 Vector AV:N/AC:M/Au:N/C:N/I:N/A:P

Overview

Multiple security issues have been identified in HP Autonomy's Keyview
Content Filter libraries.
Symantec has updated the Keyview modules being shipped with Symantec products
in response to these issues.

Affected Products

Product                           Version  Build  Solution(s)
--------------------------------  -------  -----  --------------------------------
Symantec Mail Security for        6.5.x    All    SMSMSE 6.5.8 (see mitigation
Microsoft Exchange (SMSMSE)                       workarounds below to disable
                                                  content filtering as an interim)
                                                  Upgrade to SMSMSE 7.0 (When
                                                  Available)

Symantec Mail Security for        8.1.x    All    SMSDOM 8.1.1 (see mitigation
Domino (SMSDOM)                                   workarounds below to disable
                                                  content filtering as an interim)

Symantec Messaging Gateway        9.5.x    All    Symantec Messaging Gateway 10.0.1
(SMG)

Symantec Data Loss Prevention     11.x     All    Symantec DLP 11.6.1 for Windows
(DLP) Enforce/Detection Servers
for Windows

Symantec Data Loss Prevention     11.x     All    Symantec DLP 11.6.1 for Linux
Enforce/Detection Servers for
Linux

Symantec Data Loss Prevention     11.x     All    Symantec DLP 11.6.1 Agent
Endpoint Agents

NOTE: Disabling content filtering as described in the mitigation section below
does NOT interfere with the primary functionality of Symantec's products, e.g.,
anti-virus or anti-spam.

Details

Symantec was notified of multiple security issues, including possible denial of
service (process crash) and potential code execution vulnerabilities, identified
in several of the file parsing libraries in HP's Autonomy Verity Keyview Filter
shipped with the Symantec products identified above. These vulnerabilities can
potentially be targeted during the content filtering process run against
maliciously formatted incoming files. Attempted exploitation results, depending
on the product involved in the processing, range from no impact to a crash of
the child process with negligible impact, an application crash or, in specific
instances, potential elevated privilege application compromise.

Symantec Response

Symantec product engineers worked closely with HP's Autonomy Support to obtain
and provide updates to address all issues.
Symantec Mail Security for Microsoft Exchange runs the Autonomy Keyview Filter
as part of the application process. A successful exploitation attempt could
potentially result in a denial of service application crash or possibly a
privilege compromise in the context of the application.

Symantec Mail Security for Domino runs the Autonomy Keyview Filter
out-of-process by default, preventing attack attempts from crashing the
application. However, the filter process runs in the context of the
application, which could potentially allow a privileged application compromise
from a successful exploit attempt.

Customers running Symantec Mail Security for Microsoft Exchange or Symantec
Mail Security for Domino should update to the non-vulnerable versions
identified above or disable content filtering by following the mitigation
workarounds described below until updates can be obtained and deployed.

In the Symantec Messaging Gateway and Symantec Data Loss Prevention products,
the Autonomy Keyview content filtering process has been separated from the
Symantec applications (out-of-process) and runs with least privilege. This
out-of-process method specifically addresses these types of security concerns.
Any attempt to exploit these issues results in termination of the offending
process and an error message generated to and handled by the specific
application(s). Non-vulnerable versions of the Verity Filter have nevertheless
been updated and made available to customers. Customers may still disable
content filtering through the temporary mitigation workarounds described below
until updates can be obtained and deployed.

Symantec knows of no exploitation of or adverse customer impact from these
issues.

Update Information

Updates will be available through customers' normal support/download locations.
SMS for Domino and Microsoft Exchange updates will be available through the
Platinum Support Web Site for Platinum customers or through the FileConnect -
Electronic Software Distribution web site. Symantec DLP updates will be
available for download through secure file exchange.

Workaround/Mitigations

Temporary Workaround to disable content filtering in Symantec Mail Security
for Microsoft Exchange

Installations of SMS for Microsoft Exchange that do not utilize the Content
Filtering capabilities of the product are not susceptible. SMS for Microsoft
Exchange would be susceptible only if the attachment content scanning option
is enabled.

As an interim workaround, administrators may fully disable content filtering
rules that contain parameters specifying scanning of attachment content. The
rules do not need to be deleted, only disabled until the updated release is
installed.

To disable the content filtering rules for SMS for Microsoft Exchange:

* Select the "Policies" tab and then choose "Content Filtering" to display
  the list of currently enabled rules
* Ensure that all rules using attachment content are "disabled"

Or, instead of disabling content filtering altogether, the administrator can
rename only the affected readers until updates can be installed:

* Go to the Verity bin folder of the product installation, e.g.
  SMSMSE -> Verity -> bin
* Locate the affected binary, e.g. vsd.dll
* Rename the binary, e.g. to vsd_disabled.dll
* Content filtering will now NOT be performed for those attachments
  previously read by the affected reader(s).

Temporary Workaround to disable content filtering in Symantec Mail Security
for Domino

Installations of SMS for Domino that do not utilize the Content Filtering
capabilities of the product are not susceptible to this issue. SMS for Domino
would be susceptible only if the attachment content scanning option is
enabled.
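The "rename the affected reader" workaround for SMS for Microsoft Exchange above, and the identical procedure for SMS for Domino below, are described as manual steps. The PowerShell below is an added example, not Symantec's code: it applies the rename reversibly, records which readers were disabled (and their file versions) in a manifest, refuses to overwrite an existing `_disabled` copy, and puts the readers back once the fixed release is installed. The Verity\bin path and the list of readers are operator input: the advisory gives only relative paths (SMSMSE -> Verity -> bin, SMSDOM -> Server -> Verity -> bin) and names vsd.dll purely as an example, so neither is hard-coded; the manifest file name is this example's own choice.

```powershell
# Added example, not Symantec's code: apply the SYM12-018 interim workaround of
# renaming affected Autonomy Keyview reader DLLs (e.g. vsd.dll -> vsd_disabled.dll)
# reversibly, with a manifest so the readers can be restored after the upgrade.
# Assumptions: the Verity\bin path and the reader list are supplied by the
# operator (the advisory gives only relative paths and names vsd.dll as an
# example); the manifest file name is this script's own choice.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-DisabledName([string]$Name) {
    # vsd.dll -> vsd_disabled.dll, the naming the advisory uses
    [IO.Path]::GetFileNameWithoutExtension($Name) + '_disabled' + [IO.Path]::GetExtension($Name)
}

function Disable-KeyviewReaders {
    param(
        [Parameter(Mandatory)][string]   $VerityBin,   # e.g. <install dir>\SMSMSE\Verity\bin
        [Parameter(Mandatory)][string[]] $Readers,     # e.g. 'vsd.dll'
        [string] $Manifest = (Join-Path $VerityBin 'keyview_disabled_readers.json')
    )
    if (-not (Test-Path -LiteralPath $VerityBin -PathType Container)) {
        throw "Verity bin folder not found: $VerityBin"
    }
    # A second run would see the readers as 'missing' and lose the record of what was renamed.
    if (Test-Path -LiteralPath $Manifest) {
        throw "Manifest $Manifest already exists; run Restore-KeyviewReaders before disabling again."
    }
    $done = @()
    foreach ($name in $Readers) {
        $src     = Join-Path $VerityBin $name
        $newName = Get-DisabledName $name
        if (-not (Test-Path -LiteralPath $src -PathType Leaf)) {
            Write-Warning "$name not present in $VerityBin (not installed, or already renamed); skipping."
            continue
        }
        if (Test-Path -LiteralPath (Join-Path $VerityBin $newName)) {
            throw "$newName already exists; refusing to overwrite."
        }
        # Capture the file version before renaming so the manifest records what was disabled.
        $ver = (Get-Item -LiteralPath $src).VersionInfo.FileVersion
        Rename-Item -LiteralPath $src -NewName $newName
        $done += [pscustomobject]@{
            Original    = $name
            Renamed     = $newName
            FileVersion = $ver
            DisabledAt  = (Get-Date).ToString('o')
        }
        Write-Host "Disabled $name -> $newName (FileVersion $ver)"
    }
    if ($done.Count -gt 0) {
        # Pass an array explicitly so a single entry is still serialised as a JSON list.
        ConvertTo-Json -InputObject @($done) | Set-Content -LiteralPath $Manifest -Encoding UTF8
        Write-Host "Wrote $Manifest; keep it for Restore-KeyviewReaders."
    }
    return $done
}

function Restore-KeyviewReaders {
    param(
        [Parameter(Mandatory)][string] $VerityBin,
        [string] $Manifest = (Join-Path $VerityBin 'keyview_disabled_readers.json')
    )
    if (-not (Test-Path -LiteralPath $Manifest)) { throw "No manifest at $Manifest; nothing to restore." }
    $entries = Get-Content -LiteralPath $Manifest -Raw | ConvertFrom-Json
    $failed = 0
    foreach ($e in $entries) {
        $src = Join-Path $VerityBin $e.Renamed
        $dst = Join-Path $VerityBin $e.Original
        if (Test-Path -LiteralPath $dst) {
            # The upgrade installed a fresh copy; leave both for the operator to review.
            Write-Warning "$($e.Original) already exists (new version installed?); not restoring $($e.Renamed)."
            $failed++
            continue
        }
        Rename-Item -LiteralPath $src -NewName $e.Original
        Write-Host "Restored $($e.Renamed) -> $($e.Original)"
    }
    if ($failed -eq 0) { Remove-Item -LiteralPath $Manifest }
}

# Usage (placeholder paths; the advisory gives the folder only relative to the install):
#   Disable-KeyviewReaders -VerityBin '<install dir>\SMSMSE\Verity\bin' -Readers 'vsd.dll'
#   Disable-KeyviewReaders -VerityBin '<install dir>\SMSDOM\Server\Verity\bin' -Readers 'vsd.dll'
#   ... after installing SMSMSE 6.5.8 / SMSDOM 8.1.1:
#   Restore-KeyviewReaders -VerityBin '<install dir>\SMSMSE\Verity\bin'
```

Two caveats the advisory itself leaves implicit. First, as the text says, attachments that only the renamed reader could parse are no longer content-scanned at all, so the rename is a deliberate coverage gap, not a free fix; the manifest exists so that gap is closed again after the upgrade. Second, the advisory does not say whether a service restart is needed; since SMSMSE loads the filter in-process, assume an already-loaded copy of the DLL stays mapped until the service is restarted, and confirm after the restart that the affected attachment types are indeed skipped.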
As an interim workaround, administrators may disable content filtering rules
that contain parameters specifying scanning of attachment content. The rules
do not need to be deleted, only disabled until an updated release is
installed.

To disable content filtering rules for Symantec Mail Security for Domino:

* Select the "Content Filtering" tab to display the list of currently enabled
  rules
* Click on the checkmark to the left of any rules that utilize attachment
  content filtering, changing it to a red "X" and disabling the rule

Or, instead of disabling content filtering altogether, the administrator can
rename only the affected readers until updates can be installed:

* Go to the Verity bin folder of the product installation, e.g.
  SMSDOM -> Server -> Verity -> bin
* Locate the affected binary, e.g. vsd.dll
* Rename the binary, e.g. to vsd_disabled.dll
* Content filtering will now NOT be performed for those attachments
  previously read by the affected reader(s).

Temporary Workaround to disable content filtering in Symantec Messaging
Gateway

Risk from these issues is limited on installations of Symantec Messaging
Gateway in which the attachment content scanning option is enabled, and
installations that do not utilize the Content Filtering capabilities of the
product are not impacted by these issues. As an interim workaround,
administrators unable to upgrade to the recommended solution may disable
content filtering rules that contain parameters that specify scanning of
attachment content. The rules do not need to be deleted, only disabled until
the updated release is installed.

To disable the content filtering rules for Symantec Messaging Gateway:

* Log into the management console and navigate to the SMTP Scanning Settings
  screen
* Disable the item "Enable searching of non-plain text attachments for words
  in dictionaries" by deselecting the checkbox, and save
* Disable any Compliance policies with a condition:
  1. "If any part of the message matches" (or "does not match") a regular
     expression, pattern or Record Resource.
  2. "If text in Attachment content part of the message . . . "

Best Practices

As part of normal best practices, Symantec strongly recommends:

* Restrict access to administration or management systems to privileged
  users.
* Restrict remote access, if required, to trusted/authorized systems only.
* Run under the principle of least privilege where possible to limit the
  impact of exploit by threats.
* Keep all operating systems and applications updated with the latest vendor
  patches.
* Follow a multi-layered approach to security. Run both firewall and
  anti-malware applications, at a minimum, to provide multiple points of
  detection and protection to both inbound and outbound threats.
* Deploy network and host-based intrusion detection systems to monitor
  network traffic for signs of anomalous or suspicious activity. This may aid
  in detection of attacks or malicious activity related to exploitation of
  latent vulnerabilities.

Credit

Will Dormann with CERT/CC for identifying and reporting these issues in HP's
Autonomy Keyview content filter.

Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows responsible disclosure guidelines.
Please contact email@example.com if you feel you have discovered a security
issue in a Symantec product. A member of the Symantec Product Security team
will contact you regarding your submission to coordinate any required
response. Symantec strongly recommends using encrypted email for reporting
vulnerability information to firstname.lastname@example.org. The Symantec
Product Security PGP key can be found at the location below.

Symantec has developed a Product Vulnerability Response document outlining
the process we follow in addressing suspected vulnerabilities in our
products. This document is available below.
Symantec Vulnerability Response Policy
http://www.symantec.com/security/Symantec-Product-Vulnerability-Response.pdf

Symantec Product Vulnerability Management PGP Key
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

Copyright (c) 2012 by Symantec Corp.

Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Product Security.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from email@example.com

Disclaimer

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Product Security, and
firstname.lastname@example.org are registered trademarks of Symantec Corp.
and/or affiliated companies in the United States and other countries. All
other registered and unregistered trademarks represented in this document are
the sole property of their respective companies/owners.

* Signature names may have been updated to comply with an updated IPS
  Signature naming convention. See
  http://www.symantec.com/business/support/index?page=content&id=TECH152794&key=54619&actp=LIST
  for more information.

Last modified on: November 20, 2012

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins you
should contact your local IT manager. If you do not know who that is, please
send an email to email@example.com and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for member
                emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUK2BnO4yVqjM2NGpAQJ0Mw//Y0hMnree3+ESWYZiovoLimfSp4yKzKnD
HRm62L3cQ36rJp0+Jlwm82+sZjvF7hN2An4CREczKKXjnXd/WhtcBD97MjIeWZHu
CjCxazHvtTMH3XAWkNRUkfa+0FTKEaBWzJ+3fCWCszhTLRuC8iDXJfEoEMY5OFtG
b49x7a+M19q5d8LkYXi7P+qKzqc72J8XGY2OsMbuFjuScycgLLwOGab8zdpcEKcR
TAHIhym+ebHNRFhTWSCdcrTtHK77e22l3hI/yIzFh+2iDfm9PzKr396heFEO0o7C
csEflYM6MS8XaGnrLWkiDTgXjBMeiBI4L+yyQKCnRza2MUCX4tNlhYwhnsVYd42z
OzvpYnKoHTY3D/t1L8xIeC0TfqNmBehJdxLaHttjIVZKaxA6WXDFPtUMRNRKoxsq
ihz8cs6U4AanzvvX1v+C3RZDT4u9gLp/pgodcbXfjYI39IkmbJEByL8AVg9ktQ5R
ESRL1L/EsWJDPuIdtV1Yfxa5q54nPrCh4xePIVNf8mUPUqCCm6zn82MqwAdLFy9j
vZbx9kgZQB36pRYEL1Q7VGc4v9FSkKEB+fWmqcU8qLpKhohxDKisNKZ1U/UGFuqf
33ZePFB3zHfCTJkQaBt+IeZBAfnjhosC4FMhDzxWDN+9Fikyor3uz3C8ChrZub54
jdbs4EfGPKE=
=zNtI
-----END PGP SIGNATURE-----