Symantec AntiVirus Malformed RAR and CAB Compression Type Bypass

Advisory ID: 1129
Updated: 06 March 2020
Published: 11 July 2007
Status: CLOSED
Severity: HIGH
CVSS Base Score: 9.3

SUMMARY

Two vulnerabilities have been identified in the Symantec Decomposer component, which is used to unpack some types of archive content while scanning for malicious content.

Risk Impact: High
Remote Access: Yes
Local Access: No
Authentication Required: No
Exploit publicly available: No

AFFECTED PRODUCTS

Product | Version | Builds | Update To
Symantec Mail Security | 8200 | All | 5.0.0.24
Symantec Mail Security for Microsoft Exchange | 4.6.7 and earlier | All | 4.6.8.120
Symantec Mail Security for Microsoft Exchange | 5.0.4 and earlier | All | 5.0.5 and higher
Symantec Mail Security for Microsoft Exchange | 6.0.0 | All | 6.0.1 or later
Symantec Mail Security for Domino NT | 4.1.5 and earlier | All | 4.1.9.37
Symantec Mail Security for Domino NT | 5.1.2.28 and earlier | All | 5.1.4.32
Symantec AntiVirus/Filtering for Domino MPE (AIX, Linux, Solaris) | 3.0.12 and earlier | All | 3.2.2.27 †
Symantec Scan Engine | 5.0.1 and earlier | All | 5.1.4.24
Symantec AntiVirus Scan Engine | 4.1.8 and earlier | All | 4.3.18.43
Symantec AntiVirus Scan Engine | 4.3.12 and earlier | All | 4.3.17 or later
Symantec AntiVirus Scan Engine for MS ISA | 4.3.12 and earlier | All | 4.3.17 or later
Symantec AntiVirus Scan Engine for MS Sharepoint | 4.3.12 and earlier | All | 4.3.17 or later
Symantec AntiVirus Scan Engine for Messaging | 4.3.12 and earlier | All | 4.3.17 or later
Symantec AntiVirus for Network Attached Storage | 4.3.12 and earlier | All | 4.3.17 or later
Symantec AntiVirus Scan Engine for Clearswift | 4.3.12 and earlier | All | 4.3.17 or later
Symantec AntiVirus Scan Engine for Caching | 4.3.12 and earlier | All | 4.3.17 or later
Symantec Client Security ††† | 3.X | All | SCS 3.1 MR5 MP1 (build 3.1.5.5010) ††
Symantec Client Security ††† | 2.X | All | SCS 2.0 MR6-MP1 (build 2.0.6.1100) ††
Symantec Client Security ††† | 1.X | All | (no update listed)
Symantec Web Security | 3.0.1.76 and earlier | All | 3.0.1.85
Symantec Gateway Security 1600 Series | 3.0.1 | All | Update F; apply hotfix SGS1600-3.0.1-enga2007080100
Symantec Gateway Security 5000 Series | 3.0.1 | All | Update F; apply hotfix SGS5000-3.0.1-enga2007080100
Symantec Gateway Security 5400 Series | 2.0.1 | All | Upgrade to 3.0.1 Update F; apply hotfix SGS5000-3.0.1-enga2007080100
Symantec Brightmail AntiSpam | 6.0.x | All | 6.05
Symantec Brightmail AntiSpam | 5.5 | All | (no update listed)
Symantec Brightmail AntiSpam | 4.x | All | (no update listed)
Symantec AntiVirus Corporate Edition ††† | 10.X | All | SAV 10.1 MR5 MP1 (build 10.1.5.5010) ††
Symantec AntiVirus Corporate Edition ††† | 9.X | All | SAV 9.0 MR6-MP1 (build 9.0.6.1100) ††
Symantec AntiVirus Corporate Edition ††† | 8.X | All | (no update listed)
Symantec AntiVirus for Macintosh | 10.X | All | Update to any definition after 10/1/2006
Symantec Web Security for Microsoft ISA 2004 | 5.0 | All | 5.0.3
Symantec Mail Security for SMTP | 5.0.0 Solaris | All | Patch 175
Symantec Mail Security for SMTP | 5.0.0 Linux | All | Patch 175
Symantec Mail Security for SMTP | 5.0.0 Windows | All | Patch 176
Symantec Mail Security for SMTP | 5.0.1 | All | Patch 181
Symantec Mail Security for SMTP | 4.1.15 and earlier | All | 4.1.16

† Symantec AntiVirus/Filtering for Domino MPE is no longer supported. Customers are encouraged to upgrade to Symantec Mail Security for Domino MPE.

†† Customers using the SAV CE Linux client should upgrade to version 1.0.2-75. This build is available by downloading the latest SAV CE 10.X or SCS 3.X build from FileConnect.

††† Symantec has released a tool that will update the decomposer engine in Symantec AntiVirus Corporate Edition and Symantec Client Security.

For more information and to download the tool, please read the following document:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007071111591448

Affected Consumer Products

Product | Version | Builds | Update To
Norton AntiVirus | 2006 | All | Run LiveUpdate in Interactive Mode
Norton AntiVirus | 2005 | All | Run LiveUpdate in Interactive Mode
Norton AntiVirus | 2004 | All | Run LiveUpdate in Interactive Mode
Norton Internet Security | 2006 | All | Run LiveUpdate in Interactive Mode
Norton Internet Security | 2005.5 AntiSpyware Edition | All | Run LiveUpdate in Interactive Mode
Norton Internet Security | 2005 | All | Run LiveUpdate in Interactive Mode
Norton Internet Security | 2004 | All | Run LiveUpdate in Interactive Mode
Norton SystemWorks | 2006 | All | Run LiveUpdate in Interactive Mode
Norton SystemWorks | 2005 | All | Run LiveUpdate in Interactive Mode
Norton SystemWorks | 2004 | All | Run LiveUpdate in Interactive Mode
Norton Personal Firewall | 2006 | All | Run LiveUpdate in Interactive Mode
Norton AntiVirus for Macintosh | 10.X | All | Update to any definition after 10/1/2006
Norton AntiVirus for Macintosh | 9.X | All | (no update listed)
Norton Internet Security for Macintosh | 3.X | All | Update to any definition after 10/1/2006
Norton SystemWorks for Macintosh | 3.X | All | Update to any definition after 10/1/2006

ADDITIONAL PRODUCT INFORMATION

Products Not Affected:

Product | Version | Builds
Symantec AntiVirus for HandHelds - Corporate Edition | All | All
Symantec AntiVirus for Handhelds | All | All
Symantec Client Security for Nokia | All | All
Symantec Enterprise Firewall | 8.0 | All
Symantec Clientless VPN Gateway 4400 Series | 5.0 | All
Symantec Firewall / VPN Appliance | 100/200 | All
Symantec Gateway Security 300/400 Series | 2.0 | All
Norton AntiVirus for Macintosh | 7.X | All
Norton AntiVirus for Macintosh | 8.X | All
Norton Internet Security for Macintosh | 2.X | All
Norton SystemWorks for Macintosh | 2.X | All
Norton 360 | All | All
Symantec AntiVirus Corporate Edition | 10.2 | All
Norton AntiVirus | 2007 | All
Norton Internet Security | 2007 | All
Norton SystemWorks | 2007 | All

ISSUES

Details
The first vulnerability is related to the decomposition of RAR files. Modifying the RAR file header in a specific way causes the decomposer to enter an infinite loop, resulting in a denial of service.

The second vulnerability is related to the decomposition of CAB files. The Symantec Decomposer fails to perform proper bounds checks when copying data from the CAB archive, which may allow arbitrary code execution on the vulnerable system.
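To make the two bug classes above concrete, here is an added example in C. It is constructed for this page and is not Symantec's decomposer code, which is not public; it models only the header fields the bugs turn on. The RAR part is a simplified RAR 2.x block walk whose naive form never advances when a header's HEAD_SIZE is 0 (the infinite-loop case); the CAB part copies one stored CFDATA payload into a fixed 32 KiB block, and its naive form lets the attacker-supplied cbData size the memcpy (the missing-bounds-check case). The sample archives, the naive/hardened switch, the iteration budget and the oversized scratch buffer are all assumptions of the demo; the hardened checks are the ones any such decoder should make.

```c
/* Constructed illustration of the RAR no-progress loop and the CAB CFDATA
 * over-copy. Not Symantec's code; formats are reduced to the fields involved. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* RAR 2.x: every block starts HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2);
 * when HEAD_FLAGS has LONG_BLOCK (0x8000) a 4-byte ADD_SIZE of trailing data follows. */
#define RAR_HDR_LEN      7
#define RAR_LONG_BLOCK   0x8000
#define RAR_NAIVE_BUDGET 1000   /* demo only: the real naive loop has no cap and never returns */

/* Returns the number of blocks walked; -1 if the hardened walk rejects the archive;
 * -2 if the naive walk burned its budget without reaching the end (the DoS). */
int rar_walk(const uint8_t *buf, size_t len, int hardened)
{
    size_t off = 0;
    int blocks = 0, budget = RAR_NAIVE_BUDGET;
    while (off + RAR_HDR_LEN <= len) {
        uint16_t flags = le16(buf + off + 3);
        uint64_t size  = le16(buf + off + 5);
        if (flags & RAR_LONG_BLOCK) {
            if (len - off < RAR_HDR_LEN + 4) return -1;   /* keeps the demo from reading past buf */
            size += le32(buf + off + 7);
        }
        if (hardened) {
            if (size < RAR_HDR_LEN) return -1;   /* HEAD_SIZE below 7 can never make progress */
            if (size > len - off)   return -1;   /* block claims more bytes than remain */
        } else if (--budget == 0) {
            return -2;
        }
        off += (size_t)size;   /* naive path: HEAD_SIZE 0 leaves off unchanged forever */
        blocks++;
    }
    return blocks;
}

/* Constructed archive: the "Rar!\x1a\x07\x00" marker is itself a valid 7-byte block,
 * followed by a 13-byte main header whose HEAD_SIZE is zeroed when malformed. */
int demo_rar(int hardened, int malformed)
{
    uint8_t a[20] = { 'R','a','r','!',0x1a,0x07,0x00,          /* MARK_HEAD, HEAD_SIZE 7 */
                      0x00,0x00, 0x73, 0x00,0x00, 0x0d,0x00 };  /* MAIN_HEAD, HEAD_SIZE 13 */
    if (malformed) a[12] = 0x00;                                /* HEAD_SIZE := 0 */
    return rar_walk(a, sizeof a, hardened);
}

/* CAB: a CFDATA block is csum(4) cbData(2) cbUncomp(2) followed by cbData bytes.
 * A stored (typeCompress 0) block holds at most 0x8000 bytes, so decoders reserve a
 * fixed 32 KiB output block and must not let cbData exceed it. */
#define CFDATA_HDR_LEN 8
#define CAB_BLOCK_MAX  0x8000

/* Copies one stored CFDATA payload into out[out_len]. Returns bytes copied, or -1. */
int cab_copy_block(const uint8_t *cf, size_t len, uint8_t *out, size_t out_len, int hardened)
{
    if (len < CFDATA_HDR_LEN) return -1;
    uint16_t cb_data = le16(cf + 4), cb_uncomp = le16(cf + 6);
    if ((size_t)cb_data > len - CFDATA_HDR_LEN) return -1;   /* payload truncated: keep reads in bounds */
    if (hardened) {
        if (cb_data != cb_uncomp) return -1;   /* a stored block must carry equal sizes */
        if (cb_data > out_len)    return -1;   /* the header never gets to size the output copy */
    }
    memcpy(out, cf + CFDATA_HDR_LEN, cb_data);   /* naive path: cb_data is attacker-controlled */
    return cb_data;
}

/* Constructed CFDATA with a 40000-byte payload when malformed (legal maximum is 32768).
 * The scratch buffer is 64 KiB so the naive copy stays in bounds for this demo; in a
 * decoder whose block really is 32 KiB the extra 7232 bytes land past its end. */
int demo_cab(int hardened, int malformed)
{
    static uint8_t cf[CFDATA_HDR_LEN + 40000];
    static uint8_t scratch[65536];
    uint16_t n = malformed ? 40000 : 1000;
    memset(cf, 0x41, sizeof cf);
    memset(cf, 0, 4);                                   /* csum: not checked here */
    cf[4] = (uint8_t)(n & 0xff); cf[5] = (uint8_t)(n >> 8);   /* cbData */
    cf[6] = (uint8_t)(n & 0xff); cf[7] = (uint8_t)(n >> 8);   /* cbUncomp */
    return cab_copy_block(cf, CFDATA_HDR_LEN + n, scratch, CAB_BLOCK_MAX, hardened);
}

int main(void)
{
    printf("rar ok   naive=%d hardened=%d\n", demo_rar(0, 0), demo_rar(1, 0));
    printf("rar bad  naive=%d hardened=%d\n", demo_rar(0, 1), demo_rar(1, 1));
    printf("cab ok   naive=%d hardened=%d\n", demo_cab(0, 0), demo_cab(1, 0));
    printf("cab bad  naive=%d hardened=%d\n", demo_cab(0, 1), demo_cab(1, 1));
    return 0;
}
```

The two hardened checks are the whole fix in both cases: a block-walk must prove forward progress (a size at least as large as the header it just read, and no larger than what remains), and a copy must be bounded by the destination the decoder actually allocated, never by a length read from the archive. Both conditions are cheap to test in a fuzzing harness by mutating exactly the two header fields the demo mutates.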

NOTE:

  1. Only currently supported Symantec products will be updated. Customers using unsupported versions are encouraged to upgrade to a supported version.

These issues are candidates for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE-2007-3699 to the RAR issue and CVE-2007-0447 to the CAB issue.

MITIGATION

Symantec response
Symantec engineers have verified and corrected these issues in all currently supported products. Updates are available for supported products. Symantec recommends that customers apply the latest product update available for their supported product versions to enhance their security posture and protect against potential security threats of this nature.

Product updates will be available from the Symantec support site: http://www.symantec.com/techsupp/ or via LiveUpdate when available.

Symantec Norton product users who regularly launch and run LiveUpdate should already have received an updated (non-vulnerable) version of the affected component. However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in Interactive mode as follows:

  • Open any installed Norton product
  • Click on LiveUpdate in the GUI

To perform a manual update using Symantec LiveUpdate, users should:

  • Open any installed Symantec product
  • Click on LiveUpdate in the toolbar
  • Run LiveUpdate until all available Symantec product updates are downloaded and installed

To date, Symantec is not aware of any exploits for these issues.

Best Practices
As part of normal best practices, Symantec strongly recommends:

  • Restrict access to administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Run under the principle of least privilege where possible to limit the impact of exploit by threats such as this.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

ACKNOWLEDGEMENTS

Symantec would like to thank 3COM and the Zero Day Initiative for reporting these issues and providing full coordination while Symantec resolved them.

REVISION

Revision History
Removed invalid CVE information
Added missing product information
Updated Symantec AntiVirus Corporate Edition version information
Added information and link to new update tool for Symantec AntiVirus and Symantec Client Security
Updated Symantec Gateway Security version and update information