Symantec AntiVirus Malformed RAR and CAB Compression Type Bypass
1129
06 March 2020
11 July 2007
CLOSED
HIGH
9.3
SUMMARY
Two vulnerabilities have been identified in the Symantec Decomposer component used to decompose some types of archive content while scanning for malicious content.
Risk Impact
High
|
Remote Access |
Yes |
|
Local Access |
No |
|
Authentication Required |
No |
|
Exploit publicly available |
No |
AFFECTED PRODUCTS
|
Product |
Version |
Builds |
Update To |
|
Symantec Mail Security |
8200 |
All |
5.0.0.24 |
|
Symantec Mail Security for Microsoft Exchange |
4.6.7 and earlier |
All |
4.6.8.120 |
|
5.0.4.and earlier |
All |
5.0.5 and higher |
|
|
6.0.0 |
All |
6.0.1 or later |
|
|
Symantec Mail Security for Domino NT |
4.1.5 and earlier |
All |
4.1.9.37 |
|
5.1.2.28 and earlier |
All |
5.1.4.32 |
|
|
Symantec AntiVirus/Filtering for Domino MPE(AIX, Linux, Solaris) |
3.0.12 and earlier |
All |
3.2.2.27 † |
|
Symantec Scan Engine |
5.0.1 and earlier |
All |
5.1.4.24 |
|
Symantec AntiVirus Scan Engine |
4.1.8 and earlier |
All |
4.3.18.43 |
|
4.3.12 and earlier |
All |
4.3.17 or later |
|
|
Symantec AntiVirus Scan Engine for MS ISA |
4.3.12 and earlier |
All |
4.3.17 or later |
|
Symantec AntiVirus Scan Engine for MS Sharepoint |
4.3.12 and earlier |
All |
4.3.17 or later |
|
Symantec AntiVirus Scan Engine for Messaging |
4.3.12 and earlier |
All |
4.3.17 or later |
|
Symantec AntiVirus for Network Attached Storage |
4.3.12 and earlier |
All |
4.3.17 or later |
|
Symantec AntiVirus Scan Engine for Clearswift |
4.3.12 and earlier |
All |
4.3.17 or later |
|
Symantec AntiVirus Scan Engine for Caching |
4.3.12 and earlier |
All |
4.3.17 or later |
|
Symantec Client Security ††† |
3.X |
All |
SCS 3.1 MR5 MP1 (build 3.1.5.5010)†† |
|
2.X |
All |
SCS 2.0 MR6-MP1 (build 2.0.6.1100)†† |
|
|
1.X |
All |
||
|
Symantec Web Security |
3.0.1.76 and earlier |
All |
3.0.1.85 |
|
Symantec Gateway Security 1600 Series |
3.0.1 |
All |
Update F Apply Hotfix SGS1600-3.0.1-enga2007080100 |
|
Symantec Gateway Security 5000 Series |
3.0.1 |
All |
Update F Apply Hotfix SGS5000-3.0.1-enga2007080100 |
|
Symantec Gateway Security 5400 Series |
2.0.1 |
All |
Upgrade to 3.0.1 F Apply SGS5000-3.0.1-enga2007080100 |
|
Symantec Brightmail AntiSpam |
6.0.x |
All |
6.05 |
|
5.5 |
All |
||
|
4.x |
All |
||
|
Symantec AntiVirus Corporate Edition ††† |
10.X |
All |
SAV 10.1 MR5 MP1 (build 10.1.5.5010)†† |
|
9.X |
All |
SAV 9.0 MR6-MP1 (build 9.0.6.1100) †† |
|
|
8.X |
All |
||
|
Symantec AntiVirus for Macintosh |
10.X |
All |
Update to any definition after 10/1/2006 |
|
Symantec Web Security for Microsoft ISA 2004 |
5.0 |
All |
5.0.3 |
|
Symantec Mail Security for SMTP |
5.0.0 Solaris |
All |
Patch 175 |
|
5.0.0 Linux |
All |
Patch 175 |
|
|
5.0.0 Windows |
All |
Patch 176 |
|
|
5.0.1 |
All |
Patch 181 |
|
|
4.1.15 and earlier |
All |
4.1.16 |
† Symantec AntiVirus/Filtering for Domino MPE is no longer supported. Customers are encouraged to upgrade to Symantec Mail Security for Domino MPE
†† Customers using the SAV CE Linux client should upgrade to version 1.0.2-75. This build is available by downloading the latest SAV CE 10.X or SCS 3.X build from FileConnect.
†††Symantec has released a tool that will update the decomposer engine in Symantec AntiVirus Corporate Edition and Symantec Client Security
For more information and to download the tool, please read the following document:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007071111591448
Affected Consumer Products
|
Product |
Version |
Builds |
Update To |
|
Norton AntiVirus |
2006 |
All |
Run LiveUpdate in Interactive Mode |
|
2005 |
All |
Run LiveUpdate in Interactive Mode |
|
|
2004 |
All |
Run LiveUpdate in Interactive Mode |
|
|
Norton Internet Security |
2006 |
All |
Run LiveUpdate in Interactive Mode |
|
2005.5 AntiSpyware Edition |
All |
Run LiveUpdate in Interactive Mode |
|
|
2005 |
All |
Run LiveUpdate in Interactive Mode |
|
|
2004 |
All |
Run LiveUpdate in Interactive Mode |
|
|
Norton SystemWorks |
2006 |
All |
Run LiveUpdate in Interactive Mode |
|
2005 |
All |
Run LiveUpdate in Interactive Mode |
|
|
2004 |
All |
Run LiveUpdate in Interactive Mode |
|
|
Norton Personal Firewall |
2006 |
All |
Run LiveUpdate in Interactive Mode |
|
Norton AntiVirus for Macintosh |
10.X |
All |
Update to any definition after 10/1/2006 |
|
9.X |
All |
||
|
Norton Internet Security for Macintosh |
3.X |
All |
Update to any definition after 10/1/2006 |
|
Norton SystemWorks for Macintosh |
3.X |
All |
Update to any definition after 10/1/2006 |
ADDITIONAL PRODUCT INFORMATION
Products Not Affected:
|
Product |
Version |
Builds |
|
Symantec AntiVirus for HandHelds - Corporate Edition |
All |
All |
|
Symantec AntiVirus for Handhelds |
All |
All |
|
Symantec Client Security for Nokia |
All |
All |
|
Symantec Enterprise Firewall |
8.0 |
All |
|
Symantec Clientless VPN Gateway 4400 Series |
5.0 |
All |
|
Symantec Firewall / VPN Appliance |
100/200 |
All |
|
Symantec Gateway Security 300/400 Series |
2.0 |
All |
|
Norton AntiVirus for Macintosh |
7.X |
All |
|
Norton AntiVirus for Macintosh |
8.X |
All |
|
Norton Internet Security for Macintosh |
2.X |
All |
|
Norton SystemWorks for Macintosh |
2.X |
All |
|
Norton360 |
All |
All |
|
Symantec AntiVirus Corporate Edition |
10.2 |
All |
|
Norton AntiVirus |
2007 |
All |
|
Norton Internet Security |
2007 |
All |
|
Norton System works |
2007 |
All |
ISSUES
Details
The first vulnerability is related to the decomposition of RAR files. Modifying the RAR file header in a specific way, causes the decomposer to enter an infinite loop causing a Denial of Service.
The second vulnerability is related to the decomposition of CAB files. The Symantec Decomposer fails to perform proper bounds checks when copying from the CAB archive. This may result in the possibility of arbitary code execution on the vulnerable system.
NOTE:
- Only currently supported Symantec Products will be updated. Customers using unsupported versions are encouraged to upgrade to a supported version
This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE-2007-3699 for the RAR issue and CVE-2007-0447 for the CAB file issue
MITIGATION
Symantec response
Symantec engineers have verified and corrected these issues in all currently supported products. Updates are available for supported products. Symantec recommends customers apply the latest product update available for their supported product versions to enhance their security posture and protect against potential security threats of this nature.
Product updates will be available from the Symantec support site: http://www.symantec.com/techsupp/ or via LiveUpdate when available.
Symantec Norton product users who regularly launch and run LiveUpdate should already have received an updated (non-vulnerable) version of (product/component). However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in Interactive mode as follows:
- Open any installed Norton product
- Click on LiveUpdate in the GUI
To perform a manual update using Symantec LiveUpdate, users should:
- Open any installed Symantec product
- Click on LiveUpdate in the toolbar
- Run LiveUpdate until all available Symantec product updates are downloaded and installed
To date, Symantec is not aware of any exploits for these issues.
Best Practices
As part of normal best practices, Symantec strongly recommends:
- Restrict access to administration or management systems to privileged users.
- Restrict remote access, if required, to trusted/authorized systems only.
- Run under the principle of least privilege where possible to limit the impact of exploit by threats such as this.
- Keep all operating systems and applications updated with the latest vendor patches.
- Follow a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
- Deploy network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities
ACKNOWLEDGEMENTS
Symantec would like to thank 3COM, and the Zero Day Initiative for reporting these issues and providing full coordination while Symantec resolved them.
REVISION
Revision History
Removed invalid CVE information
Added missing product information
Updated Symantec AntiVirus Corporate addition version information
Added information and link to new update tool for Symantec AntiVirus and Symantec Client Security
Updated Symantec Gateway Security version and update information