Multi-Vendor Autonomy Verity Keyview Filter Multiple Issues

1236

05 March 2020

06 October 2011

CLOSED

HIGH

9.33

SUMMARY

 

Multiple sources have identified several security issues in Autonomy’s Verity Keyview Content Filter libraries.  Symantec has updated the Keyview modules being shipped with Symantec products to address these issues.

AFFECTED PRODUCTS

 

Product                                                                   | Version          | Build | Solution(s)
--------------------------------------------------------------------------|------------------|-------|------------------------------------------------------------------------------------------------------------
Symantec Mail Security for Microsoft Exchange (SMSMSE)                    | 6.x              | All   | SMSMSE 6.5.6 or SMSMSE 6.0.13 (see mitigation workarounds below to disable content filtering as an interim)
Symantec Mail Security for Domino (SMSDOM)                                | 8.x              | All   | SMSDOM 8.0.9 (see mitigation workarounds below to disable content filtering as an interim)
Symantec Mail Security for Domino                                         | 7.5.x            | All   | SMSDOM 7.5.12 (see mitigation workarounds below to disable content filtering as an interim)
Symantec Brightmail and Messaging Gateway (SBG/SMG)                       | 9.5 and earlier  | All   | Symantec Messaging Gateway 9.5.1
Symantec Data Loss Prevention (DLP) Enforce/Detection Servers for Windows | 10.x and earlier | All   | Symantec DLP 11.1.1 for Windows
Symantec Data Loss Prevention Enforce/Detection Servers for Linux         | 10.x and earlier | All   | Symantec DLP 11.1.1 for Linux
Symantec Data Loss Prevention Endpoint Agents                             | 10.x and earlier | All   | Symantec DLP 11.1.1 Agent
Symantec Data Loss Prevention Enforce/Detection Servers for Windows       | 11.x             | All   | Symantec DLP 11.1.1 for Windows
Symantec Data Loss Prevention Enforce/Detection Servers for Linux         | 11.x             | All   | Symantec DLP 11.1.1 for Linux
Symantec Data Loss Prevention Endpoint Agents                             | 11.x             | All   | Symantec DLP 11.1.1 Agent

 

NOTE:  Disabling content filtering as described in the mitigation section below does NOT interfere with the primary functionality of Symantec’s products, e.g., anti-virus or anti-spam.

ISSUES

 

Medium to High (based on the CVSS2 scoring below)

High
CVSS V2 9.33 (for SMSMSE and SMSDOM, running the Autonomy Verity Keyview Filter in-process or out-of-process with application-level privileges)
Impact: 10  Exploitability: 8.588
CVSS V2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Medium
CVSS V2 4.3 (for SBG/SMG and DLP, running the Autonomy Verity Keyview Filter out-of-process with least privileges)
Impact: 2.862  Exploitability: 8.588
CVSS V2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
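The two scores above differ only in the impact metrics: the in-process deployment is scored as a full C/I/A compromise of the application, while the least-privilege out-of-process deployment is scored as a partial availability loss of the filter process alone. The following PowerShell, added here and not part of the advisory, recomputes both base scores from their vectors using the published CVSS v2 base equations and metric weights:

```powershell
# Added example (not from the Symantec advisory): recompute the CVSS v2 base
# scores quoted in the Issues section from their vector strings.
$AV  = @{ L = 0.395; A = 0.646; N = 1.0 }    # AccessVector
$AC  = @{ H = 0.35;  M = 0.61;  L = 0.71 }   # AccessComplexity
$Au  = @{ M = 0.45;  S = 0.56;  N = 0.704 }  # Authentication
$CIA = @{ N = 0.0;   P = 0.275; C = 0.660 }  # Confidentiality / Integrity / Availability impact

function Get-Cvss2BaseScore {
    param([Parameter(Mandatory)][string]$Vector)   # e.g. 'AV:N/AC:M/Au:N/C:C/I:C/A:C'
    $m = @{}
    foreach ($part in $Vector -split '/') {
        $key, $val = $part -split ':'
        $m[$key] = $val
    }
    # CVSS v2 base equations
    $impact  = 10.41 * (1 - (1 - $CIA[$m.C]) * (1 - $CIA[$m.I]) * (1 - $CIA[$m.A]))
    $exploit = 20 * $AV[$m.AV] * $AC[$m.AC] * $Au[$m.Au]
    $fImpact = if ($impact -eq 0) { 0 } else { 1.176 }
    $base    = ((0.6 * $impact) + (0.4 * $exploit) - 1.5) * $fImpact
    [pscustomobject]@{
        Vector         = $Vector
        # the advisory prints the sub-scores truncated to three decimals
        Impact         = [math]::Truncate($impact * 1000) / 1000
        Exploitability = [math]::Truncate($exploit * 1000) / 1000
        BaseUnrounded  = [math]::Round($base, 4)
        BaseScore      = [math]::Round($base, 1)   # CVSS v2 rounds the base score to one decimal
    }
}

# In-process or application-privilege deployment (SMSMSE, SMSDOM): full C/I/A loss.
Get-Cvss2BaseScore 'AV:N/AC:M/Au:N/C:C/I:C/A:C'   # Impact 10, Exploitability 8.588, base ~9.33 (9.3 to one decimal)

# Out-of-process, least-privilege deployment (SBG/SMG, DLP): only the filter process is affected.
Get-Cvss2BaseScore 'AV:N/AC:M/Au:N/C:N/I:N/A:P'   # Impact 2.862, Exploitability 8.588, base 4.3
```

The exploitability term is identical for both vectors (the same file is delivered over the network with no authentication); the whole difference in severity comes from what the filter process can reach when it is compromised.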

CVE ID Assigned | File Type / KV component         | Credited To                                    | BID
----------------|----------------------------------|------------------------------------------------|----------
CVE-2011-1512   | Excel Doc/xsslr                  | CoreLabs Research                              | BID 48017
CVE-2011-1213   | Excel Doc/xsslr                  | CoreLabs Research                              | BID 48018
CVE-2011-1214   | LZH Archive/lzhsr                | Binaryhouse.net working through iDefense Labs  | BID 48019
CVE-2011-1215   | RTF attach/rtfsr                 | Binaryhouse.net working through iDefense Labs  | BID 48020
CVE-2011-1216   | Applix Spreadsheet/assr          | Binaryhouse.net working through iDefense Labs  | BID 48021
CVE-2011-1218   | Zip File Viewer/kvarcve          | Binaryhouse.net working through iDefense Labs  | BID 48016
CVE-2011-0337   | Ichitaro Speed Reader doc/jtdsr  | Secunia Research                               | BID 49898
CVE-2011-0338   | Ichitaro Speed Reader doc/jtdsr  | Secunia Research                               | BID 49899
CVE-2011-0339   | Ichitaro Speed Reader doc/jtdsr  | Secunia Research                               | BID 49900
-               | Multiple File Types              | CERT.org                                       | -

MITIGATION

 

Details
Symantec was notified of multiple security issues, including possible denial-of-service process crashes and potential code execution vulnerabilities, in several of the file parsing libraries of the Autonomy Verity Keyview Filter shipped with the Symantec products identified above. These vulnerabilities can potentially be targeted during the content filtering process run against maliciously formatted incoming files.

Depending on the product doing the processing, the results of an exploitation attempt range from no impact, to a crash of the child process with negligible impact, to an application crash or, in specific instances, a potential compromise of the application with elevated privileges.

 

Symantec Response
Symantec product engineers worked closely with Autonomy to obtain and provide updates to address all issues.

Symantec Mail Security for Microsoft Exchange runs the Verity Filter as part of the application process. A successful exploitation attempt could potentially result in a denial of service application crash or possibly a privilege compromise in the context of the application. 

Symantec Mail Security for Domino runs the Verity Filter out-of-process by default, which prevents attack attempts from crashing the application. However, the filter process runs in the security context of the application, so a successful exploit attempt could potentially result in a privileged compromise of the application.

Customers running Symantec Mail Security for Microsoft Exchange or Symantec Mail Security for Domino should update to the non-vulnerable versions identified above or disable content filtering by following the mitigation workarounds described below until updates can be obtained and deployed.

In the Symantec BrightMail/Messaging Gateway and Symantec Data Loss Prevention products, the Autonomy Verity KeyView content filtering process has been separated from the Symantec applications (out-of-process) and runs with least privilege. This out-of-process method specifically addresses these types of security concerns.

Any attempt to exploit these issues results in termination of the offending thread and an error message that is returned to and handled by the specific application(s). Nonetheless, non-vulnerable versions of the Verity Filter have been updated and made available to customers. Customers may still disable content filtering through the temporary mitigation workarounds described below until updates can be obtained and deployed.

Symantec knows of no exploitation of or adverse customer impact from these issues.

 

Update Information

Updates will be available through customers’ normal support/download locations.

SMS for Domino and Microsoft Exchange updates will be available through the Platinum Support Web Site for Platinum customers or through the FileConnect - Electronic Software Distribution web site.

Symantec DLP updates will be available for download through secure file exchange.

 

Workaround/Mitigations

Temporary Workaround to disable content filtering in Symantec Mail Security for Microsoft Exchange 
Installations of SMS for Microsoft Exchange that do not utilize the Content Filtering capabilities of the product are not susceptible. SMS for Microsoft Exchange would be susceptible only if the attachment content scanning option is enabled.

As an interim workaround, administrators may fully disable content filtering rules that contain parameters specifying scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for SMS for Microsoft Exchange:

  • Select the "Policies" tab and then choose "Content Filtering" to display the list of currently enabled rules
  • Ensure that all rules using attachment content are "disabled"

Or, instead of disabling content filtering altogether, the administrator can rename only the affected readers until updates can be installed:

  • Go to the Verity bin folder of the product installation, e.g. SMSMSE -> Verity -> bin
  • Locate the affected binary, e.g. lzhsr.dll
  • Rename the binary, e.g. to lzhsr_disabled.dll
  • Content filtering will now NOT be performed for those attachments previously read by the affected reader(s).

 

Temporary Workaround to disable content filtering in Symantec Mail Security for Domino
Installations of SMS for Domino that do not utilize the Content Filtering capabilities of the product are not susceptible to this issue. SMS for Domino would be susceptible only if the attachment content scanning option is enabled.

As an interim workaround, administrators may disable content filtering rules that contain parameters specifying scanning of attachment content. The rules do not need to be deleted, only disabled until an updated release is installed.

To disable content filtering rules for Symantec Mail Security for Domino:

  • Select the "Content Filtering" tab to display the list of currently enabled rules
  • Click on the checkmark to the left of any rules that utilize attachment content filtering, changing it to a red "X" and disabling the rule

Or, instead of disabling content filtering altogether, the administrator can rename only the affected readers until updates can be installed:

  • Go to the Verity bin folder of the product installation, e.g. SMSDOM -> Server -> Verity -> bin
  • Locate the affected binary, e.g. lzhsr.dll
  • Rename the binary, e.g. to lzhsr_disabled.dll
  • Content filtering will now NOT be performed for those attachments previously read by the affected reader(s).
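The reader-renaming workaround for both SMS for Microsoft Exchange and SMS for Domino, scripted as an added PowerShell example that is not part of the advisory. The reader names come from the issue table above; only lzhsr.dll is named as a file in the advisory, so the other file names and the installation path are assumptions, and -WhatIf previews the renames before anything is changed.

```powershell
# Added example (not from the Symantec advisory): rename the affected KeyView
# reader DLLs in the Verity bin folder so those attachment types are skipped,
# and restore them with -Undo once the fixed release is installed.
function Set-KeyViewReaderState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Verity bin folder, e.g. "...\SMSMSE\Verity\bin" or "...\SMSDOM\Server\Verity\bin"
        [Parameter(Mandatory)][string]$VerityBin,
        # KV components from the issue table; only lzhsr.dll is confirmed as a
        # file name by the advisory, the rest are assumed to follow the same pattern
        [string[]]$Readers = @('xsslr', 'lzhsr', 'rtfsr', 'assr', 'kvarcve', 'jtdsr'),
        [switch]$Undo
    )
    if (-not (Test-Path -LiteralPath $VerityBin -PathType Container)) {
        throw "Verity bin folder not found: $VerityBin"
    }
    foreach ($reader in $Readers) {
        $active   = Join-Path $VerityBin "${reader}.dll"
        $disabled = Join-Path $VerityBin "${reader}_disabled.dll"
        if ($Undo) { $from = $disabled; $to = $active } else { $from = $active; $to = $disabled }
        if (-not (Test-Path -LiteralPath $from)) {
            Write-Verbose "Skipping ${reader}: $from is not present"
            continue
        }
        if (Test-Path -LiteralPath $to) {
            Write-Warning "Skipping ${reader}: $to already exists"
            continue
        }
        $newName = Split-Path $to -Leaf
        if ($PSCmdlet.ShouldProcess($from, "Rename to $newName")) {
            Rename-Item -LiteralPath $from -NewName $newName
            [pscustomobject]@{ Reader = $reader; From = $from; To = $to }
        }
    }
}

# Preview first (placeholder path, adjust to the actual installation), then run
# without -WhatIf to apply; after installing the update, run again with -Undo.
Set-KeyViewReaderState -VerityBin 'C:\Program Files\Symantec\SMSMSE\Verity\bin' -WhatIf -Verbose
```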

Temporary Workaround to disable content filtering in Symantec Brightmail Gateway or Symantec Messaging Gateway 
Risk from these issues is limited on installations of Symantec Brightmail or Symantec Messaging Gateway in which the attachment content scanning option is enabled, and installations that do not utilize the Content Filtering capabilities of the product are not affected by these issues.

As an interim workaround, administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for either Symantec Brightmail Gateway or Symantec Messaging Gateway:

  • Log into the management console and navigate to the SMTP Scanning Settings screen
  • Disable the item "Enable searching of non-plain text attachments for words in dictionaries", by deselecting the checkbox, and saving
  • Disable any Compliance policies with a condition:
    • "If any part of the message matches" (or "does not match") a regular expression, pattern or Record Resource.
    • "If text in Attachment content part of the message . . . "

 

Best Practices
As part of normal best practices, Symantec strongly recommends:

  • Restrict access to administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Run under the principle of least privilege where possible to limit the impact of exploit by threats.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

ACKNOWLEDGEMENTS

 

Will Dormann and Jared Allar with CERT/CC identified multiple issues in the Autonomy Keyview module. Additional issues in the Autonomy Keyview module were identified by Secunia Research, Binaryhouse.net working through iDefense Labs and Core Technologies.

REFERENCES

 

BID: Security Focus, http://www.securityfocus.com, has assigned a Bugtraq ID (BID) to these issues for inclusion in the Security Focus vulnerability database. BIDs have been assigned as indicated in the Issues table above.
CVE: These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE IDs as indicated in the Issues table above.