Symantec Decomposer Engine Multiple Parsing Vulnerabilities

1371

05 March 2020

28 June 2016

CLOSED

HIGH

8.6

SUMMARY

 

Symantec is aware of buffer overflow and memory corruption findings in the AntiVirus Decomposer engine used in various configurations by multiple Symantec products.

FAQ on Impact to Symantec Products:

https://support.symantec.com/en_US/article.INFO3807.html

AFFECTED PRODUCTS

 

Affected Enterprise Products

 

Product

Version

Solution(s)

Advanced Threat Protection (ATP)

2.0.3 and prior

Updated via definition updates

Symantec Data Center Security:Server (SDCS:S)

6.0
6.0MP1
6.5
6.5MP1
6.6
6.6MP1

Updated via definition updates

Symantec Web Security .Cloud

 

Updated via hosted software update, customer interface not required

Email Security Server .Cloud (ESS)

 

Updated via hosted software update, customer interface not required

Symantec Web Gateway

 

Updated via definition updates

Symantec Endpoint Protection (SEP)

12.1.6 MP4 and prior

Update to SEP 12.1 RU6 MP5
https://support.symantec.com/en_US/article.TECH103088.html

Symantec Endpoint Protection for Mac (SEP for Mac)

12.1.6 MP4 and prior

Updated via definition updates

Symantec Endpoint Protection for Linux (SEP for Linux)

12.1.6 MP4 and prior

Update to SEP for Linux

 

12.1 RU6 MP5
https://support.symantec.com/en_US/article.TECH103088.html

Symantec End Point Protection, Small Business Enterprise (SEP SBE) Desktop and Laptop (Hosted)

Cloud Agent: 2.03.71.2618 and prior
Protection Agent: NIS-22.5.4 and prior

Cloud Agent: 3.00.00.2701
Protection Agent: Automatic software update to NIS-22.6.4 available (Follow instructions in this support article)

SEP SBE for Server

Cloud Agent: 2.03.71.2618 and prior
Protection Agent: SEP-12.1.4013.4013 and prior

Cloud Agent: 3.00.00.2701
Protection Agent: Software update to SEP-12.1.7004.6500 available (Follow instructions in this support article to complete the update)

SEP SBE for Mac

Protection Updates prior to July 13, 2016

Updated via definition updates July 13, 2016 or later

Symantec Endpoint Protection Small Business Edition 12.1 (On-Premises) End of Life product

12.1.5 and prior

Follow instructions in this support article

Symantec Protection Engine (SPE)

7.0.5 and prior

Update to SPE 7.0.5 HF01
For more details please refer the KB link:
https://support.symantec.com/en_US/article.INFO3791.html

7.5.4 and prior

SPE 7.5.4 (AWS platform) should update to SPE 7.5.4 HF01
SPE 7.5.3 and prior should Update to SPE 7.5.3 HF03 
For more details please refer the KB link:
https://support.symantec.com/en_US/article.INFO3791.html

7.8.0

Update to SPE 7.8.0 HF01
For more details please refer the KB link:
https://support.symantec.com/en_US/article.INFO3791.html

Symantec Protection for SharePoint Servers (SPSS)

6.03 to 6.05

Update to Hotfix:
SPSS_6.0.3_To_6.0.5_HF_1.5
For more details please refer the KB link:
https://support.symantec.com/en_US/article.INFO3795.html

6.0.6 and prior

Update to Hotfix:
SPSS_6.0.6_HF_1.6
For more details please refer the KB link:
https://support.symantec.com/en_US/article.INFO3795.html

Symantec Mail Security for Microsoft Exchange (SMSMSE)

6.5.8

Update to Hotfix:
SMSMSE_6.5.8_3968140_HF1.3
For more details please refer the KB link:
https://support.symantec.com/en_US/article.INFO3794.html

7.0.4 and prior

Update to Hotfix:
SMSMSE_7.0_3966002_HF1.1
For more details please refer the KB link:
https://support.symantec.com/en_US/article.INFO3794.html

7.5.4 and prior

Update to Hotfix:
SMSMSE_7.5_3966008_VHF1.2
For more details please refer the KB link:
https://support.symantec.com/en_US/article.INFO3794.html

Symantec Mail Security for Domino (SMSDOM)

8.0.9 and prior

Update to Hotfix:
SMSDOM_8.0.9_HF1.1
For more details please refer the KB link:
https://support.symantec.com/en_US/article.INFO3793.html

8.1.3 and prior

Update to Hotfix:
SMSDOM_8.1.3_HF1.2
For more details please refer the KB link:
https://support.symantec.com/en_US/article.INFO3793.html

CSAPI

10.0.4 and prior

Update to CSAPI 10.0.4 HF01

Symantec Message Gateway (SMG)

SMG 10.6.1-3 and prior

Update to SMG 10.6.1-4

Symantec Message Gateway for Service Providers (SMG-SP)

10.6

SMG-SP 10.6, patch 253

10.5

SMG-SP 10.5, patch 254

 

Affected Norton Products

 

Norton Product Family

All Prior to NGC 22.7

Updated through LiveUpdateTM

Norton AntiVirus

Norton Security

Norton Security with Backup

Norton Internet Security

Norton 360

Norton Security for Mac

All Prior to 13.0.2

Updated through LiveUpdateTM

Norton Power Eraser (NPE)

All Prior to 5.1

Updated through LiveUpdateTM

Norton Bootable Removal Tool (NBRT)

All Prior to 2016.1

New Release available on Download

ISSUES

 

Severity (CVSS v2 and CVSS v3)

 

CVSS

 

Base Score

CVSS Vector

RAR decompression memory access violation - High

v2 7.8

AV:N/AC:L/Au:N/C:N/I:N/A:C

v3 7.5

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Dec2SS buffer overflow - High

v2 9.0

AV:N/AC:L/Au:N/C:P/I:P/A:C

v3 8.6

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Dec2LHA buffer overflow - High

v2 9.0

AV:N/AC:L/Au:N/C:P/I:P/A:C

v3 8.6

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CAB decompression memory corruption - High

v2 7.8

AV:N/AC:L/Au:N/C:N/I:N/A:C

v3 7.5

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

MIME message modification memory corruption - High

v2 7.8

AV:N/AC:L/Au:N/C:N/I:N/A:C

v3 7.5

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

TNEF integer overflow - Low

0.0

AV:N/AC:L/Au:N/C:N/I:N/A:N

ZIP decompression memory access violation - High

v2 7.8

AV:N/AC:L/Au:N/C:N/I:N/A:C

v3 7.5

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

 

CVE

BID

Description

CVE-2016-2207

91434

RAR decompression memory access violation

CVE-2016-2209

91436

Dec2SS buffer overflow

CVE-2016-2210

91437

Dec2LHA buffer overflow

CVE-2016-2211

91438

CAB decompression memory corruption

CVE-2016-3644

91431

MIME message modification memory corruption

CVE-2016-3645

91439

TNEF integer overflow

CVE-2016 -3646

91435

ZIP decompression memory access violation

 

MITIGATION

 

Details

 

Parsing of maliciously-formatted container files may cause memory corruption, integer overflow or buffer overflow in Symantecs Decomposer engine. Successful exploitation of these vulnerabilities typically results in an application-level denial of service but could result in arbitrary code execution. An attacker could potentially run arbitrary code by sending a specially crafted file to a user.

 

In the TNEF unpacker, the overflow does not result in any detrimental actions due to underlying code. However this was an exposure due to improper implementation that could potentially be leveraged further, at some point, by a malicious individual. As such, it also was addressed in the engine update.

 

Symantec Response 
Symantec has verified these issues and addressed them in product updates as identified in the solution portion of the affected products matrix above. We have also added additional checks to our Secure Development LifeCycle to mitigate similar issues in future.

 

Symantec is not aware of these vulnerabilities being exploited in the wild.

 

To fully mitigate the identified vulnerabilities, Symantec recommends applying the required patches to the affected products as soon as possible. This is the only means to ensure that installed products cannot be exploited. Symantec has released the following list of AV signatures in an effort to block/detect attempts at exploitation.

Vulnerabilities

Signatures

LiveUpdate rev.

RAR decompression memory access violation

EXP.CVE-2016-2207

20160628.037

Dec2SS buffer overflow

EXP.CVE-2016-2209

20160628.037

Dec2LHA buffer overflow

EXP.CVE-2016-2210

20160628.037

CAB decompression memory corruption

EXP.CVE-2016-2211

20160628.037

MIME message modification memory corruption

EXP.CVE-2016-3644

20160628.037

TNEF integer overflow

EXP.CVE-2016-3645

20160628.037

ZIP decompression memory access violation

EXP.CVE-2016-3646

20160628.037


Update Information 
All Norton products have been updated through LiveUpdateTM. Customers of Symantec Enterprise products should check the chart below to determine which products have been updated automatically and which require product updates.

 

Identifying Product Update:

 

Product

Identifying Product Update

Advanced Threat Protection (ATP)

For an appliance which role is Network Scanner, ensure Latest Definition Updates Applied

Login to ATP web ui > Setting > Appliance > choose appliance which has 'Scanner' role

1) 'SCANNING' field is shown as 'Enabled'
2) 'AV ENGINE' field is observed with a definition revision number 20160628.037 or greater

Symantec Web Security (SWS)

Ensure Latest Definition Updates Applied

Symantec Data Center Security:Server (SDCS:S)

Ensure Latest Definition Updates Applied

Symantec Endpoint Protection (SEP)

 

Symantec Endpoint Protection for Linux (SEP for Linux)

all platforms - Help -> About will reflect the MP5 release version which will be at least 12.1.7004.6500

Symantec Endpoint Protection for Mac (SEP for Mac)

Apply definitions dated June 28th, 2016 rev. 37 or later.

https://support.symantec.com/en_US/article.TECH235207.html

Symantec Protection Engine (SPE)

Support will provide notification regarding location, deployment and verification steps

 

https://support.symantec.com/en_US/article.INFO3791.html

Symantec Protection for SharePoint Servers (SPSS)

Support will provide notification regarding location, deployment and verification steps

 

https://support.symantec.com/en_US/article.INFO3795.html

Symantec Mail Security for Microsoft Exchange (SMSMSE)

Support will provide notification regarding location, deployment and verification steps

 

https://support.symantec.com/en_US/article.INFO3794.html

Symantec Mail Security for Domino (SMSDOM)

Support will provide notification regarding location, deployment and verification steps

 

https://support.symantec.com/en_US/article.INFO3793.html

CSAPI

Support will provide notification regarding location, deployment and verification steps

Symantec Message Gateway (SMG)

Current installed version should be 10.6.1-4

Symantec Message Gateway for Service Providers (SMG-SP)

Ensure installed version of updated binary files have the same checksum specified in the patch release notes

 

NOTE: If you require additional information on how to update your Symantec product, see https://support.symantec.com/en_US/article.TECH125408.html

 

Norton Family:

 

Product update is delivered via LiveUpdateTM. LiveUpdateTM runs automatically at regular intervals or users can run an interactive LiveUpdateTM.

 

To perform LiveUpdateTM interactively, users should:

 

  • Access LiveUpdateTM in the product

  • Run LiveUpdateTM until all available updates are downloaded and installed

 

The Help -> About Box in the product UI will show the version 22.7.0.x if the update has been successfully applied.

 

Best Practices

 

As part of normal best practices, Symantec strongly recommends the following:

 

  • Restrict access to administrative or management systems to authorized privileged users.

  • Restrict remote access, if required, to trusted/authorized systems only.

  • Run under the principle of least privilege where possible to limit the impact of potential exploit.

  • Keep all operating systems and applications current with vendor patches.

  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.

  • Deploy network- and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

ACKNOWLEDGEMENTS

 

Symantec would like to thank Tavis Ormandy with Google's Project Zero, for reporting these to us and working closely with us as we addressed the issues.

REVISION

 

7/15/2016

  • Additional updates to affected products table for SEP SBE

6/29/2016

  • Protection signatures added to Symantec Response section

  • Changes to the affected products tables.