Symantec Updates HP Autonomy Keyview Filter Issues Affecting Multiple Vendors

1262

05 March 2020

20 November 2012

CLOSED

HIGH

9.33

SUMMARY

 

Multiple security issues have been identified in HP Autonomy's Keyview Content Filter libraries.  Symantec has updated the Keyview modules being shipped with Symantec products in response to these issues.

AFFECTED PRODUCTS

 

| Product | Version | Build | Solution(s) |
|---|---|---|---|
| Symantec Mail Security for Microsoft Exchange (SMSMSE) | 6.5.7 and earlier | All | SMSMSE 6.5.8 (see mitigation workarounds below to disable content filtering as an interim); Upgrade to SMSMSE 7.0 (When Available) |
| Symantec Mail Security for Domino (SMSDOM) | 8.1.0 and earlier | All | SMSDOM 8.1.1 (see mitigation workarounds below to disable content filtering as an interim) |
| Symantec Messaging Gateway (SMG) | 9.5.x | All | Symantec Messaging Gateway 10.0.1 |
| Symantec Data Loss Prevention (DLP) Enforce/Detection Servers for Windows | 11.x | All | Symantec DLP 11.6.1 for Windows |
| Symantec Data Loss Prevention Enforce/Detection Servers for Linux | 11.x | All | Symantec DLP 11.6.1 for Linux |
| Symantec Data Loss Prevention Endpoint Agents | 11.x | All | Symantec DLP 11.6.1 Agent |

NOTE:  Disabling content filtering as described in the mitigation section below does NOT interfere with the primary functionality of Symantec's products, e.g., anti-virus or anti-spam.

ISSUES

 

Medium to High (based on the CVSS2 scoring below)

High
CVSS V2 9.33 (for SMSMSE and SMSDOM, running the Autonomy Verity Keyview Filter in-process or out-of-process with application-level privileges.)

Impact: 10 Exploitability: 8.588

CVSS V2 Vector AV:N/AC:M/Au:N/C:C/I:C/A:C

Medium

CVSS V2 4.3 (for SBG/SMG and DLP, running the Autonomy Verity Keyview Filter out-of-process with least privileges.)

Impact: 2.862 Exploitability: 8.588

CVSS V2 Vector AV:N/AC:M/Au:N/C:N/I:N/A:P
 

MITIGATION

 

Details

Symantec was notified of multiple security issues, including possible denial-of-service process crashes and potential code execution vulnerabilities, identified in several of the file parsing libraries in HP's Autonomy Verity Keyview Filter shipped with the Symantec products identified above. These vulnerabilities can potentially be targeted when the content filtering process is run against maliciously formatted incoming files.

Attempted exploitation results, depending on the product involved in the processing, range from no impact to a crash of the child process with negligible impact, an application crash or, in specific instances, potential elevated privilege application compromise.

 

Symantec Response

 Symantec product engineers worked closely with HP's Autonomy Support to obtain and provide updates to address all issues.

Symantec Mail Security for Microsoft Exchange runs the Autonomy Keyview Filter as part of the application process. A successful exploitation attempt could potentially result in a denial of service application crash or possibly a privilege compromise in the context of the application. 

Symantec Mail Security for Domino runs the Autonomy Keyview Filter out-of-process by default, preventing attack attempts from crashing the application. However, the process runs in the context of the application, which could potentially allow a privileged application compromise from a successful exploit attempt.

Customers running Symantec Mail Security for Microsoft Exchange or Symantec Mail Security for Domino should update to the non-vulnerable versions identified above or disable content filtering by following the mitigation workarounds described below until updates can be obtained and deployed.

In the Symantec Messaging Gateway and Symantec Data Loss Prevention products, the Autonomy Keyview content filtering process has been separated from the Symantec applications (out-of-process) and runs with least privilege. This out-of-process method specifically addresses these types of security concerns.

Any attempt to exploit these issues results in process termination of the offending thread and an error message generated to and handled by the specific application(s). However, non-vulnerable versions of the Verity Filter have been updated and made available to customers. Customers may still disable content filtering through the temporary mitigation workarounds described below until updates can be obtained and deployed.

Symantec knows of no exploitation of or adverse customer impact from these issues.

 

Update Information

Updates will be available through customers' normal support/download locations.


SMS for Domino and Microsoft Exchange updates will be available through the Platinum Support Web Site for Platinum customers or through the FileConnect - Electronic Software Distribution web site.

Symantec DLP updates will be available for download through secure file exchange.

 

Workaround/Mitigations

Temporary Workaround to disable content filtering in Symantec Mail Security for Microsoft Exchange 
Installations of SMS for Microsoft Exchange that do not utilize the Content Filtering capabilities of the product are not susceptible. SMS for Microsoft Exchange would be susceptible only if the attachment content scanning option is enabled.

As an interim workaround, administrators may fully disable content filtering rules that contain parameters specifying scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for SMS for Microsoft Exchange:

  • Select the "Policies" tab and then choose "Content Filtering" to display the list of currently enabled rules
  • Ensure that all rules using attachment content are "disabled"

Or, instead of disabling content filtering altogether, the administrator can rename only the affected readers until updates can be installed:

  • Go to the Verity bin folder of the product installation, e.g. SMSMSE -> Verity -> bin
  • Locate the affected binary, e.g. vsd.dll
  • Rename the binary, e.g. vsd_disabled.dll.
  • Content filtering will now NOT be performed for those attachments previously read by the affected reader(s).

 

Temporary Workaround to disable content filtering in Symantec Mail Security for Domino

Installations of SMS for Domino that do not utilize the Content Filtering capabilities of the product are not susceptible to this issue. SMS for Domino would be susceptible only if the attachment content scanning option is enabled.

As an interim workaround, administrators may disable content filtering rules that contain parameters specifying scanning of attachment content. The rules do not need to be deleted, only disabled until an updated release is installed.

To disable content filtering rules for Symantec Mail Security for Domino:

  • Select the "Content Filtering" tab to display the list of currently enabled rules
  • Click on the checkmark to the left of any rules that utilize attachment content filtering, changing it to a red "X" and disabling the rule

Or, instead of disabling content filtering altogether, the administrator can rename only the affected readers until updates can be installed:

  • Go to the Verity  bin folder of the product installation, e.g. SMSDOM -> Server -> Verity -> bin
  • Locate the affected binary, e.g. vsd.dll
  • Rename the binary, e.g. vsd_disabled.dll.
  • Content filtering will now NOT be performed for those attachments previously read by the affected reader(s).

 

Temporary Workaround to disable content filtering in Symantec Messaging Gateway 
Risk from these issues is limited on installations of Symantec Messaging Gateway in which the attachment content scanning option is enabled. However, installations that do not utilize the Content Filtering capabilities of the product are not impacted by these issues.

As an interim workaround, administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for Symantec Messaging Gateway:

  • Log into the management console and navigate to the SMTP Scanning Settings screen
  • Disable the item "Enable searching of non-plain text attachments for words in dictionaries", by deselecting the checkbox, and saving
  • Disable any Compliance policies with a condition:
  1. "If any part of the message matches" (or "does not match") a regular expression, pattern or Record Resource.
  2. "If text in Attachment content part of the message . . . "

 

Best Practices

As part of normal best practices, Symantec strongly recommends:

  • Restrict access to administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Run under the principle of least privilege where possible to limit the impact of exploit by threats.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

ACKNOWLEDGEMENTS

 

Will Dormann with CERT/CC for identifying and reporting these issues in HP's Autonomy Keyview content filter. 

REVISION

 

11/21/2012 Clarified SMSMSE and SMSDOM affected products