Symantec AntiVirus Decomposition Buffer Overflow

Advisory ID: 1083
Updated: 06 March 2020
Published: 21 December 2005
Status: CLOSED
Severity: HIGH
CVSS Base Score: 7.5

SUMMARY

Symantec is aware of a buffer overflow in its AntiVirus component used to decompose RAR (Roshal Archive). A specially crafted RAR file could potentially cause this buffer overflow to occur and possibly execute hostile content from the RAR file on the targeted system.

Risk Impact: High
Remote Access: Yes
Local Access: No
Authentication Required: No
Exploit publicly available: No

 

AFFECTED PRODUCTS

Vulnerable Products

  1. As Symantec continues to investigate this issue, the list of affected products may be updated.
  2. Product updates will be available from the Symantec support site: http://www.symantec.com/techsupp/ or via LiveUpdate when available.
  3. Only currently supported Symantec Products will be updated. Customers using unsupported versions are encouraged to upgrade to a supported version.
  4. Some product updates are available via Symantec LiveUpdate. Users will need to perform a manual LiveUpdate to receive and install these product updates.

    To perform a manual update using Symantec LiveUpdate, users should:
    • Open any installed Symantec product
    • Click on LiveUpdate in the toolbar
    • Run LiveUpdate until all available Symantec product updates are downloaded and installed
  5. Product updates will initially be available for the English language versions. Localized versions of the update will be available as soon as fully tested. Please check for localized updates at your normal product support location.

To date, Symantec has not had any reports of attempts to exploit or customers impacted by this vulnerability.

Affected Enterprise Products

Products | Versions | Builds | Update To
--- | --- | --- | ---
Norton AntiVirus for Microsoft Exchange | 2.18 and earlier | All | SMSMSE 4.6.4.110
Symantec AntiVirus/Filtering for Microsoft Exchange | 4.0.10.465 and earlier | All | SMSMSE 4.6.4.110
Symantec Mail Security | 8200 | All | 4.1.2-17
Symantec Mail Security for Microsoft Exchange | 4.5.4 and earlier | All | 4.6.4.110
Symantec Mail Security for Microsoft Exchange | 4.6.3 and earlier | All | 4.6.4.110
Symantec Mail Security for Microsoft Exchange | 5.0.0.204 | All | 5.0.1.208
Symantec Mail Security for Domino NT | 4.0.3 and earlier | All | 4.1.5.30
Symantec Mail Security for Domino NT | 4.1.4 and earlier | All | 4.1.5.30
Symantec Mail Security for Domino NT | 5.0.0.47 | All | 5.0.1.49
Symantec AntiVirus/Filtering for Domino MPE (AIX, Linux, Solaris) | 3.0.11 and earlier | All | 3.0.12.25
Symantec Scan Engine | 5.0.1 and earlier | All | 5.0.2.32
Symantec AntiVirus Scan Engine | 4.1.8 and earlier | All | 4.1.9.30
Symantec AntiVirus Scan Engine | 4.3.12 and earlier | All | 4.3.13.36
Symantec AntiVirus Scan Engine for MS ISA | 4.3.12 and earlier | All | 4.3.13.36
Symantec AntiVirus Scan Engine for MS SharePoint | 4.3.12 and earlier | All | 4.3.13.36
Symantec AntiVirus Scan Engine for Messaging | 4.3.12 and earlier | All | 4.3.13.36
Symantec AntiVirus for Network Attached Storage | 4.3.12 and earlier | All | 4.3.13.36
Symantec AntiVirus Scan Engine for Clearswift | 4.3.12 and earlier | All | 4.3.13.36
Symantec AntiVirus Scan Engine for Caching | 4.3.12 and earlier | All | 4.3.13.36
Symantec AntiVirus for SMTP | 3.1.7 and earlier | All | SMSSMTP 4.1.11.41
Symantec Mail Security for SMTP | 4.1.9 and earlier | All | 4.1.11.41
Symantec Client Security | 3.X | All | 3.0.2.2001 (MR2 PP1); 3.0.2 MP1
Symantec Web Security | 3.0.1 and earlier | All | 3.0.1.76
Symantec Gateway Security 5000 Series | 3.0 | All | SGS3.0-20051222-00
Symantec Gateway Security 5400 Series | 2.0 | All | SGS2.0.1-20051222-00
Symantec Gateway Security | 1.0 | All | SG7004-20051222-00
Symantec Brightmail AntiSpam | 6.0 | All | 6.0.3 (patch 164)
Symantec Brightmail AntiSpam | 5.5 | All | Upgrade to 6.0.3 (patch 164)
Symantec Brightmail AntiSpam | 4.0 | All | 4.0.9
Symantec AntiVirus Corporate Edition | 10.X | All | 10.0.2.2001 (MR2 PP1); 10.0.2 MP1
Symantec AntiVirus for Macintosh | 10.X | All | Macintosh virus definitions dated January 4, 2006 or later

Affected Consumer Products

Products | Versions | Builds | Update To
--- | --- | --- | ---
Norton AntiVirus | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate)
Norton AntiVirus | 2005 | All | Common Client 3.0.6 (via LiveUpdate)
Norton AntiVirus | 2004 | All | Common Client 2.1.9 (via LiveUpdate)
Norton Internet Security Professional | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate)
Norton Internet Security Professional | 2005 AntiSpyware Edition | All | Common Client 3.5.7 (via LiveUpdate)
Norton Internet Security Professional | 2005 | All | Common Client 3.0.6 (via LiveUpdate)
Norton Internet Security Professional | 2004 | All | Common Client 2.1.9 (via LiveUpdate)
Norton SystemWorks | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate)
Norton SystemWorks | 2005 | All | Common Client 3.0.6 (via LiveUpdate)
Norton SystemWorks | 2004 | All | Common Client 2.1.9 (via LiveUpdate)
Norton Personal Firewall | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate)
Norton Personal Firewall | 2005 | All | Common Client 3.0.6 (via LiveUpdate)
Norton Personal Firewall | 2004 | All | Common Client 2.1.9 (via LiveUpdate)
Norton AntiVirus for Macintosh | 10.X | All | Macintosh virus definitions dated January 4, 2006 or later
Norton AntiVirus for Macintosh | 9.X | All | Macintosh virus definitions dated January 4, 2006 or later
Norton Internet Security for Macintosh | 3.X | All | Macintosh virus definitions dated January 4, 2006 or later
Norton SystemWorks for Macintosh | 3.X | All | Macintosh virus definitions dated January 4, 2006 or later
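The product matrix is written for people, with "and earlier" ranges, whole release branches such as "3.X", and single listed builds. The following added Python example (not Symantec's own tooling) shows how an inventory check can interpret those cells and report which "Update To" build an installed version needs. The rows are a subset transcribed from the enterprise matrix above; the installed versions fed to it are constructed inputs, not real hosts.

```python
"""Added example (not Symantec's own tooling): decide whether an installed
Symantec product version is covered by this advisory's product matrix and,
if so, which "Update To" build applies.  The rows below are a subset
transcribed from the matrix above; the installed versions passed in by the
caller are constructed inputs for illustration."""
import re

# (product, "Versions" cell, "Update To" cell), transcribed from the advisory.
ADVISORY_ROWS = [
    ("Symantec AntiVirus Scan Engine", "4.1.8 and earlier", "4.1.9.30"),
    ("Symantec AntiVirus Scan Engine", "4.3.12 and earlier", "4.3.13.36"),
    ("Symantec Mail Security for Microsoft Exchange", "4.5.4 and earlier", "4.6.4.110"),
    ("Symantec Mail Security for Microsoft Exchange", "4.6.3 and earlier", "4.6.4.110"),
    ("Symantec Mail Security for Microsoft Exchange", "5.0.0.204", "5.0.1.208"),
    ("Symantec Client Security", "3.X", "3.0.2.2001 (MR2 PP1)"),
]


def parse_version(text):
    """'4.1.8 and earlier' -> (4, 1, 8): numeric components of the first token."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split()[0]))


def _padded(a, b):
    """Right-pad the shorter tuple with zeros so 4.1.8 and 4.1.8.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_le(a, b):
    """Numeric dotted-version comparison; missing trailing components count as 0."""
    a, b = _padded(a, b)
    return a <= b


def common_prefix_len(a, b):
    """Number of leading components two versions share (4.1.5 vs 4.1.8 -> 2)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def spec_matches(spec, installed):
    """Interpret one "Versions" cell.  Returns (matched, specificity), where
    specificity is how many leading components the cell pins down."""
    spec = spec.strip()
    if spec.endswith("and earlier"):
        bound = parse_version(spec)
        return version_le(installed, bound), common_prefix_len(installed, bound)
    if spec.upper().endswith(".X"):                 # whole release branch, e.g. "3.X"
        branch = parse_version(spec[:-2])
        return installed[:len(branch)] == branch, len(branch)
    a, b = _padded(installed, parse_version(spec))  # a single listed build
    return a == b, len(b)


def required_update(product, installed_version, rows=ADVISORY_ROWS):
    """Return the "Update To" entry for an installed version, or None when no
    row covers it.  When several "and earlier" rows cover the same version
    (the matrix lists one per release branch), the row whose bound shares the
    longest prefix with the installed version wins, so a 4.1.x Scan Engine
    install is pointed at the 4.1.9.30 build rather than the 4.3 one."""
    installed = parse_version(installed_version)
    best = None
    for name, spec, update_to in rows:
        if name != product:
            continue
        matched, specificity = spec_matches(spec, installed)
        if matched and (best is None or specificity > best[0]):
            best = (specificity, update_to)
    return best[1] if best else None


if __name__ == "__main__":
    # Constructed inventory entries, not real hosts.
    for product, version in [
        ("Symantec AntiVirus Scan Engine", "4.1.5"),
        ("Symantec AntiVirus Scan Engine", "4.3.13.36"),
        ("Symantec Client Security", "3.0.1"),
    ]:
        print(f"{product} {version}: {required_update(product, version) or 'not listed'}")
```

The branch-aware tie-break matters for products that appear twice in the matrix: a 4.1.5 Scan Engine satisfies both "4.1.8 and earlier" and "4.3.12 and earlier", and the longest shared prefix selects the 4.1.9.30 build for it. Anything at or above the fixed build of its branch returns None, which is the signal that the host is already current for this advisory.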

 

ADDITIONAL PRODUCT INFORMATION

Products Not Affected

Products | Versions | Builds
--- | --- | ---
Symantec AntiVirus Corporate Edition | 9.X - all versions | All
Symantec AntiVirus Corporate Edition | 8.X - all versions | All
Symantec Client Security | 2.X | All
Symantec Client Security | 1.X | All
Symantec Enterprise Firewall | 8.0 | All
Symantec Clientless VPN Gateway 4400 Series | 5.0 | All
Symantec Firewall / VPN Appliance | 100/200 | All
Symantec Gateway Security 300/400 Series | 2.0 | All
Norton AntiVirus for Macintosh | 7.X | All
Norton AntiVirus for Macintosh | 8.X | All
Norton Internet Security for Macintosh | 2.X | All
Symantec AntiVirus for HandHelds - Corporate Edition | All | All
Symantec AntiVirus for Handhelds | All | All
Symantec Client Security for Nokia | | All

 

ISSUES

A specially crafted RAR file could potentially cause this buffer overflow to occur and possibly execute hostile content from the RAR file on the targeted system.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE-2005-4438 to this issue.

MITIGATION

Symantec Response
Symantec is currently building, testing and distributing product updates for all supported affected products.

Mitigations
Symantec Security Response posted an antivirus-based protection signature to LiveUpdate on December 20, 2005, providing a heuristic detection for potential exploits of the Symantec decomposer RAR archive vulnerability. This signature is available through LiveUpdate to all desktop, server and gateway product versions of Symantec's security products and appliance solutions that contain the decomposer RAR archive. Symantec strongly recommends that customers immediately ensure their products are up-to-date to protect against possible threats.

Customers may also mitigate the risk to the antivirus component by disabling scanning of RAR compressed files until the vulnerable code is fixed. However, it is important to note that disabling RAR scanning may allow RAR files containing viruses through the security gateway.

Instructions to disable scanning of RAR compressed files for Symantec gateway products can be found at: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2005122213230354

To disable scanning of RAR files in Auto-Protect for Norton AntiVirus 9 and Norton AntiVirus 10:

  1. Open the System Preferences
  2. Select the Norton Auto-Protect preference pane
  3. Set 'Scan Compressed Files' to 'Off'
  4. Close the System Preferences

This will disable the use of the Decomposer Engine when Auto-Protect is scanning files.

ACKNOWLEDGEMENTS

Symantec thanks Alex Wheeler for providing coordination and working with Symantec to resolve this issue.

REVISION

Revision History
12/22/05 - Updated product matrix, Additional mitigations
12/28/05 - Additional product updates, Refined mitigation
12/30/05 - Additional product updates
01/03/06 - Additional product updates
01/05/06 - Additional product updates
01/12/06 - Additional product updates
01/18/06 - Additional product updates
01/24/06 - Additional product updates
01/27/06 - Additional product updates