Phenoelit Advisory #0815: http://www.phenoelit.de/stuff/LiveUpdate.txt
Symantec evaluates the risk impact of a potential attack of the nature described by Phenoelit to be medium to users who have not updated to LiveUpdate 1.6.
Symantec LiveUpdate 1.4 through 1.6
The LiveUpdate component is an essential piece of technology providing a method to deliver product and virus definition updates directly to the desktop, gateway or server. A group of technicians, phenoelit.de, have indicated potential problems with LiveUpdate 1.4 and to a lesser degree with LiveUpdate 1.6 that could potentially result in deployment of malware or remote penetration of systems or in a Distributed Denial of Service (DDoS) attack.
The Phenoelit group's advisory states: "When LiveUpdate 1.4 is started (either by hand or as a scheduled task), it looks for the server 'update.symantec.com'. An attacker can use one of several attacks to return false information to the querying host, such as:
- The attacker controls the DNS server and creates a master zone for symantec.com
- The attacker uses routing-based attacks to impersonate the DNS server
- The attacker uses DNS poisoning on the DNS server to return a false IP address
- The attacker uses layer 2 connection interception to impersonate the DNS server
- The attacker sends false DNS responses to the querying host
According to the Phenoelit group, when the host running LiveUpdate tries to connect to update.symantec.com via FTP, it is actually connecting to the FTP server of the attacker's choice. LiveUpdate will then try to download the necessary file(s). This archive contains the file which holds a complete list of all Symantec product updates. After LiveUpdate has received the file, it will compare the product versions to the versions of the Symantec products installed on the host and check the appropriate sequence numbers to see if an update is required. If an update is required, LiveUpdate will receive the file specified, uncompress it and perform the actions described in the file. This includes the execution of downloaded executables.
LiveUpdate 1.6 follows the same procedure described above with one exception. The actual downloaded update contains "cryptographic signatures" of all update files. This signature makes it virtually impossible to use LiveUpdate 1.6 as a penetration tool. However, by specifying a large file location on the Internet, a scheduled LiveUpdate session in a medium sized company will lead to network degradation and outages due to the large amount of traffic generated..."
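The difference between the 1.4 and 1.6 procedures described above comes down to whether the client verifies the update list before acting on it, and whether it bounds what it is willing to fetch. The following Go program is an added illustration, not Symantec's code: the catalog layout, the UpdateEntry type, the Ed25519 key pair and the MaxUpdateSize cap are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// UpdateEntry is one line of the update list; the layout is an assumption,
// not Symantec's real catalog format.
type UpdateEntry struct {
	Product  string
	Sequence int   // sequence number the catalog advertises
	Size     int64 // advertised size of the update archive in bytes
}
// MaxUpdateSize is a hypothetical ceiling on what the client will fetch; a cap
// like this is the simplest defence against the "large file location" DoS.
const MaxUpdateSize int64 = 50 << 20

// NeedsUpdate mirrors the sequence-number comparison the advisory describes.
func NeedsUpdate(installedSeq int, e UpdateEntry) bool {
	return e.Sequence > installedSeq
}
// VerifyCatalog accepts the update list only if it carries a valid signature from
// the pinned key. Skipping this is the 1.4 behaviour: whatever host the name resolves to is trusted.
func VerifyCatalog(pub ed25519.PublicKey, catalog, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("pinned key has wrong length")
	}
	if !ed25519.Verify(pub, catalog, sig) {
		return errors.New("catalog signature invalid; refusing to act on it")
	}
	return nil
}
// CheckSize rejects an entry whose advertised size exceeds the cap before any bytes move.
func CheckSize(e UpdateEntry) error {
	if e.Size > MaxUpdateSize {
		return fmt.Errorf("%s: advertised size %d exceeds cap %d", e.Product, e.Size, MaxUpdateSize)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)     // stands in for a key pinned in the client
	catalog := []byte("NAV seq=17 size=1048576") // constructed sample catalog
	sig := ed25519.Sign(priv, catalog)
	fmt.Println("genuine:", VerifyCatalog(pub, catalog, sig))
	fmt.Println("tampered:", VerifyCatalog(pub, []byte("NAV seq=99 size=1048576"), sig))
}
```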
The DNS attacks described by the Phenoelit group are not new or unique to this issue. They have been widely known to be an Internet infrastructure problem, not a Symantec product problem, for some time and have been utilized in many well-publicized DNS spoofing, redirection and cache poisoning attacks. Due in part to the identification of these attacks and the emphasis placed on their impact to the Internet infrastructure by resources such as the SANS Twenty Most Critical Internet Security Vulnerabilities list, the security of vulnerable Internet name servers is now being addressed in a more timely manner.
LiveUpdate 1.4 was first released four years ago and has been superseded by LiveUpdate 1.5 and, most recently, LiveUpdate 1.6, which implemented additional security features. Users of Symantec products have been able to upgrade to LiveUpdate 1.6.x as a product update since July 2000. Users who have not yet upgraded can find the latest version of Symantec LiveUpdate freely available from Symantec's Web site. All current releases of Symantec products ship with LiveUpdate 1.6.
Phenoelit's suggestion that users still using LiveUpdate 1.4 with Norton AntiVirus products are susceptible to misdirection attacks that could cause them to download and run malicious executables is a misunderstanding of Norton AntiVirus capabilities. While misdirection at some point in the Internet infrastructure is possible, any attempt to download malware and run unauthorized executables would be detected by Norton AntiVirus's AutoProtect feature and blocked from executing by Symantec's Script Blocking technology. Further, Symantec Security Response's 24-hour response would be able to rapidly create and disseminate signatures to detect and stop identified malicious activity.
Symantec's LiveUpdate 1.6 could potentially be temporarily affected by the DoS scenario depicted by the Phenoelit group; however, only a small percentage of a very large user base could potentially be impacted to any degree, as the spoofing or redirection would, by its very nature, be limited to a local Internet area/region.
Symantec is constantly working to improve the security of our technology and will be releasing a new version of LiveUpdate in the near future that will further ensure the integrity of the product against attempted attacks of this nature.
Symantec takes the security of their products very seriously and appreciates the support of the Phenoelit group in identifying potential areas of concern.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact firstname.lastname@example.org if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to email@example.com. The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.
Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org.
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and email@example.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Last modified on: Monday, 25-Oct-04 14:42:40