WelcomeEnterpriseSmall BusinessHome & Home OfficePartnersAbout Symantec
SYM07-019
July 11, 2007
Symantec AntiVirus Malformed RAR and CAB Compression Type Bypass

Revision History
Removed invalid CVE information
Added missing product information
Updated Symantec AntiVirus Corporate addition version information
Added information and link to new update tool for Symantec AntiVirus and Symantec Client Security
Updated Symantec Gateway Security version and update information

Risk Impact
High

Remote AccessYes
Local AccessNo
Authentication RequiredNo
Exploit publicly availableNo

Overview
Two vulnerabilities have been identified in the Symantec Decomposer component used to decompose some types of archive content while scanning for malicious content.

Affected Enterprise Products
ProductVersionBuildsUpdate To
Symantec Mail Security 8200 All 5.0.0.24
Symantec Mail Security for Microsoft Exchange 4.6.7 and earlier All 4.6.8.120
5.0.4.and earlier All 5.0.5 and higher
6.0.0 All 6.0.1 or later
Symantec Mail Security for Domino NT 4.1.5 and earlier All 4.1.9.37
5.1.2.28 and earlier All 5.1.4.32
Symantec AntiVirus/Filtering for Domino MPE(AIX, Linux, Solaris) 3.0.12 and earlier All 3.2.2.27 †
Symantec Scan Engine 5.0.1 and earlier All 5.1.4.24
Symantec AntiVirus Scan Engine 4.1.8 and earlier All 4.3.18.43
4.3.12 and earlier All 4.3.17 or later
Symantec AntiVirus Scan Engine for MS ISA 4.3.12 and earlier All 4.3.17 or later
Symantec AntiVirus Scan Engine for MS Sharepoint 4.3.12 and earlier All 4.3.17 or later
Symantec AntiVirus Scan Engine for Messaging 4.3.12 and earlier All 4.3.17 or later
Symantec AntiVirus for Network Attached Storage 4.3.12 and earlier All 4.3.17 or later
Symantec AntiVirus Scan Engine for Clearswift 4.3.12 and earlier All 4.3.17 or later
Symantec AntiVirus Scan Engine for Caching 4.3.12 and earlier All 4.3.17 or later
Symantec Client Security ††† 3.X All SCS 3.1 MR5 MP1 (build 3.1.5.5010)††
2.X All SCS 2.0 MR6-MP1 (build 2.0.6.1100)††
1.X All
Symantec Web Security 3.0.1.76 and earlier All 3.0.1.85
Symantec Gateway Security 1600 Series 3.0.1 All Update F Apply Hotfix SGS1600-3.0.1-enga2007080100
Symantec Gateway Security 5000 Series 3.0.1 All Update F Apply Hotfix SGS5000-3.0.1-enga2007080100
Symantec Gateway Security 5400 Series 2.0.1 All Upgrade to 3.0.1 F Apply SGS5000-3.0.1-enga2007080100
Symantec Brightmail AntiSpam 6.0.x All 6.05
5.5 All
4.x All
Symantec AntiVirus Corporate Edition ††† 10.X All SAV 10.1 MR5 MP1 (build 10.1.5.5010)††
9.X All SAV 9.0 MR6-MP1 (build 9.0.6.1100) ††
8.X All
Symantec AntiVirus for Macintosh 10.X All Update to any definition after 10/1/2006
Symantec Web Security for Microsoft ISA 2004 5.0 All 5.0.3
Symantec Mail Security for SMTP 5.0.0 Solaris All Patch 175
5.0.0 Linux All Patch 175
5.0.0 Windows All Patch 176
5.0.1 All Patch 181
4.1.15 and earlier All 4.1.16

† Symantec AntiVirus/Filtering for Domino MPE is no longer supported. Customers are encouraged to upgrade to Symantec Mail Security for Domino MPE

†† Customers using the SAV CE Linux client should upgrade to version 1.0.2-75. This build is available by downloading the latest SAV CE 10.X or SCS 3.X build from FileConnect.

†††Symantec has released a tool that will update the decomposer engine in Symantec AntiVirus Corporate Edition and Symantec Client Security

For more information and to download the tool, please read the following document:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007071111591448

Affected Consumer Products
ProductVersionBuildsUpdate To
Norton AntiVirus 2006 All Run LiveUpdate in Interactive Mode
2005 All Run LiveUpdate in Interactive Mode
2004 All Run LiveUpdate in Interactive Mode
Norton Internet Security 2006 All Run LiveUpdate in Interactive Mode
2005.5 AntiSpyware Edition All Run LiveUpdate in Interactive Mode
2005 All Run LiveUpdate in Interactive Mode
2004 All Run LiveUpdate in Interactive Mode
Norton SystemWorks 2006 All Run LiveUpdate in Interactive Mode
2005 All Run LiveUpdate in Interactive Mode
2004 All Run LiveUpdate in Interactive Mode
Norton Personal Firewall 2006 All Run LiveUpdate in Interactive Mode
Norton AntiVirus for Macintosh 10.X All Update to any definition after 10/1/2006
9.X All
Norton Internet Security for Macintosh 3.X All Update to any definition after 10/1/2006
Norton SystemWorks for Macintosh 3.X All Update to any definition after 10/1/2006

Products Not Affected:
ProductVersionBuilds
Symantec AntiVirus for HandHelds - Corporate Edition All All
Symantec AntiVirus for Handhelds All All
Symantec Client Security for Nokia All All
Symantec Enterprise Firewall 8.0 All
Symantec Clientless VPN Gateway 4400 Series 5.0 All
Symantec Firewall / VPN Appliance 100/200 All
Symantec Gateway Security 300/400 Series 2.0 All
Norton AntiVirus for Macintosh 7.X All
Norton AntiVirus for Macintosh 8.X All
Norton Internet Security for Macintosh 2.X All
Norton SystemWorks for Macintosh 2.X All
Norton360 All All
Symantec AntiVirus Corporate Edition 10.2 All
Norton AntiVirus 2007 All
Norton Internet Security 2007 All
Norton System works 2007 All

Details
The first vulnerability is related to the decomposition of RAR files. Modifying the RAR file header in a specific way, causes the decomposer to enter an infinite loop causing a Denial of Service.

The second vulnerability is related to the decomposition of CAB files. The Symantec Decomposer fails to perform proper bounds checks when copying from the CAB archive. This may result in the possibility of arbitary code execution on the vulnerable system.

NOTE:

  1. Only currently supported Symantec Products will be updated. Customers using unsupported versions are encouraged to upgrade to a supported version.

Symantec response
Symantec engineers have verified and corrected these issues in all currently supported products. Updates are available for supported products. Symantec recommends customers apply the latest product update available for their supported product versions to enhance their security posture and protect against potential security threats of this nature.

Product updates will be available from the Symantec support site: http://www.symantec.com/techsupp/ or via LiveUpdate when available.

Symantec Norton product users who regularly launch and run LiveUpdate should already have received an updated (non-vulnerable) version of (product/component). However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in Interactive mode as follows:

  • Open any installed Norton product
  • Click on LiveUpdate in the GUI

To perform a manual update using Symantec LiveUpdate, users should:

  • Open any installed Symantec product
  • Click on LiveUpdate in the toolbar
  • Run LiveUpdate until all available Symantec product updates are downloaded and installed
To date, Symantec is not aware of any exploits for these issues.

Best Practices
As part of normal best practices, Symantec strongly recommends:

  • Restrict access to administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Run under the principle of least privilege where possible to limit the impact of exploit by threats such as this.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities

CVE
This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE-2007-3699 for the RAR issue and CVE-2007-0447 for the CAB file issue.

Credit
Symantec would like to thank 3COM, and the Zero Day Initiative for reporting these issues and providing full coordination while Symantec resolved them.


Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

Symantec-Product-Vulnerability-Response Symantec Vulnerability Response Policy Symantec Product Vulnerability Management PGP Key Symantec Product Vulnerability Management PGP Key


Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Initial Post on: Wednesday, 11-Jul-07 7:00:00
Last modified on: Thursday, 23-Aug-07 23:13:09