Security Vulnerability in Symantec Drive Encryption (PGP Whole Disk Encryption)

Article:TECH201455  |  Created: 2013-01-08  |  Updated: 2013-02-11  |  Article URL http://www.symantec.com/docs/TECH201455
Article Type
Technical Solution


Issue



Two buffer-overflow vulnerabilities were recently identified and fixed in the Symantec Drive Encryption kernel driver (the product formerly sold as PGP Whole Disk Encryption). Both are rated low severity; both require an attacker who is already logged in to the affected system.


Error



1. Zero-Buffer Vulnerability


This vulnerability is a buffer overflow in the Symantec Drive Encryption kernel driver (previously shipped as PGP Whole Disk Encryption). It is rated low severity because exploiting it requires authenticated local access to the system. It also affects only Microsoft Windows XP and Microsoft Windows Server 2003, because of how the Windows I/O Manager on those versions handles a DeviceIoControl() call whose output buffer is NULL and zero-sized. Systems running later versions of Windows (Windows Vista, Windows 7, or Windows Server 2008) are not affected by this issue.

Product versions affected

  • Symantec Drive Encryption: 10.3.0
  • PGP Whole Disk Encryption: 10.2.x, 10.1.x, 10.0.x

Reference

http://pastebin.com/pEBSjsmC

Risk to customers

This vulnerability might allow an attacker to run code with higher privilege; however, the attacker must already be logged in to Windows. The flaw is in the Symantec Drive Encryption kernel driver (PGPwded.sys), so code reached through it runs with the driver's kernel privileges.

The issue is limited to systems running Microsoft Windows XP and Microsoft Windows Server 2003. Even there, the exploit is difficult to trigger because it depends on the system first entering an error condition. Once in that condition, the flaw could allow a user with lower privileges to run arbitrary code with higher privileges.

If you are using Microsoft Windows Vista or later, this issue is less likely to be exploited because:

  • If the malicious code is a driver, it needs a valid digital signature to load and modify the system buffer (kernel-mode code signing is enforced on 64-bit editions of Windows Vista and later).
  • The Windows I/O Manager does not copy any data back to user memory when the output buffer passed to DeviceIoControl() was NULL and zero-sized.

These are mitigations, not a fix: the driver-side check is what the maintenance pack adds.

 

2. Integer Buffer Overflow Vulnerability


This vulnerability is a buffer overflow in the Symantec Drive Encryption kernel driver (previously shipped as PGP Whole Disk Encryption) that is reached through an integer overflow in a length calculation. It is also rated low severity because exploiting it requires authenticated local access to the system. Unlike the zero-buffer issue, it is present on all versions of Microsoft Windows, but an attacker still needs local access to a vulnerable computer to exploit it.

Product versions affected 

  • Symantec Drive Encryption: 10.3.0
  • PGP Whole Disk Encryption: 10.2.x, 10.1.x, 10.0.x

Reference

http://pastebin.com/XrwuTP9E, http://pastebin.com/W2VUMBJk

Risk to customers

This vulnerability might allow an attacker to run code with higher privilege; however, the attacker must already be logged in to Windows. The flaw is in the Symantec Drive Encryption kernel driver (PGPwded.sys).

If you are using Microsoft Windows Vista or later, this issue is less likely to be exploited because:

  • If the malicious code is a driver, it needs a valid digital signature to load and modify the system buffer (kernel-mode code signing is enforced on 64-bit editions of Windows Vista and later).

Note that, unlike the zero-buffer issue, the I/O Manager behaviour of Windows Vista and later does not remove this flaw; only the driver fix does.
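Both bug classes described above, shown as an added user-mode model in C. This is not code from PGPwded.sys or any Symantec product: the request layout (a record count and a record size), the handler names, the 64-byte buffer and the fill byte are hypothetical, and the status values are the standard NTSTATUS codes. The vulnerable handler has the shape the two descriptions imply (a write whose length comes from user-controlled arithmetic, with the output buffer length never consulted); the hardened one applies the checks a METHOD_BUFFERED dispatch routine needs: a non-NULL system buffer, an input length large enough for the request, overflow-safe size arithmetic, and a write (and reported Information) that never exceeds the caller's output length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-mode model of a METHOD_BUFFERED IOCTL handler. It is not
 * code from PGPwded.sys; it shows the two bug classes the advisory names
 * (writing without checking the output buffer, unchecked length arithmetic)
 * beside the checks a driver needs. Status values follow ntstatus.h; the
 * request format and record layout are hypothetical. */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_BUFFER_TOO_SMALL   0xC0000023u
#define STATUS_INTEGER_OVERFLOW   0xC0000095u

/* The parts of an IRP a METHOD_BUFFERED handler works with: one system
 * buffer shared by input and output, the caller's two lengths, and the byte
 * count the driver reports back through Irp->IoStatus.Information. */
typedef struct {
    uint8_t *system_buffer;  /* Irp->AssociatedIrp.SystemBuffer; NULL when both lengths are 0 */
    uint32_t input_length;   /* Parameters.DeviceIoControl.InputBufferLength  */
    uint32_t output_length;  /* Parameters.DeviceIoControl.OutputBufferLength */
    uint32_t information;    /* bytes the driver claims to have written       */
} ioctl_request_t;

/* Hypothetical request: "fill the output buffer with count records of
 * record_size bytes each". */
typedef struct {
    uint32_t count;
    uint32_t record_size;
} record_query_t;

#define RECORD_FILL 0x41u

/* Vulnerable shape. count * record_size wraps silently at 32 bits and
 * output_length is never consulted, so a NULL or zero-sized output buffer
 * (the "zero buffer" case) or a wrapped total becomes a kernel write beyond
 * the system buffer. Call it only with inputs that fit the buffer. */
uint32_t handle_query_vulnerable(ioctl_request_t *req) {
    const record_query_t *q = (const record_query_t *)req->system_buffer;
    uint32_t total = q->count * q->record_size;
    memset(req->system_buffer, RECORD_FILL, total);
    req->information = total;
    return STATUS_SUCCESS;
}

/* Overflow-safe length computation (the check RtlUInt32Mult from
 * ntintsafe.h performs in a real driver). */
uint32_t checked_total(uint32_t count, uint32_t record_size, uint32_t *total) {
    uint64_t wide = (uint64_t)count * record_size;
    if (wide > UINT32_MAX) return STATUS_INTEGER_OVERFLOW;
    *total = (uint32_t)wide;
    return STATUS_SUCCESS;
}

/* Hardened shape: every length is validated before the buffer is touched,
 * and Information never exceeds what the caller supplied, so the I/O
 * Manager's copy-back cannot overrun the user buffer on any Windows version. */
uint32_t handle_query_fixed(ioctl_request_t *req) {
    uint32_t total, st;
    req->information = 0;
    if (req->system_buffer == NULL) return STATUS_INVALID_PARAMETER;
    if (req->input_length < sizeof(record_query_t)) return STATUS_BUFFER_TOO_SMALL;
    const record_query_t *q = (const record_query_t *)req->system_buffer;
    st = checked_total(q->count, q->record_size, &total);
    if (st != STATUS_SUCCESS) return st;
    if (total == 0) return STATUS_INVALID_PARAMETER;
    if (total > req->output_length) return STATUS_BUFFER_TOO_SMALL; /* also rejects output_length == 0 */
    memset(req->system_buffer, RECORD_FILL, total);
    req->information = total;
    return STATUS_SUCCESS;
}

/* Builds a request over a caller-supplied buffer (constructed test input). */
ioctl_request_t make_request(uint8_t *buf, uint32_t in_len, uint32_t out_len,
                             uint32_t count, uint32_t record_size) {
    ioctl_request_t req = { buf, in_len, out_len, 0 };
    if (buf != NULL && in_len >= sizeof(record_query_t)) {
        record_query_t q = { count, record_size };
        memcpy(buf, &q, sizeof q);
    }
    return req;
}

int main(void) {
    uint8_t buf[64];
    ioctl_request_t req;
    uint32_t st;

    /* Zero-sized output buffer: the hardened handler refuses before writing. */
    req = make_request(buf, sizeof(record_query_t), 0, 4, 8);
    printf("zero output buffer: fixed -> 0x%08X\n", handle_query_fixed(&req));

    /* Wrapped length: 0x40000001 * 4 == 4 in 32 bits. The vulnerable handler
     * reports success after a 4-byte write for a ~4 GiB request; a handler
     * that then loops count times would run off the buffer. */
    req = make_request(buf, sizeof(record_query_t), sizeof buf, 0x40000001u, 4);
    st = handle_query_vulnerable(&req);
    printf("wrapped length: vulnerable -> 0x%08X, information=%u\n", st, req.information);
    req = make_request(buf, sizeof(record_query_t), sizeof buf, 0x40000001u, 4);
    printf("wrapped length: fixed -> 0x%08X\n", handle_query_fixed(&req));
    return 0;
}
```

The hardened handler rejects the zero-sized output buffer on every Windows version, so it does not depend on the I/O Manager behaviour that makes Windows Vista and later safer; that is the difference between the mitigations listed above and the fix shipped in the maintenance pack.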

 


Solution



The fix for both issues is included in the maintenance pack Symantec Drive Encryption 10.3.0 MP1. Upgrade affected installations (Symantec Drive Encryption 10.3.0 and PGP Whole Disk Encryption 10.0.x through 10.2.x) to 10.3.0 MP1 or later, and confirm after the upgrade that the installed product reports version 10.3.0 MP1.

Again, both of these vulnerabilities are considered low risk. However, product quality and responsiveness to customers are consistent hallmarks of Symantec Corporation. Any issue that could potentially affect the integrity of data in your environment, no matter how rare, is viewed as extremely serious.

 



