Stay Abreast
It's really time to upgrade your SAV version if you are using anything lower than MR8 (10.1.8.8000) along with Alert Management System (AMS2).
Symantec has coordinated the disclosure of the vulnerability and has declared that it has high impact as it allows remote and local access with no authentication required.
More information can be found here.
Also, the document says that any version of SEP at MR2 or earlier is vulnerable as well. I am not entirely sure what they mean by this since AMS is not a component of SEP.
Thank you Sandeep for sharing the information.
Ajit
Regards,
Ajit Jha
TechSupport Engineer
STS
use the document provided
You can refer to the document below for the best practices:
Installing and configuring Symantec Endpoint Protection 11.0 for the first time
http://service1.symantec.com/support/ent-security....
http://eval.symantec.com/flashdemos/products/endpo...
Thanks for the information!!! I will try to apply it in our system.
Isn't there another vulnerability?
Isn't there also another SAV/SCS vulnerability that has yet to be [fully] disclosed? I remember reading about it somewhere on these forums. I will try to find more info.
Thanks for calling attention to this Sandeep. More incentive for me to get our people off of 10.0.
This is the alert we use at the State of Iowa (Symantec has been very upfront and forthcoming with this) ->
Overview:
Multiple vulnerabilities have been identified within various Symantec security products which could allow a remote attacker to take complete control of an affected system without any user interaction. Symantec's suite of security products includes network devices and consumer software that are used by both enterprise and home level users.
It should be noted that exploit code is not publicly available for any of these vulnerabilities.
Affected Software:
• Symantec AntiVirus Corporate Edition 9.0 MR6 and earlier
• Symantec AntiVirus Corporate Edition 10.0
• Symantec AntiVirus Corporate Edition 10.1 MR7 and earlier
• Symantec AntiVirus Corporate Edition 10.2 MR1 and earlier
• Symantec Client Security 2.0 MR6 and earlier
• Symantec Client Security 3.0
• Symantec Client Security 3.1 MR7 and earlier
• Symantec Endpoint Protection 11.0 MR2 and earlier
• Norton 360 1.0
• Norton Internet Security 2005 through 2008
• Symantec Antivirus 10.1 MR7 and earlier
Description:
Four of the five vulnerabilities discovered in various Symantec security products could allow for remote code execution.
Four of these vulnerabilities affect Symantec Alert Management System 2 (AMS2). AMS2 is an optional component for a number of Symantec security products. This component listens for specific security related events on a computer network and sends notifications as specified by the administrator.
• The Intel LANDesk Common Base Agent (CBA) component of AMS2 is prone to a vulnerability that attackers can leverage to execute arbitrary commands. This issue occurs because the software fails to sufficiently sanitize user-supplied data submitted as a TCP packet on port 12174 before passing it as a parameter to a 'CreateProcessA()' function call.
• The Intel File Transfer service (XFR.EXE) component of the AMS2 Console is prone to a vulnerability that attackers can leverage to execute arbitrary code. An attacker able to establish a TCP connection to the affected process can exploit this issue to execute arbitrary code hosted on remote fileshares or WebDav (Web-based Distributed Authoring and Versioning) servers.
• The Intel Alert Originator Service component of AMS2 is prone to a stack-based buffer-overflow vulnerability. This issue affects the 'IAO.exe' process and is triggered when processing a malformed packet. By default, the vulnerable service listens on TCP port 38292.
• The Intel Alert Originator Service component of AMS2 is prone to multiple stack-based buffer-overflow vulnerabilities. Specifically, these issues occur because the 'IAO.exe' process fails to sufficiently validate data received from the 'MsgSys.exe' process. By default, the affected service listens on TCP port 38292.
Successfully exploiting any of these vulnerabilities in AMS2 may allow an attacker to gain SYSTEM privileges, which could allow the attacker to gain complete control over the affected system without any user interaction.
An additional vulnerability affects Symantec's Log Viewer application ('ccLgView.exe') which is prone to two parsing issues that attackers can trigger by sending a specially crafted email containing HTML and script code. These scripts could be executed via the 'View Logs - Email Filtering' option. An attacker could exploit the Symantec Log Viewer vulnerability by supplying HTML code that could run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks may also be possible.
Solution/Recommendations:
We recommend the following actions be taken:
• Apply appropriate patches provided by Symantec to vulnerable systems immediately after appropriate testing.
• Do not open email from unknown or un-trusted sources.
• Block un-trusted incoming traffic from the Internet at your network perimeter.
References:
Symantec:
• http://www.symantec.com/business/security_response...
• http://www.symantec.com/business/security_response...
Security Focus:
• http://www.securityfocus.com/bid/34669
• http://www.securityfocus.com/bid/34671
• http://www.securityfocus.com/bid/35672
• http://www.securityfocus.com/bid/34674
• http://www.securityfocus.com/bid/34675
CVE:
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-...
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-...
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-...
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-...
Personal sites -> http://theamcpages.com and http://antique-engines.com
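The alert above names the concrete artefacts a defender can look for on a host: the CBA listener on TCP 12174, the IAO listener on TCP 38292, and the AMS2 processes IAO.exe, MsgSys.exe and XFR.EXE, while the opening post names SAV 10.1 MR8 (10.1.8.8000) as the build to be on. The following read-only inventory script is an added example written for this thread; it is not from Symantec or from any poster. It assumes PowerShell 2.0 or later run in an elevated session on the host being checked, and it takes the installed SAV build as a parameter supplied by the administrator rather than reading it from the registry, because the thread gives no registry location.

```powershell
# Added example (not from this thread or from Symantec): read-only check of one
# host for AMS2 exposure, using only the ports, process names and fixed build
# stated in the alert and the opening post. Requires PowerShell 2.0 or later.
param(
    # Assumption: the admin supplies the build shown in the SAV console.
    [string]$InstalledVersion = "10.1.7.7000"
)

$Ams2Ports     = @(12174, 38292)             # CBA and IAO listeners per the alert
$Ams2Processes = @("IAO", "MsgSys", "XFR")   # Get-Process names omit the ".exe"
$MinimumFixed  = [version]"10.1.8.8000"      # SAV 10.1 MR8 per the opening post

function Get-ListeningAms2Ports {
    # Parse 'netstat -ano' rather than Get-NetTCPConnection so the check also
    # works on the XP/2003-era hosts that typically still ran SAV 10.x.
    $hits = @()
    foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port = [int]$Matches[2]
            if ($Ams2Ports -contains $port) {
                $hits += New-Object PSObject -Property @{
                    Port = $port; Address = $Matches[1]; OwnerPid = [int]$Matches[3]
                }
            }
        }
    }
    return $hits
}

function Get-RunningAms2Processes {
    # Process-name comparison is case-insensitive in PowerShell, so XFR.EXE
    # and xfr.exe both match.
    Get-Process | Where-Object { $Ams2Processes -contains $_.ProcessName }
}

function Test-SavBuildFixed([string]$Build) {
    # [version] accepts four-part builds such as 10.1.7.7000; a string that
    # does not parse is treated as unknown and therefore not proven fixed.
    try { return ([version]$Build) -ge $MinimumFixed } catch { return $false }
}

$ports = @(Get-ListeningAms2Ports)
$procs = @(Get-RunningAms2Processes)

"SAV build $InstalledVersion at or above $MinimumFixed : " + (Test-SavBuildFixed $InstalledVersion)
foreach ($p in $ports) { "AMS2 port listening: {0}:{1} (PID {2})" -f $p.Address, $p.Port, $p.OwnerPid }
foreach ($p in $procs) { "AMS2 process running: {0} (PID {1})" -f $p.ProcessName, $p.Id }
if ($ports.Count -eq 0 -and $procs.Count -eq 0) {
    "No AMS2 listeners or processes found on this host."
}
```

A host that reports a listener on 12174 or 38292, or a running IAO/MsgSys/XFR process, still has AMS2 installed and is the one to patch, disable or uninstall first; a build below 10.1.8.8000 with no AMS2 artefacts is still on the alert's affected-software list and should be upgraded on the normal schedule.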
Other vulnerabilities
Related to my previous post, here are two other vulnerabilities (info from Secunia) for older SAV/SCS products:
Symantec Log Viewer Script Insertion Vulnerabilities - SA34936
Symantec Products Reporting Server URL Handling Weakness - SA34935
ShadowsPapa already mentioned the Log Viewer one.
Little confusing
The vulnerability part is fine. That's understood. What I don't understand is that in what way did version MR2 and earlier use AMS?
Does anyone have a clue?
Hi Team,
For SAV10.X users, please also upgrade to at least SAV 10.1 MR6 build 6000 (10.1.6.6000) or later so that files created by the Reporting Server may not be accessible to an unauthorized user. Kindly check the link below.
http://www.symantec.com/avcenter/security/Content/2007.06.05a.html
Thanks,
Nel Ramos
IT-OCC
Thanks Nel, I will try to check it out!
>>What I don't understand is that in what way did version MR2 and earlier use AMS?<<
It didn't - I suspect it's the cclgview.exe that's involved in the case of SEP.
Unless there was some piece that handled the logs from legacy machines, since you could forward SAV logs to SEM.
I don't think anyone said SEP/SEM used AMS2............... I believe the vulnerability is listed for SEP in relationship to cclgview, the log viewer.
Personal sites -> http://theamcpages.com and http://antique-engines.com
Probably
Okay. Now I get it
This is what the article says
Mitigation
Reporting has replaced AMS2 as the recommended method of alerting. Symantec Endpoint Protection Central Quarantine Server 11.0 MR3 and later no longer include AMS2. Symantec recommends that customers who are still using AMS2 switch to Reporting to manage alerts in their environments. If the customer is unable to switch to Reporting immediately then Symantec recommends that the customer either disables AMS2 as a temporary mitigation or completely uninstall AMS2.
So I guess it's not SEPM MR2 and earlier but the SEP Central Quarantine Server in question.
Sounds about right.
I just wish I could get our quarantine server to submit samples.
I was never able to get it to work at PFG either, and it won't work here as well. Same errors, same issues.
I've never had a quarantine server setup that actually worked................
Personal sites -> http://theamcpages.com and http://antique-engines.com
Sounds logical!!! I will try it in our system!