1. /
  2. Security Response/
  3. Security Updates Detail

Security Advisories Relating to Symantec Products - Symantec Alert Management System 2 multiple vulnerabilities

SYM09-007

April 28, 2009

Revision History

None

Risk Impact

High
Remote AccessYes
Local AccessYes
Authentication RequiredNo
Exploit availableNo

Overview

The version of Alert Management System 2 (AMS2) used by some versions of Symantec System Center, Symantec Antivirus Server, and Symantec AntiVirus Central Quarantine Server contains four vulnerabilities.

Affected Products

Product Version Solution
Symantec AntiVirus Corporate Edition 9.0 MR6 and earlier Update to SAV 9.0 MR7
10.0 all versions Update to SAV 10.1 MR8
10.1 MR7 and earlier Update to SAV 10.1 MR8
  10.2 MR1 and earlier Update to SAV 10.2 MR2
Symantec Client Security 2.0 MR6 and earlier Update to SCS 2.0 MR7
3.0 all versions Update to SCS 3.1 MR8
3.1 MR7 and earlier Update to SCS 3.1 MR8
Symantec Endpoint Protection 11.0 MR2 and earlier Update to SEP 11.0 MR3

Note: These vulnerabilities only impact the products indicated if the AMS2 component is installed. See the Symantec Response section for additional information.

Unaffected Products

Product Version
Norton product lines All
Altiris Management Service All

Details

Alert Management System 2 (AMS2) is a component of the Symantec System Center console, Symantec AntiVirus Server, and of the Symantec AntiVirus Central Quarantine Server.
AMS2 listens for specific security related events on a computer network, and sends notifications as specified by the administrator.

Four vulnerabilities in AMS2 components have been reported to Symantec.

1) Intel Common Base Agent Remote Command Execution Vulnerability

The Intel LANDesk Common Base Agent (CBA) could allow a specially crafted packet sent to TCP Port 12174 to pass the packet contents as an argument to CreateProcessA(). The resulting command will be executed with SYSTEM privileges.

This vulnerability was discovered by Tenable Network Security, working through the Zero Day Initiative (ZDI).

2) Intel Alert Originator Service Stack Overflow Vulnerability

The Intel Alert Originator Service (IAO.EXE) does not properly validate data sent to a stack buffer through a call to memcpy(). An attacker could use a specially crafted packet to overflow the stack, and execute code of their choice with SYSTEM rights.

This vulnerability was discovered by: Sebastian Apelt, working through the Zero Day Initiative (ZDI).

3) Intel Alert Originator Service Buffer Overflow Vulnerabilities

Intel Alert Originator Service (IAO.EXE) does not properly validate data sent to it by the MsgSys.exe process. This could potentially lead to stack based buffer overflows during calls to strcpy() and memcpy(). An attacker could potentially leverage this to execute code of their choice with SYSTEM rights.

This vulnerability was discovered by Sebastian Apelt , working through the Zero Day Initiative (ZDI).

4) Alert Management System Console Arbitrary Program Execution Design Error Vulnerability

The Intel File Transfer service (XFR.EXE) provides file transfer capabilities to AMS2. A design error in XFR.EXE could allow an attacker to execute code of their choice with SYSTEM privileges on a vulnerable system. If an attacker is able to establish a TCP session with a vulnerable host, the issue could be exploited by placing arbitrary code on a fileshare or WebDav server, and then sending the UNC path to XFR.EXE. The code would then be executed on the vulnerable system.

This issue was reported by an anonymous finder, working through IDefense

Symantec Response

Symantec engineers verified that these vulnerabilities affect the products listed in the Affected Products table, above. Updates have been released to address these issues.

Symantec System Center Impact

Symantec System Center (SSS) is a Microsoft Management Console (MMC) plug-in which allows an administrator to manage all Symantec AntiVirus platforms from a single, centralized location. Alert Management System 2 (AMS2) is an alerting feature of System Center that listens for specific events and sends notifications as specified by the administrator.

AMS2 is installed by default with Symantec System Center 9.0. AMS2 is an optional component in Symantec System Center 10.0 or 10.1. These vulnerabilities will only impact systems if AMS has been installed.

Symantec AntiVirus Server Impact

AMS2 is installed by default with Symantec AntiVirus Server 9.0. AMS2 is an optional component in Symantec AntiVirus Server 10.0 or 10.1. These vulnerabilities will only impact systems if AMS has been installed.

Symantec AntiVirus and Symantec Endpoint Protection Central Quarantine Server Impact

AMS2 is installed by default by Central Quarantine Server. These vulnerabilities will only impact systems if Quarantine Server has been installed.

Symantec is not aware of any customers impacted by these issues, or of any attempts to exploit them. However, we recommend that any affected customers update their product immediately to protect against potential attempts to exploit these issues.

Certain localized language versions of SCS 2.0/SAV 9.x were not patched due to compatibility issues on the localized platforms. As a result, customers who are running the following versions are strongly recommended to update to a non-vulnerable SCS 2.0/SAV 9 International English version or upgrade to a non-vulnerable version of SEP 11.x:

Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Korean)
Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Japanese licensed)

Mitigation

Reporting has replaced AMS2 as the recommended method of alerting. Symantec Endpoint Protection Central Quarantine Server 11.0 MR3 and later no longer include AMS2. Symantec recommends that customers who are still using AMS2 switch to Reporting to manage alerts in their environments. If the customer is unable to switch to Reporting immediately then Symantec recommends that the customer either disables AMS2 as a temporary mitigation or completely uninstall AMS2.

Best Practices

As a part of normal best practices, users should:
  • Restrict access to computer systems to trusted users only.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and antivirus software to provide multiple points of protection from inbound and outbound threats.
  • Run under the principle of least privilege.

Credit

Symantec thanks the following people and organizations for reporting these issues, and coordinating with us on the resolution:

Zero Day Initiative (www.zerodayinitiative.com); Tenable Network Security (www.tenablesecurity.com/); Sebastian Apelt (webmaster@buzzworld.org); iDefense (http://labs.idefense.com/), and an anonymous finder.

References

These issues are candidates for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. CVE has assigned CVE identifiers to these issues. These issues are also included in the SecurityFocus (http://www.securityfocus.com) BID database.

The following CVE and BID identifiers have been assigned to these issues:

Intel Common Base Agent Remote Command Execution Vulnerability
CVE CVE-2009-1429
BID 34671


Intel Alert Originator Service Stack Overflow Vulnerability
CVE CVE-2009-1430
BID 34672


Intel Alert Originator Service Buffer Overflow Vulnerabilities
CVE CVE-2009-1430
BID 34674


Alert Management System Console Arbitrary Program Execution Design Error Vulnerability
CVE CVE-2009-1431
BID 34675
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines.
Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A member of the Symantec Product Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the location below.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

Copyright (c) by Symantec Corp.

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Product Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Product Security, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
* Signature names may have been updated to comply with an updated IPS Signature naming convention. See http://www.symantec.com/business/support/index?page=content&id=TECH152794&key=54619&actp=LIST for more information.
Last modified on: April 28, 2009
Security Response Blog
The State of Spam