
Security Advisories Relating to Symantec Products - Symantec Updates HP Autonomy Keyview Filter Issues Affecting Multiple Vendors

SYM12-018

November 20, 2012



Revisions

 

11/21/2012 Clarified SMSMSE and SMSDOM affected products

Severity

Medium to High (based on the CVSS2 scoring below)

High
CVSS V2 9.33 (for SMSMSE and SMSDOM, running the Autonomy Verity Keyview Filter in-process or out-of-process with application-level privileges.)

Impact: 10 Exploitability: 8.588

CVSS V2 Vector AV:N/AC:M/Au:N/C:C/I:C/A:C

Medium

CVSS V2 4.3 (for SBG/SMG and DLP, running the Autonomy Verity Keyview Filter out-of-process with least privileges.)

Impact: 2.862 Exploitability: 8.588

CVSS V2 Vector AV:N/AC:M/Au:N/C:N/I:N/A:P

Overview
Multiple security issues have been identified in HP Autonomy's Keyview Content Filter libraries.  Symantec has updated the Keyview modules being shipped with Symantec products in response to these issues.

Affected Products

| Product | Version | Build | Solution(s) |
|---|---|---|---|
| Symantec Mail Security for Microsoft Exchange (SMSMSE) | 6.5.7 and earlier | All | SMSMSE 6.5.8 (see mitigation workarounds below to disable content filtering as an interim); Upgrade to SMSMSE 7.0 (When Available) |
| Symantec Mail Security for Domino (SMSDOM) | 8.1.0 and earlier | All | SMSDOM 8.1.1 (see mitigation workarounds below to disable content filtering as an interim) |
| Symantec Messaging Gateway (SMG) | 9.5.x | All | Symantec Messaging Gateway 10.0.1 |
| Symantec Data Loss Prevention (DLP) Enforce/Detection Servers for Windows | 11.x | All | Symantec DLP 11.6.1 for Windows |
| Symantec Data Loss Prevention Enforce/Detection Servers for Linux | 11.x | All | Symantec DLP 11.6.1 for Linux |
| Symantec Data Loss Prevention Endpoint Agents | 11.x | All | Symantec DLP 11.6.1 Agent |

 

NOTE:  Disabling content filtering as described in the mitigation section below does NOT interfere with the primary functionality of Symantec's products, e.g., anti-virus or anti-spam.

Details

Symantec was notified of multiple security issues, including possible denial-of-service process crashes and potential code execution vulnerabilities, in several of the file parsing libraries in HP's Autonomy Verity Keyview Filter shipped with the Symantec products identified above. These vulnerabilities can potentially be targeted when the content filtering process is run against maliciously formatted incoming files.

 Attempted exploitation results, depending on the product involved in the processing, range from no impact to a crash of the child process with negligible impact, an application crash or, in specific instances, potential elevated privilege application compromise.

Symantec Response

 Symantec product engineers worked closely with HP's Autonomy Support to obtain and provide updates to address all issues.

Symantec Mail Security for Microsoft Exchange runs the Autonomy Keyview Filter as part of the application process. A successful exploitation attempt could potentially result in a denial of service application crash or possibly a privilege compromise in the context of the application. 

Symantec Mail Security for Domino runs the Autonomy Keyview Filter out-of-process by default, which prevents attack attempts from crashing the application. However, the process runs in the context of the application, so a successful exploit attempt could potentially result in a privileged application compromise.

Customers running Symantec Mail Security for Microsoft Exchange or Symantec Mail Security for Domino should update to the non-vulnerable versions identified above or disable content filtering by following the mitigation workarounds described below until updates can be obtained and deployed.

In the Symantec Messaging Gateway and Symantec Data Loss Prevention products, the Autonomy Keyview content filtering process has been separated from the Symantec applications (out-of-process) and runs with least privilege. This out-of-process method specifically addresses these types of security concerns.

Any attempt to exploit these issues results in process termination of the offending thread and an error message generated to and handled by the specific application(s). However, non-vulnerable versions of the Verity Filter have been updated and made available to customers. Customers may still disable content filtering through the temporary mitigation workarounds described below until updates can be obtained and deployed.
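
The out-of-process pattern described above can be sketched as follows. This is an added example, not Symantec or Keyview code: the filter is a constructed stand-in that aborts on input starting with `BAD!`, and the code assumes a POSIX host. A production deployment would also run the child under a dedicated low-privilege account.

```python
import resource
import subprocess
import sys

# Constructed stand-in for a third-party file filter: it crashes (abort) on
# input starting with b"BAD!" and otherwise returns the text upper-cased.
FILTER_SRC = r"""
import os, sys
data = sys.stdin.buffer.read()
if data.startswith(b"BAD!"):
    os.abort()
sys.stdout.write(data.decode("latin-1").upper())
"""

def _child_limits():
    # Runs in the child before exec: suppress core dumps and cap CPU time.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    _, hard = resource.getrlimit(resource.RLIMIT_CPU)
    cap = 2 if hard == resource.RLIM_INFINITY else min(2, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (cap, hard))

def filter_out_of_process(blob, timeout=5):
    """Return (text, error). A filter crash never propagates to the caller."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", FILTER_SRC],
            input=blob, capture_output=True, timeout=timeout,
            preexec_fn=_child_limits,
        )
    except subprocess.TimeoutExpired:
        return None, "filter timed out"
    if proc.returncode != 0:
        return None, f"filter exited abnormally (code {proc.returncode})"
    return proc.stdout.decode("latin-1"), None

def scan_message(attachments):
    """Scanner loop: a failed attachment is recorded as unscanned, not fatal."""
    results = []
    for name, blob in attachments:
        text, err = filter_out_of_process(blob)
        results.append((name, "unscanned: " + err if err else "scanned: " + text))
    return results

if __name__ == "__main__":
    # Constructed sample attachments; the second one triggers the crash.
    for row in scan_message([("a.txt", b"ok"), ("b.doc", b"BAD!\x00"), ("c.txt", b"fine")]):
        print(row)
```

The crash of the child is reported to the scanner as an error for that one attachment, and the remaining attachments are still processed.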

Symantec knows of no exploitation of or adverse customer impact from these issues.

Update Information

Updates will be available through customers' normal support/download locations.


SMS for Domino and Microsoft Exchange updates will be available through the Platinum Support Web Site for Platinum customers or through the FileConnect - Electronic Software Distribution web site.

Symantec DLP updates will be available for download through secure file exchange.

Workaround/Mitigations

Temporary Workaround to disable content filtering in Symantec Mail Security for Microsoft Exchange
Installations of SMS for Microsoft Exchange that do not utilize the Content Filtering capabilities of the product are not susceptible. SMS for Microsoft Exchange would be susceptible only if the attachment content scanning option is enabled.

As an interim workaround, administrators may fully disable content filtering rules that contain parameters specifying scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for SMS for Microsoft Exchange:

  • Select the "Policies" tab and then choose "Content Filtering" to display the list of currently enabled rules
  • Ensure that all rules using attachment content are "disabled"

Or, instead of disabling content filtering altogether, the administrator can rename only the affected readers until updates can be installed:

  • Go to the Verity bin folder of the product installation, e.g. SMSMSE -> Verity -> bin
  • Locate the affected binary, e.g. vsd.dll
  • Rename the binary, e.g. vsd_disabled.dll.
  • Content filtering will now NOT be performed for those attachments previously read by the affected reader(s).

 

Temporary Workaround to disable content filtering in Symantec Mail Security for Domino

Installations of SMS for Domino that do not utilize the Content Filtering capabilities of the product are not susceptible to this issue. SMS for Domino would be susceptible only if the attachment content scanning option is enabled.

As an interim workaround, administrators may disable content filtering rules that contain parameters specifying scanning of attachment content. The rules do not need to be deleted, only disabled until an updated release is installed.

To disable content filtering rules for Symantec Mail Security for Domino:

  • Select the "Content Filtering" tab to display the list of currently enabled rules
  • Click on the checkmark to the left of any rules that utilize attachment content filtering, changing it to a red "X" and disabling the rule

Or, instead of disabling content filtering altogether, the administrator can rename only the affected readers until updates can be installed:

  • Go to the Verity bin folder of the product installation, e.g. SMSDOM -> Server -> Verity -> bin
  • Locate the affected binary, e.g. vsd.dll
  • Rename the binary, e.g. vsd_disabled.dll.
  • Content filtering will now NOT be performed for those attachments previously read by the affected reader(s).

 

Temporary Workaround to disable content filtering in Symantec Messaging Gateway
Risk from these issues is limited on installations of Symantec Messaging Gateway in which the attachment content scanning option is enabled. However, installations that do not utilize the Content Filtering capabilities of the product are not impacted by these issues.

As an interim workaround, administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for Symantec Messaging Gateway:

  • Log into the management console and navigate to the SMTP Scanning Settings screen
  • Disable the item "Enable searching of non-plain text attachments for words in dictionaries" by deselecting the checkbox and saving
  • Disable any Compliance policies with a condition:
    1. "If any part of the message matches" (or "does not match") a regular expression, pattern or Record Resource.
    2. "If text in Attachment content part of the message . . . "

 

Best Practices

As part of normal best practices, Symantec strongly recommends:

  • Restrict access to administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Run under the principle of least privilege where possible to limit the impact of exploit by threats.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

Credit
Will Dormann with CERT/CC for identifying and reporting these issues in HP's Autonomy Keyview content filter. 

Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines.
Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A member of the Symantec Product Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the location below.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

Copyright (c) by Symantec Corp.

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Product Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Product Security, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Last modified on: November 20, 2012