22 January, 2002
Firewall log file permissions and file sharing parameters allow unauthorized log file access and modification

Nomad Mobile Research Centre (NMRC) Advisory, Subj: OpenFile Win32 API Log Overwriting/Rewriting

Risk Impact:
The exposure of the log files to potential modification does not in any way affect the security of the product. File modification merely provides a potential way for an intruder to attempt to disguise their illegal activities.

Symantec Norton Internet Security 200x
Symantec Norton Internet Security 200x Family Edition
Symantec Norton Internet Security Professional 2002
Symantec Norton Personal Firewall 200x
Symantec Desktop Firewall 2.0x

Symantec Corporation has been made aware of and is preparing an update to current Norton Internet Security, Norton Personal Firewall and Symantec Desktop Firewall products that corrects a potential exposure of the firewall logs to unauthorized modification. There is a potential issue with the file sharing parameters and default installation permissions that could result in these log files being modified or altered in a way that could affect the integrity of the logs and potentially be used in an attempt to hide unauthorized activity on the system.

Symantec was notified by NMRC of file-sharing parameter issues in the way our desktop firewall applications open log files. This could permit an unauthorized user on the system to modify or delete the firewall logs in certain Symantec personal and Internet Security firewall products. The firewall log files are opened with the FILE_SHARE_READ and FILE_SHARE_WRITE share-access parameters. The issue is that another application, using the appropriate Win32 API call, could re-open the firewall log files and overwrite the firewall log entries even while the firewall application is running. Although the application's dialog tabs will still show the proper alert entries while the application is running, once the firewall service is stopped and restarted, the log entries reflect what was overwritten.
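As an added illustration (not code from Symantec or NMRC), this PowerShell snippet contrasts the two share modes on a constructed temporary file: the log is held open for append the way a logging service would hold it, and a second write-open is attempted. FileShare.ReadWrite corresponds to the Win32 FILE_SHARE_READ | FILE_SHARE_WRITE mode the advisory describes, FileShare.Read to the hardened FILE_SHARE_READ-only mode; the file name and function name are this example's own.

```powershell
# Added example, not Symantec's or NMRC's code. Holds a constructed stand-in
# log file open and checks whether a second write handle can be obtained.
$log = Join-Path $env:TEMP 'constructed-firewall.log'   # stand-in path, not a product path
Set-Content -Path $log -Value 'constructed sample log entry'

function Test-SecondWriter {
    param([System.IO.FileShare]$HolderShare)
    # The "service" keeps the log open for append with the given share mode.
    $holder = [System.IO.File]::Open($log, [System.IO.FileMode]::Append,
                                     [System.IO.FileAccess]::Write, $HolderShare)
    try {
        # A second handle (what another process would request) asks for write access.
        # Nothing is written; only the outcome of the open attempt is reported.
        try {
            $second = [System.IO.File]::Open($log, [System.IO.FileMode]::Open,
                                             [System.IO.FileAccess]::Write,
                                             [System.IO.FileShare]::ReadWrite)
            $second.Dispose()
            return "$HolderShare : second writer allowed (log can be rewritten)"
        } catch [System.IO.IOException] {
            return "$HolderShare : sharing violation, second writer refused"
        }
    } finally {
        $holder.Dispose()
    }
}

# Weak mode from the advisory first, then the hardened mode. Because neither
# includes FileShare.Delete, the held file also cannot be deleted while open.
Test-SecondWriter -HolderShare ([System.IO.FileShare]::ReadWrite)
Test-SecondWriter -HolderShare ([System.IO.FileShare]::Read)
Remove-Item -Path $log
```

The share mode only protects the log while the service holds the handle; once the service is stopped, file permissions are the remaining control, which is the second half of the advisory.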
Additionally, the default install permissions grant Everyone full control. This default permission could allow a non-privileged user who lacks permission on the Service Control Manager database to stop services to nonetheless open the log files, using calls with the same file-sharing parameters, and modify them to remove alerts or any indication of attempted attacks against the targeted system. Once the firewall service is stopped and restarted, the log files would reflect the modified entries.
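The default-permission half of the issue can be audited and corrected with an ACL check. The following PowerShell is an added example, not Symantec's own tooling; the $LogDir path is a placeholder because the advisory does not state the log location, and the function names are this example's own.

```powershell
# Added example, not Symantec's code: audits a log directory for the
# "Everyone: Full Control" default the advisory describes and replaces it with
# a least-privilege ACL. $LogDir is a placeholder; the real path is not given here.
function Test-EveryoneFullControl {
    param([string]$Path)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Compare by well-known SID (S-1-1-0 = Everyone) so localized names do not matter.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq 'S-1-1-0' -and $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $full) -eq $full)) {
            return $true
        }
    }
    return $false
}

function Protect-LogDirectory {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Stop inheriting parent ACEs (drop them rather than copy them), then purge Everyone.
    $acl.SetAccessRuleProtection($true, $false)
    $acl.PurgeAccessRules((New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')))
    # SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) keep full control; Users
    # (S-1-5-32-545) get read-only so a log viewer still works but cannot rewrite logs.
    $grants = @{ 'S-1-5-18' = 'FullControl'; 'S-1-5-32-544' = 'FullControl'; 'S-1-5-32-545' = 'ReadAndExecute' }
    foreach ($sidString in $grants.Keys) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $sid, $grants[$sidString], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

$LogDir = 'C:\PLACEHOLDER\FirewallLogs'   # placeholder: substitute the product's log directory
if (Test-EveryoneFullControl -Path $LogDir) {
    Protect-LogDirectory -Path $LogDir
}
Test-EveryoneFullControl -Path $LogDir    # should now report False
```

The audit matches only ACEs whose rights include the mapped FullControl mask; inherit-only ACEs expressed as generic rights (such as the raw value 268435456) are not covered and would need an extra check.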

Symantec Response:
Symantec's Desktop Firewall, Norton Internet Security System and Norton Personal Firewall provide intrusion protection, firewall rules, and application control to protect individual PCs and small networked systems from online threats. The sensitive information logged to the firewall log files is an important part of properly maintaining the security of the system and providing information on inbound and outbound system activity. Symantec is constantly working to upgrade the security of our products and is currently testing an update to further secure the firewall logs from any unauthorized access and modification. This security update will be available via LiveUpdate.
Securing a user's computer from real and potential attacks by Internet threats takes a multi-tiered approach. Symantec's firewall solutions together with a leading antivirus solution such as Norton AntiVirus are complementary products and together form a comprehensive solution to online threats such as viruses and hackers. Additionally, Symantec recommends the following Best Practices to enhance the protection of your systems against unauthorized access.

  1. Ensure there are strong, unique passwords established for each account on the system.
  2. If the system's firmware allows the setting of a password when the system is turned on, known as a BIOS or EEPROM password, enable and set the BIOS password (ensure it is unique from the account password).
  3. Control physical access to the system to prevent unauthorized individuals from gaining easy access to the system.
  4. Users should always practice safe computing to minimize their exposure to security risks.
  5. Users should keep their patch levels for all software up-to-date and be leery of mysterious attachments/executables coming from email, user groups, etc. Users should err on the side of caution by denying access to unexpected communication attempts, not opening attachments or executables from sources they don't know, and scanning all attachments with an up-to-date anti-virus product before opening, even if the sender is known.

Symantec takes the security of their products very seriously and appreciates the coordination of NMRC in identifying and providing technical details of potential areas of concern so we can quickly address the issue.

Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

Symantec Vulnerability Response Policy (PDF)
Symantec Product Vulnerability Management PGP Key (PGP)

Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Last modified on: Monday, 25-Oct-04 14:43:58