Revision History None
Risk Impact High
Overview The version of Alert Management System 2 (AMS2) used by some versions of Symantec System Center, Symantec Antivirus Server, and Symantec AntiVirus Central Quarantine Server contains four vulnerabilities.
|Symantec AntiVirus Corporate Edition
||9.0 MR6 and earlier
||Update to SAV 9.0 MR7
|10.0 all versions
||Update to SAV 10.1 MR8
|10.1 MR7 and earlier
||Update to SAV 10.1 MR8
||10.2 MR1 and earlier
||Update to SAV 10.2 MR2
|Symantec Client Security
||2.0 MR6 and earlier
||Update to SCS 2.0 MR7
|3.0 all versions
||Update to SCS 3.1 MR8
|3.1 MR7 and earlier
||Update to SCS 3.1 MR8
|Symantec Endpoint Protection
||11.0 MR2 and earlier
||Update to SEP 11.0 MR3
: These vulnerabilities only impact the products indicated if the AMS2 component is installed. See the Symantec Response section for additional information.
|Norton product lines
|Altiris Management Service
Details Alert Management System 2 (AMS2) is a component of the Symantec System Center console, Symantec AntiVirus Server, and of the Symantec AntiVirus Central Quarantine Server.
AMS2 listens for specific security related events on a computer network, and sends notifications as specified by the administrator.
Four vulnerabilities in AMS2 components have been reported to Symantec.
1) Intel Common Base Agent Remote Command Execution Vulnerability The Intel LANDesk Common Base Agent (CBA) could allow a specially crafted packet sent to TCP Port 12174 to pass the packet contents as an argument to CreateProcessA(). The resulting command will be executed with SYSTEM privileges.
This vulnerability was discovered by Tenable Network Security, working through the Zero Day Initiative (ZDI).
2) Intel Alert Originator Service Stack Overflow Vulnerability The Intel Alert Originator Service (IAO.EXE) does not properly validate data sent to a stack buffer through a call to memcpy(). An attacker could use a specially crafted packet to overflow the stack, and execute code of their choice with SYSTEM rights.
This vulnerability was discovered by: Sebastian Apelt, working through the Zero Day Initiative (ZDI).
3) Intel Alert Originator Service Buffer Overflow Vulnerabilities Intel Alert Originator Service (IAO.EXE) does not properly validate data sent to it by the MsgSys.exe process. This could potentially lead to stack based buffer overflows during calls to strcpy() and memcpy(). An attacker could potentially leverage this to execute code of their choice with SYSTEM rights.
This vulnerability was discovered by Sebastian Apelt , working through the Zero Day Initiative (ZDI).
4) Alert Management System Console Arbitrary Program Execution Design Error Vulnerability The Intel File Transfer service (XFR.EXE) provides file transfer capabilities to AMS2. A design error in XFR.EXE could allow an attacker to execute code of their choice with SYSTEM privileges on a vulnerable system. If an attacker is able to establish a TCP session with a vulnerable host, the issue could be exploited by placing arbitrary code on a fileshare or WebDav server, and then sending the UNC path to XFR.EXE. The code would then be executed on the vulnerable system.
This issue was reported by an anonymous finder, working through IDefense
Symantec Response Symantec engineers verified that these vulnerabilities affect the products listed in the Affected Products table, above. Updates have been released to address these issues.
Symantec System Center Impact
Symantec System Center (SSS) is a Microsoft Management Console (MMC) plug-in which allows an administrator to manage all Symantec AntiVirus platforms from a single, centralized location. Alert Management System 2 (AMS2) is an alerting feature of System Center that listens for specific events and sends notifications as specified by the administrator.
AMS2 is installed by default with Symantec System Center 9.0. AMS2 is an optional component in Symantec System Center 10.0 or 10.1. These vulnerabilities will only impact systems if AMS has been installed.
Symantec AntiVirus Server Impact
AMS2 is installed by default with Symantec AntiVirus Server 9.0. AMS2 is an optional component in Symantec AntiVirus Server 10.0 or 10.1. These vulnerabilities will only impact systems if AMS has been installed.
Symantec AntiVirus and Symantec Endpoint Protection Central Quarantine Server Impact
AMS2 is installed by default by Central Quarantine Server. These vulnerabilities will only impact systems if Quarantine Server has been installed.
Symantec is not aware of any customers impacted by these issues, or of any attempts to exploit them. However, we recommend that any affected customers update their product immediately to protect against potential attempts to exploit these issues.
Certain localized language versions of SCS 2.0/SAV 9.x were not patched due to compatibility issues on the localized platforms. As a result, customers who are running the following versions are strongly recommended to update to a non-vulnerable SCS 2.0/SAV 9 International English version or upgrade to a non-vulnerable version of SEP 11.x:
Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Korean)
Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Japanese licensed)
Mitigation Reporting has replaced AMS2 as the recommended method of alerting. Symantec Endpoint Protection Central Quarantine Server 11.0 MR3 and later no longer include AMS2. Symantec recommends that customers who are still using AMS2 switch to Reporting to manage alerts in their environments. If the customer is unable to switch to Reporting immediately then Symantec recommends that the customer either disables AMS2 as a temporary mitigation or completely uninstall AMS2.
As a part of normal best practices, users should:
- Restrict access to computer systems to trusted users only.
- Keep all operating systems and applications updated with the latest vendor patches.
- Follow a multi-layered approach to security. Run both firewall and antivirus software to provide multiple points of protection from inbound and outbound threats.
- Run under the principle of least privilege.
These issues are candidates for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org
), which standardizes names for security problems. CVE has assigned CVE identifiers to these issues. These issues are also included in the SecurityFocus (http://www.securityfocus.com
) BID database.
The following CVE and BID identifiers have been assigned to these issues:
Intel Common Base Agent Remote Command Execution Vulnerability
Intel Alert Originator Service Stack Overflow Vulnerability
Intel Alert Originator Service Buffer Overflow Vulnerabilities
Alert Management System Console Arbitrary Program Execution Design Error Vulnerability
REPORTING VULNERABILITIES TO SYMANTEC
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines
Symantec Corporation firmly believes in a proactive approach to secure software development and implements security review into various stages of the software development process. Additionally, Symantec is committed to the security of its products and services as well as to its customers’ data. Symantec is committed to continually improving its software security process.
This document provides an overview of the current Secure Development Lifecycle (SDLC)
practice applicable to Symantec’s product and service teams as well as other software security related activities and policies used by such teams. This document is intended as a summary and does not represent a comprehensive list of security testing and practices conducted by Symantec in the software development process.
Please contact firstname.lastname@example.org
if you believe you have discovered a security issue in a Symantec product. A member of the Symantec Software Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to email@example.com
The Symantec Software Security PGP key can be found at the following location:
COPYRIGHT (C) BY SYMANTEC CORP.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Software Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org