
Security Advisories Relating to Symantec Products - Multi-Vendor Autonomy Verity Keyview Filter Multiple Issues

SYM11-013

October 6, 2011

Revision History
None

Severity

Medium to High (based on the CVSS2 scoring below)

High

CVSS V2 9.33 (for SMSMSE and SMSDOM, which run the Autonomy Verity Keyview Filter in-process or out-of-process with application-level privileges)

Impact: 10  Exploitability: 8.588

CVSS V2 Vector AV:N/AC:M/Au:N/C:C/I:C/A:C

Medium

CVSS V2 4.3 (for SBG/SMG and DLP, which run the Autonomy Verity Keyview Filter out-of-process with least privileges)

Impact: 2.862  Exploitability: 8.588

CVSS V2 Vector AV:N/AC:M/Au:N/C:N/I:N/A:P
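The two scores above can be reproduced from their vectors. The following is an added worked example and is not part of the advisory: it implements the base-score equations and metric weights published in the CVSS v2 specification, and labels the result with the NVD severity bands for v2 (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0), which likewise come from those public documents rather than from this page. The difference between the two vectors is entirely in the C/I/A metrics, which is exactly the effect of running the filter out-of-process with least privilege.

```python
"""CVSS v2 base-score check for the two vectors quoted in this advisory.

Added worked example, not part of the advisory; it implements the base
equations from the CVSS v2 guide.
"""

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}   # shared by C, I and A


def parse_vector(vector):
    """Split 'AV:N/AC:M/Au:N/C:C/I:C/A:C' into a metric -> value dict.

    Stray spaces (e.g. 'AV: N/AC: M/...') are removed first; a vector that
    lacks any of the six base metrics is rejected rather than scored.
    """
    metrics = {}
    for item in vector.replace(" ", "").split("/"):
        key, sep, value = item.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {item!r}")
        metrics[key] = value
    missing = [k for k in ("AV", "AC", "Au", "C", "I", "A") if k not in metrics]
    if missing:
        raise ValueError(f"vector lacks base metrics: {missing}")
    return metrics


def cvss2_base(vector):
    """Return (impact, exploitability, base) as unrounded floats."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT_WEIGHT[m["C"]])
                          * (1 - IMPACT_WEIGHT[m["I"]])
                          * (1 - IMPACT_WEIGHT[m["A"]]))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                         * ACCESS_COMPLEXITY[m["AC"]]
                         * AUTHENTICATION[m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176   # zero impact forces a base score of 0
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return impact, exploitability, base


def severity_band(base):
    """NVD's qualitative bands for CVSS v2 base scores."""
    if base >= 7.0:
        return "High"
    if base >= 4.0:
        return "Medium"
    return "Low"


# The two vectors quoted in the Severity section of the advisory.
ADVISORY_VECTORS = {
    "SMSMSE / SMSDOM (in-process or application privileges)": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
    "SBG/SMG and DLP (out-of-process, least privilege)": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
}

if __name__ == "__main__":
    for label, vector in ADVISORY_VECTORS.items():
        impact, expl, base = cvss2_base(vector)
        print(f"{label}: impact={impact:.3f} exploitability={expl:.3f} "
              f"base={base:.2f} ({severity_band(round(base, 1))})")
```

The advisory quotes the base scores to two decimals (9.33 and 4.3); the specification itself rounds to one decimal, which gives 9.3 and 4.3, so the qualitative bands are unaffected either way.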

Overview
Multiple sources have identified several security issues in Autonomy’s Verity Keyview Content Filter libraries.  Symantec has updated the Keyview modules being shipped with Symantec products to address these issues.

Affected Products

Product                                                            | Version          | Build | Solution(s)
Symantec Mail Security for Microsoft Exchange (SMSMSE)             | 6.x              | All   | SMSMSE 6.5.6 or SMSMSE 6.0.13 (see mitigation workarounds below to disable content filtering as an interim)
Symantec Mail Security for Domino (SMSDOM)                         | 8.x              | All   | SMSDOM 8.0.9 (see mitigation workarounds below to disable content filtering as an interim)
Symantec Mail Security for Domino                                  | 7.5.x            | All   | SMSDOM 7.5.12 (see mitigation workarounds below to disable content filtering as an interim)
Symantec Brightmail and Messaging Gateway (SBG/SMG)                | 9.5 and earlier  | All   | Symantec Messaging Gateway 9.5.1
Symantec Data Loss Prevention (DLP) Enforce/Detection Servers for Windows | 10.x and earlier | All | Symantec DLP 11.1.1 for Windows
Symantec Data Loss Prevention Enforce/Detection Servers for Linux  | 10.x and earlier | All   | Symantec DLP 11.1.1 for Linux
Symantec Data Loss Prevention Endpoint Agents                      | 10.x and earlier | All   | Symantec DLP 11.1.1 Agent
Symantec Data Loss Prevention Enforce/Detection Servers for Windows | 11.x            | All   | Symantec DLP 11.1.1 for Windows
Symantec Data Loss Prevention Enforce/Detection Servers for Linux  | 11.x             | All   | Symantec DLP 11.1.1 for Linux
Symantec Data Loss Prevention Endpoint Agents                      | 11.x             | All   | Symantec DLP 11.1.1 Agent


NOTE:  Disabling content filtering as described in the mitigation section below does NOT interfere with the primary functionality of Symantec’s products, e.g., anti-virus or anti-spam.

Details
Symantec was notified of multiple security issues, including possible denial-of-service process crashes and potential code execution vulnerabilities, in several of the file parsing libraries of the Autonomy Verity Keyview Filter shipped with the Symantec products identified above. These vulnerabilities can potentially be targeted during the content filtering process run against maliciously formatted incoming files.

Depending on the product doing the processing, the result of an exploitation attempt ranges from no impact, to a crash of the child process with negligible impact, to an application crash or, in specific instances, a potential compromise of the application with its elevated privileges.

Symantec Response
Symantec product engineers worked closely with Autonomy to obtain and provide updates to address all issues.

Symantec Mail Security for Microsoft Exchange runs the Verity Filter as part of the application process. A successful exploitation attempt could potentially result in a denial of service application crash or possibly a privilege compromise in the context of the application. 

Symantec Mail Security for Domino runs the Verity Filter out-of-process by default preventing attack attempts from crashing the application.  However, the process runs in the context of the application which could potentially allow a possible privileged application compromise from a successful exploit attempt.  

Customers running Symantec Mail Security for Microsoft Exchange or Symantec Mail Security for Domino should update to the non-vulnerable versions identified above or disable content filtering by following the mitigation workarounds described below until updates can be obtained and deployed.

In the Symantec BrightMail/Messaging Gateway and Symantec Data Loss Prevention products, the Autonomy Verity KeyView content filtering process has been separated from the Symantec applications (out-of-process) and runs with least privilege. This out-of-process method specifically addresses these types of security concerns.

An attempt to exploit these issues results in termination of the offending filter process and an error message that is returned to and handled by the specific application(s). Nevertheless, updated, non-vulnerable versions of the Verity Filter have been made available to customers. Customers may still disable content filtering through the temporary mitigation workarounds described below until updates can be obtained and deployed.

Symantec knows of no exploitation of or adverse customer impact from these issues.

Update Information

Updates will be available through customers’ normal support/download locations.


SMS for Domino and Microsoft Exchange updates will be available through the Platinum Support Web Site for Platinum customers or through the FileConnect Electronic Software Distribution web site.

Symantec DLP updates will be available for download through secure file exchange.

Workaround/Mitigations

Temporary Workaround to disable content filtering in Symantec Mail Security for Microsoft Exchange
Installations of SMS for Microsoft Exchange that do not utilize the Content Filtering capabilities of the product are not susceptible. SMS for Microsoft Exchange would be susceptible only if the attachment content scanning option is enabled.

As an interim workaround, administrators may fully disable content filtering rules that contain parameters specifying scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for SMS for Microsoft Exchange:

  • Select the "Policies" tab and then choose "Content Filtering" to display the list of currently enabled rules
  • Ensure that all rules using attachment content are "disabled"

Or, instead of disabling content filtering altogether, the administrator can rename only the affected readers until updates can be installed:

  • Go to the Verity bin folder of the product installation, e.g. SMSMSE -> Verity -> bin
  • Locate the affected binary, e.g. lzhsr.dll
  • Rename the binary, e.g. lzhsr_disabled.dll.
  • Content filtering will now NOT be performed for those attachments previously read by the affected reader(s).

Temporary Workaround to disable content filtering in Symantec Mail Security for Domino
Installations of SMS for Domino that do not utilize the Content Filtering capabilities of the product are not susceptible to this issue. SMS for Domino would be susceptible only if the attachment content scanning option is enabled.

As an interim workaround, administrators may disable content filtering rules that contain parameters specifying scanning of attachment content. The rules do not need to be deleted, only disabled until an updated release is installed.

To disable content filtering rules for Symantec Mail Security for Domino:

  • Select the "Content Filtering" tab to display the list of current enabled rules
  • Click on the checkmark to the left of any rules that utilize attachment content filtering, changing it to a red "X" disabling the rule

Or, instead of disabling content filtering altogether, the administrator can rename only the affected readers until updates can be installed:

  • Go to the Verity bin folder of the product installation, e.g. SMSDOM -> Server -> Verity -> bin
  • Locate the affected binary, e.g. lzhsr.dll
  • Rename the binary, e.g. lzhsr_disabled.dll.
  • Content filtering will now NOT be performed for those attachments previously read by the affected reader(s).
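The rename steps above are the same for SMS for Microsoft Exchange and SMS for Domino, and they lend themselves to a small, reversible script so that every affected reader is handled the same way and can be put back once the fixed release is installed. The following is an added example, not Symantec's or Autonomy's tooling. It assumes the reader module names from the "File Type / KV component" column of the CVE table at the end of this advisory, and assumes that each of those readers ships as `<name>.dll` in the Verity bin folder; the advisory itself names only lzhsr.dll explicitly, so confirm the file names in your own installation before relying on the list. The `demo()` function exercises the script against a constructed scratch directory of placeholder files rather than a real installation.

```python
"""The advisory's interim workaround, scripted: disable individual KeyView
reader modules by renaming them in the product's Verity bin folder, and undo
the rename once the updated release is installed.

Added example; this is not Symantec's or Autonomy's tooling.
"""
from pathlib import Path
import tempfile

# Reader module names from the "File Type / KV component" column of the
# advisory's CVE table. Only lzhsr.dll is named as a file in the advisory;
# the ".dll" file name for the other readers is an assumption based on the
# component name, so check the bin folder before relying on this list.
AFFECTED_READERS = ("xsslr", "lzhsr", "rtfsr", "assr", "kvarcve", "jtdsr")
DISABLED_SUFFIX = "_disabled"   # lzhsr.dll -> lzhsr_disabled.dll, as in the advisory


def disable_readers(bin_dir, readers=AFFECTED_READERS, dry_run=False):
    """Rename each affected reader DLL present in bin_dir.

    Returns {original name: new name or None}; None marks a reader that was
    not found, so the operator can see exactly what was (or was not) changed.
    Refuses to overwrite an existing *_disabled.dll rather than clobber it.
    """
    bin_dir = Path(bin_dir)
    if not bin_dir.is_dir():
        raise NotADirectoryError(f"{bin_dir} is not a directory")
    outcome = {}
    for name in readers:
        src = bin_dir / f"{name}.dll"
        dst = bin_dir / f"{name}{DISABLED_SUFFIX}.dll"
        if not src.is_file():
            outcome[src.name] = None
            continue
        if dst.exists():
            raise FileExistsError(f"{dst} already exists; refusing to overwrite")
        if not dry_run:
            src.rename(dst)
        outcome[src.name] = dst.name
    return outcome


def restore_readers(bin_dir, readers=AFFECTED_READERS):
    """Reverse disable_readers() after the updated release is installed."""
    bin_dir = Path(bin_dir)
    outcome = {}
    for name in readers:
        src = bin_dir / f"{name}{DISABLED_SUFFIX}.dll"
        dst = bin_dir / f"{name}.dll"
        if not src.is_file():
            outcome[src.name] = None
            continue
        if dst.exists():
            # The update may already have installed a fresh reader; leave it alone.
            raise FileExistsError(f"{dst} already exists; not restoring {src.name}")
        src.rename(dst)
        outcome[src.name] = dst.name
    return outcome


def demo():
    """Run the workaround against a constructed scratch folder (not a real
    installation) holding placeholder files, and return what happened."""
    with tempfile.TemporaryDirectory() as scratch:
        bin_dir = Path(scratch)
        # Constructed placeholders: two affected readers and one unrelated file.
        for fname in ("lzhsr.dll", "xsslr.dll", "other_reader.dll"):
            (bin_dir / fname).write_bytes(b"placeholder")
        disabled = disable_readers(bin_dir)
        after_disable = sorted(p.name for p in bin_dir.iterdir())
        restored = restore_readers(bin_dir)
        after_restore = sorted(p.name for p in bin_dir.iterdir())
    return disabled, after_disable, restored, after_restore


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Run `disable_readers(path, dry_run=True)` first to see which of the listed readers are actually present in a given installation. As the advisory notes, attachments previously handled by a renamed reader are no longer content-filtered at all, so the script is an interim measure until the updated release is installed, after which `restore_readers` puts the original names back.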

Temporary Workaround to disable content filtering in Symantec Brightmail Gateway or Symantec Messaging Gateway
Risk from these issues is limited to installations of Symantec Brightmail or Symantec Messaging Gateway in which the attachment content scanning option is enabled. Installations that do not utilize the Content Filtering capabilities of the product are not affected by these issues.

As an interim workaround, administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for either Symantec Brightmail Gateway or Symantec Messaging Gateway:

  • Log into the management console and navigate to the SMTP Scanning Settings screen
  • Disable the item "Enable searching of non-plain text attachments for words in dictionaries", by deselecting the checkbox, and saving
  • Disable any Compliance policies with a condition:
    • "If any part of the message matches" (or "does not match") a regular expression, pattern or Record Resource.
    • "If text in Attachment content part of the message . . . "

Best Practices
As part of normal best practices, Symantec strongly recommends:

  • Restrict access to administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Run under the principle of least privilege where possible to limit the impact of exploit by threats.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

Credit
Will Dormann and Jared Allar with CERT/CC identified multiple issues in the Autonomy Keyview module.  Additional issues in the Autonomy Keyview module were identified by Secunia Research, Binaryhouse.net working through iDefense Labs and Core Technologies.


Reference
BID: Security Focus, http://www.securityfocus.com, has assigned Bugtraq IDs (BIDs) to these issues for inclusion in the Security Focus vulnerability database. BIDs have been assigned as indicated below.
CVE: These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE IDs as indicated below.

CVE ID Assigned | File Type / KV component        | Credited To                                   | BID
CVE-2011-1512   | Excel Doc/xsslr                 | CoreLabs Research                             | BID 48017
CVE-2011-1213   | Excel Doc/xsslr                 | CoreLabs Research                             | BID 48018
CVE-2011-1214   | LZH Archive/lzhsr               | Binaryhouse.net working through iDefense Labs | BID 48019
CVE-2011-1215   | RTF attach/rtfsr                | Binaryhouse.net working through iDefense Labs | BID 48020
CVE-2011-1216   | Applix Spreadsheet/assr         | Binaryhouse.net working through iDefense Labs | BID 48021
CVE-2011-1218   | Zip File Viewer/kvarcve         | Binaryhouse.net working through iDefense Labs | BID 48016
CVE-2011-0337   | Ichitaro Speed Reader doc/jtdsr | Secunia Research                              | BID 49898
CVE-2011-0338   | Ichitaro Speed Reader doc/jtdsr | Secunia Research                              | BID 49899
CVE-2011-0339   | Ichitaro Speed Reader doc/jtdsr | Secunia Research                              | BID 49900
(none listed)   | Multiple File Types             | CERT.org                                      | (none listed)


Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines.
Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A member of the Symantec Product Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the location below.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

Copyright (c) by Symantec Corp.

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Product Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Product Security, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
* Signature names may have been updated to comply with an updated IPS Signature naming convention. See http://www.symantec.com/business/support/index?page=content&id=TECH152794&key=54619&actp=LIST for more information.
Last modified on: October 6, 2011