
Security Advisories Relating to Symantec Products - Symantec Decomposer Engine Multiple Parsing Vulnerabilities

SYM16-010

June 28, 2016

Revisions


7/15/2016
  • Additional updates to affected products table for SEP SBE

6/29/2016
  • Protection signatures added to Symantec Response section
  • Changes to the affected products tables



Severity (CVSS v2 and CVSS v3)

RAR decompression memory access violation - High
  CVSS v2: 7.8  AV:N/AC:L/Au:N/C:N/I:N/A:C
  CVSS v3: 7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Dec2SS buffer overflow - High
  CVSS v2: 9.0  AV:N/AC:L/Au:N/C:P/I:P/A:C
  CVSS v3: 8.6  AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Dec2LHA buffer overflow - High
  CVSS v2: 9.0  AV:N/AC:L/Au:N/C:P/I:P/A:C
  CVSS v3: 8.6  AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CAB decompression memory corruption - High
  CVSS v2: 7.8  AV:N/AC:L/Au:N/C:N/I:N/A:C
  CVSS v3: 7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

MIME message modification memory corruption - High
  CVSS v2: 7.8  AV:N/AC:L/Au:N/C:N/I:N/A:C
  CVSS v3: 7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

TNEF integer overflow - Low
  CVSS v2: 0.0  AV:N/AC:L/Au:N/C:N/I:N/A:N
  CVSS v3: none given

ZIP decompression memory access violation - High
  CVSS v2: 7.8  AV:N/AC:L/Au:N/C:N/I:N/A:C
  CVSS v3: 7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H



Overview


Symantec is aware of buffer overflow and memory corruption findings in the AntiVirus Decomposer engine used in various configurations by multiple Symantec products.


FAQ on Impact to Symantec Products:
https://support.symantec.com/en_US/article.INFO3807.html


Affected Enterprise Products

Advanced Threat Protection (ATP)
  Version:  2.0.3 and prior
  Solution: Updated via definition updates

Symantec Data Center Security:Server (SDCS:S)
  Version:  6.0, 6.0MP1, 6.5, 6.5MP1, 6.6, 6.6MP1
  Solution: Updated via definition updates

Symantec Web Security .Cloud
  Solution: Updated via hosted software update; no customer action required

Email Security Server .Cloud (ESS)
  Solution: Updated via hosted software update; no customer action required

Symantec Web Gateway
  Solution: Updated via definition updates

Symantec Endpoint Protection (SEP)
  Version:  12.1.6 MP4 and prior
  Solution: Update to SEP 12.1 RU6 MP5
            https://support.symantec.com/en_US/article.TECH103088.html

Symantec Endpoint Protection for Mac (SEP for Mac)
  Version:  12.1.6 MP4 and prior
  Solution: Updated via definition updates

Symantec Endpoint Protection for Linux (SEP for Linux)
  Version:  12.1.6 MP4 and prior
  Solution: Update to SEP for Linux 12.1 RU6 MP5
            https://support.symantec.com/en_US/article.TECH103088.html

Symantec Endpoint Protection Small Business Edition (SEP SBE) Desktop and Laptop (Hosted)
  Version:  Cloud Agent 2.03.71.2618 and prior; Protection Agent NIS-22.5.4 and prior
  Solution: Cloud Agent 3.00.00.2701; Protection Agent: automatic software update to NIS-22.6.4 available (follow the instructions in the referenced support article)

SEP SBE for Server
  Version:  Cloud Agent 2.03.71.2618 and prior; Protection Agent SEP-12.1.4013.4013 and prior
  Solution: Cloud Agent 3.00.00.2701; Protection Agent: software update to SEP-12.1.7004.6500 available (follow the instructions in the referenced support article to complete the update)

SEP SBE for Mac
  Version:  Protection updates prior to July 13, 2016
  Solution: Updated via definition updates dated July 13, 2016 or later

Symantec Endpoint Protection Small Business Edition 12.1 (On-Premises), End of Life product
  Version:  12.1.5 and prior
  Solution: Follow the instructions in the referenced support article

Symantec Protection Engine (SPE)
  Version:  7.0.5 and prior
  Solution: Update to SPE 7.0.5 HF01
            For details see https://support.symantec.com/en_US/article.INFO3791.html
  Version:  7.5.4 and prior
  Solution: SPE 7.5.4 (AWS platform) should update to SPE 7.5.4 HF01; SPE 7.5.3 and prior should update to SPE 7.5.3 HF03
            For details see https://support.symantec.com/en_US/article.INFO3791.html
  Version:  7.8.0
  Solution: Update to SPE 7.8.0 HF01
            For details see https://support.symantec.com/en_US/article.INFO3791.html

Symantec Protection for SharePoint Servers (SPSS)
  Version:  6.0.3 to 6.0.5
  Solution: Update to hotfix SPSS_6.0.3_To_6.0.5_HF_1.5
            For details see https://support.symantec.com/en_US/article.INFO3795.html
  Version:  6.0.6 and prior
  Solution: Update to hotfix SPSS_6.0.6_HF_1.6
            For details see https://support.symantec.com/en_US/article.INFO3795.html

Symantec Mail Security for Microsoft Exchange (SMSMSE)
  Version:  6.5.8
  Solution: Update to hotfix SMSMSE_6.5.8_3968140_HF1.3
            For details see https://support.symantec.com/en_US/article.INFO3794.html
  Version:  7.0.4 and prior
  Solution: Update to hotfix SMSMSE_7.0_3966002_HF1.1
            For details see https://support.symantec.com/en_US/article.INFO3794.html
  Version:  7.5.4 and prior
  Solution: Update to hotfix SMSMSE_7.5_3966008_VHF1.2
            For details see https://support.symantec.com/en_US/article.INFO3794.html

Symantec Mail Security for Domino (SMSDOM)
  Version:  8.0.9 and prior
  Solution: Update to hotfix SMSDOM_8.0.9_HF1.1
            For details see https://support.symantec.com/en_US/article.INFO3793.html
  Version:  8.1.3 and prior
  Solution: Update to hotfix SMSDOM_8.1.3_HF1.2
            For details see https://support.symantec.com/en_US/article.INFO3793.html

CSAPI
  Version:  10.0.4 and prior
  Solution: Update to CSAPI 10.0.4 HF01

Symantec Message Gateway (SMG)
  Version:  SMG 10.6.1-3 and prior
  Solution: Update to SMG 10.6.1-4

Symantec Message Gateway for Service Providers (SMG-SP)
  Version:  10.6
  Solution: SMG-SP 10.6, patch 253
  Version:  10.5
  Solution: SMG-SP 10.5, patch 254



Affected Norton Products

Norton Product Family (Norton AntiVirus, Norton Security, Norton Security with Backup, Norton Internet Security, Norton 360)
  Version:  All prior to NGC 22.7
  Solution: Updated through LiveUpdate™

Norton Security for Mac
  Version:  All prior to 13.0.2
  Solution: Updated through LiveUpdate™

Norton Power Eraser (NPE)
  Version:  All prior to 5.1
  Solution: Updated through LiveUpdate™

Norton Bootable Removal Tool (NBRT)
  Version:  All prior to 2016.1
  Solution: New release available for download



Details


Parsing of maliciously formatted container files may cause memory corruption, integer overflow or buffer overflow in Symantec's Decomposer engine. Successful exploitation of these vulnerabilities typically results in an application-level denial of service but could result in arbitrary code execution. An attacker could potentially run arbitrary code by sending a specially crafted file to a user; because the Decomposer runs as part of scanning, the file only has to be scanned, not opened by the user, which is reflected in the UI:N component of the CVSS v3 vectors above.


In the TNEF unpacker, the integer overflow does not result in any detrimental action because of how the surrounding code uses the value. It was nevertheless an exposure caused by improper implementation that could potentially be leveraged further by a malicious individual at some point, so it was also addressed in the engine update.
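The two paragraphs above name the defect class (integer overflow leading to out-of-bounds memory access in a container parser) without showing it. The C block below is an added illustration, not Symantec's Decomposer code and not any real archive format: a constructed tag/length record stream, a bounds check written the way that produces the overflow (`pos + len` wraps in 32-bit arithmetic, so a length near 2^32 passes), the hardened check beside it, and a walker that uses the hardened check. The record layout, the function names and both sample streams are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed record format for this example (not a real Symantec container):
 *   uint32 LE tag | uint32 LE len | len bytes of payload, repeated to end of buffer.
 */
#define REC_HDR 8u

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable bounds check: pos + len is evaluated in 32-bit unsigned arithmetic,
 * so a length close to 2^32 wraps past 'total' and is accepted. Returns 1 if the
 * record is (wrongly) considered in bounds. Kept as a pure function here so the
 * example never drives a copy with the bad length. */
int check_record_naive(uint32_t pos, uint32_t len, uint32_t total) {
    uint32_t end = (uint32_t)(pos + len);   /* wraps on overflow */
    return end <= total;
}

/* Hardened bounds check: compare len against the bytes that remain, so no addition
 * can overflow. Returns 1 if the record fits. */
int check_record_safe(uint32_t pos, uint32_t len, uint32_t total) {
    if (pos > total) return 0;
    return len <= total - pos;
}

/* Walk a record stream using the hardened check. Stores up to max_tags tags.
 * Returns the number of records, or -1 if any header or payload does not fit. */
int walk_records(const uint8_t *buf, size_t buf_len, uint32_t *tags, size_t max_tags) {
    if (buf_len > UINT32_MAX) return -1;
    uint32_t total = (uint32_t)buf_len, pos = 0;
    int n = 0;
    while (pos < total) {
        if (!check_record_safe(pos, REC_HDR, total)) return -1;   /* header fits? */
        uint32_t tag = rd32le(buf + pos);
        uint32_t len = rd32le(buf + pos + 4);
        pos += REC_HDR;
        if (!check_record_safe(pos, len, total)) return -1;       /* payload fits? */
        if ((size_t)n < max_tags) tags[n] = tag;
        n++;
        pos += len;
    }
    return n;
}

/* Constructed well-formed stream: tag 1 with 2 payload bytes, tag 2 with none. */
static const uint8_t GOOD_STREAM[] = {
    1,0,0,0,  2,0,0,0,  'A','B',
    2,0,0,0,  0,0,0,0
};

/* Constructed malicious stream: one record declaring len 0xFFFFFFF8. With pos = 8
 * and total = 16, the naive check computes 8 + 0xFFFFFFF8 == 0 (mod 2^32), which is
 * <= 16, and would let a copy run far past the 8 payload bytes actually present. */
static const uint8_t BAD_STREAM[] = {
    1,0,0,0,  0xF8,0xFF,0xFF,0xFF,  'A','B','C','D','E','F','G','H'
};

int demo_good_stream(void) {
    uint32_t tags[4];
    return walk_records(GOOD_STREAM, sizeof GOOD_STREAM, tags, 4);
}

int demo_bad_stream(void) {
    uint32_t tags[4];
    return walk_records(BAD_STREAM, sizeof BAD_STREAM, tags, 4);
}

int main(void) {
    printf("naive check on malicious length: %s\n",
           check_record_naive(8, 0xFFFFFFF8u, 16) ? "ACCEPTED (bug)" : "rejected");
    printf("safe check on malicious length:  %s\n",
           check_record_safe(8, 0xFFFFFFF8u, 16) ? "accepted" : "rejected");
    printf("walk good stream: %d records\n", demo_good_stream());
    printf("walk bad stream:  %d\n", demo_bad_stream());
    return 0;
}
```

In a real unpacker the length accepted by the naive check is handed to an allocation or a memcpy, and that is where the out-of-bounds access happens; the hardened walker rejects the stream before any copy. The TNEF paragraph describes the other possible outcome of the same kind of wrap: the overflowed value exists, but the surrounding code never uses it in a way that corrupts memory, which is why it was scored Low while still being fixed.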


Symantec Response
Symantec has verified these issues and addressed them in product updates as identified in the solution column of the affected products tables above. We have also added checks to our Secure Development Lifecycle to mitigate similar issues in the future.


Symantec is not aware of these vulnerabilities being exploited in the wild.


To fully mitigate the identified vulnerabilities, Symantec recommends applying the required patches to the affected products as soon as possible. This is the only means to ensure that installed products cannot be exploited. Symantec has released the following list of AV signatures in an effort to block/detect attempts at exploitation.

Vulnerability                                  Signature          LiveUpdate rev.
RAR decompression memory access violation      EXP.CVE-2016-2207  20160628.037
Dec2SS buffer overflow                         EXP.CVE-2016-2209  20160628.037
Dec2LHA buffer overflow                        EXP.CVE-2016-2210  20160628.037
CAB decompression memory corruption            EXP.CVE-2016-2211  20160628.037
MIME message modification memory corruption    EXP.CVE-2016-3644  20160628.037
TNEF integer overflow                          EXP.CVE-2016-3645  20160628.037
ZIP decompression memory access violation      EXP.CVE-2016-3646  20160628.037


Update Information
All Norton products have been updated through LiveUpdate™. Customers of Symantec Enterprise products should check the table below to determine which products have been updated automatically and which require product updates.


Identifying Product Update:

Advanced Threat Protection (ATP)
  For an appliance whose role is Network Scanner, ensure the latest definition updates are applied:
  Log in to the ATP web UI > Setting > Appliance > choose the appliance with the 'Scanner' role, and confirm that
  1) the 'SCANNING' field shows 'Enabled'
  2) the 'AV ENGINE' field shows a definition revision number of 20160628.037 or greater

Symantec Web Security (SWS)
  Ensure the latest definition updates are applied

Symantec Data Center Security:Server (SDCS:S)
  Ensure the latest definition updates are applied

Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection for Linux (SEP for Linux)
  All platforms: Help -> About will show the MP5 release version, which will be at least 12.1.7004.6500

Symantec Endpoint Protection for Mac (SEP for Mac)
  Apply definitions dated June 28th, 2016 rev. 37 or later.
  https://support.symantec.com/en_US/article.TECH235207.html

Symantec Protection Engine (SPE)
  Support will provide notification regarding location, deployment and verification steps
  https://support.symantec.com/en_US/article.INFO3791.html

Symantec Protection for SharePoint Servers (SPSS)
  Support will provide notification regarding location, deployment and verification steps
  https://support.symantec.com/en_US/article.INFO3795.html

Symantec Mail Security for Microsoft Exchange (SMSMSE)
  Support will provide notification regarding location, deployment and verification steps
  https://support.symantec.com/en_US/article.INFO3794.html

Symantec Mail Security for Domino (SMSDOM)
  Support will provide notification regarding location, deployment and verification steps
  https://support.symantec.com/en_US/article.INFO3793.html

CSAPI
  Support will provide notification regarding location, deployment and verification steps

Symantec Message Gateway (SMG)
  Current installed version should be 10.6.1-4

Symantec Message Gateway for Service Providers (SMG-SP)
  Ensure the installed updated binary files have the same checksums specified in the patch release notes



NOTE: If you require additional information on how to update your Symantec product, see https://support.symantec.com/en_US/article.TECH125408.html


Norton Family:

Product updates are delivered via LiveUpdate™, which runs automatically at regular intervals; users can also run LiveUpdate™ interactively.

To perform LiveUpdate™ interactively, users should:

  • Open LiveUpdate™ in the product
  • Run LiveUpdate™ until all available updates are downloaded and installed

The Help -> About box in the product UI will show version 22.7.0.x if the update has been applied successfully.


Best Practices


As part of normal best practices, Symantec strongly recommends the following:


  • Restrict access to administrative or management systems to authorized privileged users.

  • Restrict remote access, if required, to trusted/authorized systems only.

  • Run under the principle of least privilege where possible to limit the impact of potential exploit.

  • Keep all operating systems and applications current with vendor patches.

  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.

  • Deploy network- and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.


Credit
Symantec would like to thank Tavis Ormandy with Google's Project Zero, for reporting these to us and working closely with us as we addressed the issues.


References


BID: Security Focus, http://www.securityfocus.com, has assigned Bugtraq IDs (BIDs) to these issues for inclusion in the Security Focus vulnerability database.


CVE: These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.


CVE            BID    Description
CVE-2016-2207  91434  RAR decompression memory access violation
CVE-2016-2209  91436  Dec2SS buffer overflow
CVE-2016-2210  91437  Dec2LHA buffer overflow
CVE-2016-2211  91438  CAB decompression memory corruption
CVE-2016-3644  91431  MIME message modification memory corruption
CVE-2016-3645  91439  TNEF integer overflow
CVE-2016-3646  91435  ZIP decompression memory access violation




REPORTING VULNERABILITIES TO SYMANTEC

Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines.
Symantec has developed a Software Security Vulnerability Management Process document outlining the process we follow in addressing suspected vulnerabilities in our products.
Symantec Corporation firmly believes in a proactive approach to secure software development and implements security review into various stages of the software development process. Additionally, Symantec is committed to the security of its products and services as well as to its customers’ data. Symantec is committed to continually improving its software security process.
This document provides an overview of the current Secure Development Lifecycle (SDLC) practice applicable to Symantec’s product and service teams as well as other software security related activities and policies used by such teams. This document is intended as a summary and does not represent a comprehensive list of security testing and practices conducted by Symantec in the software development process.
Please contact secure@symantec.com if you believe you have discovered a security issue in a Symantec product. A member of the Symantec Software Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com.
The Symantec Software Security PGP key can be found at the following location:
COPYRIGHT (C) BY SYMANTEC CORP.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Software Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.
Last modified on: June 28, 2016