
Thursday, October 06, 2005

[NT] Symantec AntiVirus Buffer Overflow

The following security advisory was sent to the SecuriTeam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Symantec AntiVirus Buffer Overflow
------------------------------------------------------------------------

SUMMARY

<http://enterprisesecurity.symantec.com/products/products.cfm?productid=173> Symantec Scan Engine is described by the vendor as providing "fast, scalable, and reliable content scanning services and API to protect against viruses and other unwanted content."

A buffer overflow in Symantec AntiVirus Scan Engine allows attackers to
cause the program to execute arbitrary code.

DETAILS

Vulnerable Systems:
* Symantec AntiVirus Scan Engine version 4.0
* Symantec AntiVirus Scan Engine version 4.3
* Symantec AntiVirus for Microsoft ISA Server 2000 version 4.0
* Symantec AntiVirus for Microsoft ISA Server 2000 version 4.3
* Symantec AntiVirus for Netapp Filer version 4.0
* Symantec AntiVirus for Messaging version 4.3
* Symantec AntiVirus for Netapp NetCache version 4.0
* Symantec AntiVirus for Network Attached Storage version 4.0
* Symantec AntiVirus for Bluecoat version 4.0
* Symantec AntiVirus for Caching version 4.3
* Symantec AntiVirus for Microsoft SharePoint version 4.3
* Symantec AntiVirus for Clearswift version 4.0
* Symantec AntiVirus for Clearswift version 4.3

Immune Systems:
* Symantec AntiVirus Scan Engine version 4.1

The vulnerability exists due to insufficient input validation of HTTP
headers. A remote attacker can send a specially crafted HTTP request to
the administrative Scan Engine web service on TCP port 8004 to crash the
service or execute arbitrary code. Because a header value is handled
with a signed integer type, a connecting client can supply a negative
value; the service treats it as a very large unsigned number and later
passes it as the length argument of a memory copy operation. The
resulting overly long copy overflows a heap buffer. A remote attacker who
supplies carefully crafted HTTP requests can trigger the heap overflow
and execute arbitrary code.

Successful exploitation of the vulnerability can result in remote code
execution with SYSTEM privileges. Exploitation does not require
credentials or any element other than the ability to send an HTTP request
to the administrative interface, TCP port 8004 by default, on the
vulnerable server. It is recommended to apply the vendor-supplied
workaround or upgrade to the latest available version of the software.
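The bug class the advisory describes (a signed length that passes a signed bounds check and is then converted to a huge size_t at the memcpy call) is easy to see in a small C model. The code below is an added example, not Symantec's code; BODY_MAX, the function names and the header values are hypothetical. The vulnerable path only computes the length that would reach memcpy and copies nothing, so it is safe to run; the hardened path parses with an unsigned type, rejects a sign, trailing junk and overflow, and enforces an explicit upper bound before any copy.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed size of the heap buffer a request body is copied into. */
#define BODY_MAX 1024

/*
 * Bug class from the advisory: the header value is parsed into a signed
 * type and bounds-checked with a signed comparison. "-1" passes the check
 * and, when handed to memcpy() (length parameter is size_t), is implicitly
 * converted to SIZE_MAX. Returns 1 if the request would be accepted and
 * stores the byte count that would reach memcpy(). Nothing is copied.
 */
int vulnerable_accept(const char *content_length, size_t *copy_len)
{
    long len = strtol(content_length, NULL, 10);  /* sign accepted, no check */
    if (len > BODY_MAX)                           /* -1 > 1024 is false */
        return 0;
    *copy_len = (size_t)len;                      /* -1 becomes SIZE_MAX */
    return 1;
}

/*
 * Hardened parse: digits only (rejects "", "-1", "+1", " 1"), unsigned
 * conversion, overflow and trailing-junk detection, explicit upper bound.
 */
int safe_parse_length(const char *s, size_t *out)
{
    char *end;
    unsigned long long v;

    if (s == NULL || !isdigit((unsigned char)*s))
        return 0;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0')          /* overflow or junk */
        return 0;
    if (v > BODY_MAX)                             /* unsigned bound check */
        return 0;
    *out = (size_t)v;
    return 1;
}

/*
 * Copy a body into a fresh heap buffer using the hardened parser.
 * body_avail is how many bytes were actually received; the copy never
 * exceeds the declared length, the bytes on hand, or BODY_MAX.
 * Returns bytes copied, or 0 on rejection (*out set to NULL).
 */
size_t safe_copy_body(const char *content_length, const char *body,
                      size_t body_avail, char **out)
{
    size_t len;

    *out = NULL;
    if (!safe_parse_length(content_length, &len) || len > body_avail)
        return 0;
    *out = malloc(len + 1);
    if (*out == NULL)
        return 0;
    memcpy(*out, body, len);                      /* len <= BODY_MAX here */
    (*out)[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed header values for illustration, not captured traffic. */
    const char *values[] = { "512", "-1", "2000", "12abc", "99999999999999999999" };
    size_t n, i;
    char *buf;

    for (i = 0; i < sizeof values / sizeof values[0]; i++) {
        int v = vulnerable_accept(values[i], &n);
        printf("%-22s vulnerable: %s", values[i], v ? "accepted" : "rejected");
        if (v)
            printf(" (memcpy length %zu)", n);
        printf("  hardened: %s\n",
               safe_parse_length(values[i], &n) ? "accepted" : "rejected");
    }

    n = safe_copy_body("5", "hello world", 11, &buf);
    printf("copied %zu bytes: %s\n", n, buf ? buf : "(none)");
    free(buf);
    return 0;
}
```

The point to take from the two parsers is that the fix is not "check the length" but "check it as the type the copy routine will actually receive": the vulnerable version does perform a bounds check, and it is the signed comparison combined with the later implicit conversion to size_t that defeats it.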

Workaround:
The vendor has supplied the following workaround solution:

"Default installation instructions state that, for security reasons,
customers should access the administrative interface using a switch or via
a secure segment of the network. The Symantec AntiVirus Scan Engine
Administration default port, 8004/tcp, should be locked down for trusted
internal access only. This port can be changed, as it might conflict with
existing applications in the environment. But whatever port is used for
the user-interface, it should never be visible external to the network
which greatly reduces opportunities for unauthorized access. A customer
may choose to completely disable the Symantec AntiVirus Scan Engine's
user-interface once it has been satisfactorily configured.

* To disable the user interface, set the port to "0" in the
user-interface and restart the Symantec AntiVirus Scan Engine.
* To re-enable the user-interface, edit the Symantec AntiVirus Scan
Engine configuration file, set the port back to 8004/tcp, or the
applicable user-configured port, and restart the Symantec AntiVirus Scan
Engine."

Vendor Response:
"Symantec Engineers have verified this issue and made security updates
available for the Symantec AntiVirus Scan Engine. Symantec strongly
recommends all customers immediately apply the latest updates for their
supported product versions to protect against these types of threats.
Symantec is unaware of any adverse customer impact from this issue."

CVE Information:
CAN-2005-2758 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2758>

Disclosure Timeline:
08/31/2005 - Initial vendor notification
08/31/2005 - Initial vendor response
10/04/2005 - Coordinated public disclosure

ADDITIONAL INFORMATION

The information has been provided by iDEFENSE Labs <mailto:labs-no-reply@idefense.com>.
The original article can be found at:
http://www.idefense.com/application/poi/display?id=314&type=vulnerabilities
The vendor advisory can be found at:
http://www.symantec.com/avcenter/security/Content/2005.10.04.html

