MS-ISAC ADVISORY NUMBER:
2009-023
DATE(S) ISSUED:
4/29/2009
SUBJECT:
Multiple Vulnerabilities in Symantec Products Could Allow For Remote Code Execution
Multiple vulnerabilities have been identified within various Symantec security products which could allow a remote attacker to take complete control of an affected system without any user interaction. Symantec's suite of security products includes network devices and consumer software used by both enterprise and home users.
It should be noted that exploit code is not publicly available for any of these vulnerabilities.
SYSTEMS AFFECTED:
- Symantec AntiVirus Corporate Edition 9.0 MR6 and earlier
- Symantec AntiVirus Corporate Edition 10.0
- Symantec AntiVirus Corporate Edition 10.1 MR7 and earlier
- Symantec AntiVirus Corporate Edition 10.2 MR1 and earlier
- Symantec Client Security 2.0 MR6 and earlier
- Symantec Client Security 3.0
- Symantec Client Security 3.1 MR7 and earlier
- Symantec Endpoint Protection 11.0 MR2 and earlier
- Norton 360 1.0
- Norton Internet Security 2005 through 2008
- Symantec Antivirus 10.1 MR7 and earlier
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
Four of the five vulnerabilities discovered in various Symantec security products could allow for remote code execution.
Four of these vulnerabilities affect Symantec Alert Management System 2 (AMS2). AMS2 is an optional component for a number of Symantec security products. This component listens for specific security-related events on a computer network and sends notifications as specified by the administrator.
- The Intel LANDesk Common Base Agent (CBA) component of AMS2 is prone to a vulnerability that attackers can leverage to execute arbitrary commands. This issue occurs because the software fails to sufficiently sanitize user-supplied data submitted as a TCP packet on port 12174 before passing it as a parameter to a 'CreateProcessA()' function call.
- The Intel File Transfer service (XFR.EXE) component of the AMS2 Console is prone to a vulnerability that attackers can leverage to execute arbitrary code. An attacker able to establish a TCP connection to the affected process can exploit this issue to execute arbitrary code hosted on remote fileshares or WebDav (Web-based Distributed Authoring and Versioning) servers.
- The Intel Alert Originator Service component of AMS2 is prone to a stack-based buffer-overflow vulnerability. This issue affects the 'IAO.exe' process and is triggered when processing a malformed packet. By default, the vulnerable service listens on TCP port 38292.
- The Intel Alert Originator Service component of AMS2 is prone to multiple stack-based buffer-overflow vulnerabilities. Specifically, these issues occur because the 'IAO.exe' process fails to sufficiently validate data received from the 'MsgSys.exe' process. By default, the affected service listens on TCP port 38292.
Successfully exploiting any of these vulnerabilities in AMS2 may allow an attacker to gain SYSTEM privileges, which could allow the attacker to gain complete control over the affected system without any user interaction.
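As a defender-side check for the AMS2 services described above, the following added example (not part of the advisory) scans firewall log lines for TCP traffic that reaches the advisory's AMS2 ports (12174 and 38292) from sources outside the internal address space. The key=value log format, the internal address ranges, and the sample log lines are assumptions constructed for this example.

```python
"""Added example (not from the advisory): flag TCP traffic reaching the AMS2
ports named in MS-ISAC 2009-023 from sources outside the internal ranges."""
import ipaddress
import re

# Ports and component names as stated in the advisory.
AMS2_PORTS = {12174: "Intel LANDesk Common Base Agent (CBA)",
              38292: "Intel Alert Originator Service (IAO.exe)"}
# Assumption: these ranges count as internal; adjust to the site's addressing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
# Assumed generic key=value firewall log format (constructed for this example).
LOG_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)")

def is_internal(addr):
    """True if addr falls inside one of the INTERNAL_NETS ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_exposures(lines):
    """One dict per TCP record to an AMS2 port from a non-internal source;
    non-TCP records, other ports and malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None or m["proto"].lower() != "tcp":
            continue
        dport = int(m["dport"])
        if dport not in AMS2_PORTS or is_internal(m["src"]):
            continue
        hits.append({"src": m["src"], "dst": m["dst"], "dport": dport,
                     "service": AMS2_PORTS[dport], "action": m["action"]})
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2009-04-29T10:01:02 fw1 proto=tcp src=203.0.113.5 dst=10.1.2.30 dport=38292 action=allow",
    "2009-04-29T10:01:05 fw1 proto=tcp src=10.1.2.15 dst=10.1.2.30 dport=38292 action=allow",
    "2009-04-29T10:01:09 fw1 proto=tcp src=198.51.100.7 dst=10.1.2.30 dport=12174 action=deny",
    "2009-04-29T10:01:12 fw1 proto=udp src=203.0.113.5 dst=10.1.2.30 dport=38292 action=allow",
    "2009-04-29T10:01:15 fw1 proto=tcp src=203.0.113.9 dst=10.1.2.30 dport=443 action=allow",
    "2009-04-29T10:01:20 fw1 heartbeat ok",
]

if __name__ == "__main__":
    for h in find_exposures(SAMPLE_LOG):
        print(f"{h['action']:5} {h['src']} -> {h['dst']}:{h['dport']} ({h['service']})")
```

Records with action "allow" show the perimeter block recommended below is not yet in place for that host; "deny" records still show who is probing the service.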
An additional vulnerability affects Symantec's Log Viewer application ('ccLgView.exe') which is prone to two parsing issues that attackers can trigger by sending a specially crafted email containing HTML and script code. These scripts could be executed via the 'View Logs - Email Filtering' option. An attacker could exploit the Symantec Log Viewer vulnerability by supplying HTML code that could run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks may also be possible.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate patches provided by Symantec to vulnerable systems immediately after appropriate testing.
- Do not open email from unknown or untrusted sources.
- Block untrusted incoming traffic from the Internet at your network perimeter.
REFERENCES:
Symantec:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_02
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_01
Security Focus:
http://www.securityfocus.com/bid/34669
http://www.securityfocus.com/bid/34671
http://www.securityfocus.com/bid/35672
http://www.securityfocus.com/bid/34674
http://www.securityfocus.com/bid/34675
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1428
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1431
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
