May 8, 2009
>>> “Luevano, Ana” <ana.luevano@dir.state.tx.us> 5/8/2009 9:31 AM >>>
MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY ADVISORY
MS-ISAC ADVISORY NUMBER:
2009-023 Updated
DATE(S) ISSUED:
4/29/2009
5/8/2009 UPDATED
SUBJECT:
Multiple Vulnerabilities in Symantec Products Could Allow For Remote Code Execution
ORIGINAL OVERVIEW:
Multiple vulnerabilities have been identified within various Symantec
security products which could allow a remote attacker to take complete
control of an affected system without any user interaction. Symantec’s
suite of security products includes network devices and consumer
software that are used by both enterprise and home level users.
It should be noted that exploit code is not publicly available for any
of these vulnerabilities.
UPDATED OVERVIEW:
Exploit code is now publicly available.
SYSTEMS AFFECTED:
* Symantec AntiVirus Corporate Edition 9.0 MR6 and earlier
* Symantec AntiVirus Corporate Edition 10.0
* Symantec AntiVirus Corporate Edition 10.1 MR7 and earlier
* Symantec AntiVirus Corporate Edition 10.2 MR1 and earlier
* Symantec Client Security 2.0 MR6 and earlier
* Symantec Client Security 3.0
* Symantec Client Security 3.1 MR7 and earlier
* Symantec Endpoint Protection 11.0 MR2 and earlier
* Norton 360 1.0
* Norton Internet Security 2005 through 2008
* Symantec Antivirus 10.1 MR7 and earlier
RISK:
Government:
* Large and medium government entities: High
* Small government entities: High
Businesses:
* Large and medium business entities: High
* Small business entities: High
Home users: High
ORIGINAL DESCRIPTION:
Four of the five vulnerabilities discovered in various Symantec security
products could allow for remote code execution.
Four of these vulnerabilities affect Symantec Alert Management System 2
(AMS2). AMS2 is an optional component for a number of Symantec security
products. This component listens for specific security-related events on
a computer network and sends notifications as specified by the
administrator.
* The Intel LANDesk Common Base Agent (CBA) component of AMS2 is prone to a vulnerability that attackers can leverage to execute arbitrary commands. This issue occurs because the software fails to sufficiently sanitize user-supplied data submitted as a TCP packet on port 12174 before passing it as a parameter to a ‘CreateProcessA()’ function call.
* The Intel File Transfer service (XFR.EXE) component of the AMS2 Console is prone to a vulnerability that attackers can leverage to execute arbitrary code. An attacker able to establish a TCP connection to the affected process can exploit this issue to execute arbitrary code hosted on remote fileshares or WebDAV (Web-based Distributed Authoring and Versioning) servers.
* The Intel Alert Originator Service component of AMS2 is prone to a stack-based buffer-overflow vulnerability. This issue affects the ‘IAO.exe’ process and is triggered when processing a malformed packet. By default, the vulnerable service listens on TCP port 38292.
* The Intel Alert Originator Service component of AMS2 is prone to multiple stack-based buffer-overflow vulnerabilities. Specifically, these issues occur because the ‘IAO.exe’ process fails to sufficiently validate data received from the ‘MsgSys.exe’ process. By default, the affected service listens on TCP port 38292.
Successfully exploiting any of these vulnerabilities in AMS2 may allow
an attacker to gain SYSTEM privileges, which could allow the attacker to
gain complete control over the affected system without any user
interaction.
An additional vulnerability affects Symantec’s Log Viewer application
(‘ccLgView.exe’) which is prone to two parsing issues that attackers can
trigger by sending a specially crafted email containing HTML and script
code. These scripts could be executed via the ‘View Logs – Email
Filtering’ option. An attacker could exploit the Symantec Log Viewer
vulnerability by supplying HTML code that could run in the context of
the affected browser, potentially allowing the attacker to steal
cookie-based authentication credentials. Other attacks may also be
possible.
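The Log Viewer issue above is the classic case of a viewer placing untrusted data (here, e-mail content) into HTML without encoding it. The following is an added illustration, not Symantec's code or anything from the advisory: a minimal log-table renderer that HTML-escapes every field before emitting it, run over constructed sample records that include inert markup in the subject field. The record layout and column names are assumptions.

```python
"""Added example: render untrusted log fields safely in an HTML log view.

Illustrative only; the record layout is constructed and the renderer is not
the product's code. The point is output encoding: each untrusted field is
escaped before it is placed inside a <td>, so markup in the data is shown
as text rather than interpreted by the browser.
"""
import html
import re

# Columns the hypothetical log view displays (assumption).
COLUMNS = ("time", "sender", "subject", "action")

# Constructed sample records: one benign, one carrying inert HTML/script markup
# in the subject field, the kind of field an e-mail-filtering log would store.
SAMPLE_RECORDS = [
    {"time": "2009-05-08 09:31:00", "sender": "alice@example.org",
     "subject": "Quarterly report", "action": "allowed"},
    {"time": "2009-05-08 09:32:10", "sender": "mallory@example.net",
     "subject": '<script>alert("x")</script> <img src="x" onerror="alert(1)">',
     "action": "filtered"},
]

# Tags the renderer itself never emits; if one appears in the output it
# came from the data and was not escaped.
_DATA_TAGS = re.compile(r"<(script|img|iframe|object|embed|svg)\b", re.IGNORECASE)


def render_row(record):
    """Escape every field (quotes included) before placing it in a cell."""
    cells = "".join(
        "<td>%s</td>" % html.escape(str(record.get(col, "")), quote=True)
        for col in COLUMNS
    )
    return "<tr>%s</tr>" % cells


def render_table(records):
    """Render all records as one HTML table; only table markup is emitted."""
    header = "".join("<th>%s</th>" % html.escape(c) for c in COLUMNS)
    rows = "".join(render_row(r) for r in records)
    return "<table><tr>%s</tr>%s</table>" % (header, rows)


def has_unescaped_tags(rendered):
    """True if any data-borne tag survived into the rendered HTML."""
    return _DATA_TAGS.search(rendered) is not None


if __name__ == "__main__":
    out = render_table(SAMPLE_RECORDS)
    print(out)
    print("unescaped markup present:", has_unescaped_tags(out))
```

`has_unescaped_tags` works as a regression check here only because the renderer emits nothing but `table`, `tr`, `th` and `td` tags; any `script` or `img` tag in its output must have come from a record.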
UPDATED DESCRIPTION:
Exploit code is now publicly available.
RECOMMENDATIONS:
We recommend the following actions be taken:
* Apply appropriate patches provided by Symantec to vulnerable systems immediately after appropriate testing.
* Do not open email from unknown or untrusted sources.
* Block untrusted incoming traffic from the Internet at your network perimeter.
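The AMS2 services named above listen on TCP 12174 (CBA) and TCP 38292 (Intel Alert Originator), so the perimeter recommendation translates into a concrete check: which sources are actually reaching those ports, and do the gateway rules restrict them to the management network? The script below is an added example, not part of the advisory; it reviews constructed flow records against an assumed management subnet and emits corresponding iptables rules for a Linux gateway in front of the Windows hosts. The subnet, host addresses and flow-record layout are all assumptions.

```python
"""Added example: find flows that reach the AMS2 service ports from outside
the management network, and generate gateway rules that restrict them.

Not part of the advisory. The ports come from the advisory text; the
management subnet, addresses and flow records are constructed for the demo.
"""
import ipaddress

# TCP ports named in the advisory for the AMS2 components.
AMS2_PORTS = {
    12174: "Intel LANDesk Common Base Agent (CBA)",
    38292: "Intel Alert Originator Service (IAO.exe)",
}

# Assumed subnet from which AMS2 consoles legitimately connect.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol).
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.20.5.40", 38292, "tcp"),    # console -> AMS2 server, expected
    ("198.51.100.7", "10.20.5.40", 12174, "tcp"),  # Internet -> CBA port, should be blocked
    ("10.44.3.9", "10.20.5.40", 38292, "tcp"),     # internal host outside the management net
    ("10.44.3.9", "10.20.5.40", 443, "tcp"),       # unrelated port, ignored
    ("203.0.113.5", "10.20.5.40", 38292, "udp"),   # wrong protocol, ignored (services are TCP)
]


def is_management(src_ip):
    """True if the source address falls inside an allowed management subnet."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def find_untrusted_ams2_flows(flows):
    """Return TCP flows to an AMS2 port whose source is not a management host."""
    hits = []
    for src, dst, port, proto in flows:
        if proto != "tcp" or port not in AMS2_PORTS:
            continue
        if not is_management(src):
            hits.append({"src": src, "dst": dst, "port": port,
                         "service": AMS2_PORTS[port]})
    return hits


def iptables_rules(ports=AMS2_PORTS, nets=MANAGEMENT_NETS):
    """Gateway rules: accept each management net to each AMS2 port, then drop
    the port for every other source. ACCEPT rules precede the DROP so order
    within the chain is correct when appended in sequence."""
    rules = []
    for port in sorted(ports):
        for net in nets:
            rules.append(f"iptables -A INPUT -p tcp -s {net} --dport {port} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for hit in find_untrusted_ams2_flows(SAMPLE_FLOWS):
        print("ALERT: %(src)s -> %(dst)s:%(port)d (%(service)s)" % hit)
    print("\n".join(iptables_rules()))
```

Flow records from NetFlow, firewall logs or a packet capture can be fed to `find_untrusted_ams2_flows` in the same tuple shape; anything it reports either indicates a missing perimeter rule or a host that should be added to the management allow-list.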
ORIGINAL REFERENCES:
Symantec:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_02
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_01
Security Focus:
http://www.securityfocus.com/bid/34669
http://www.securityfocus.com/bid/34671
http://www.securityfocus.com/bid/35672
http://www.securityfocus.com/bid/34674
http://www.securityfocus.com/bid/34675
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1428
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1431
UPDATED REFERENCE:
Security Focus:
http://downloads.securityfocus.com/vulnerabilities/exploits/34671.rb