SYM07-019
July 11, 2007
Symantec AntiVirus Malformed RAR and CAB Compression Type Bypass

Revision History
Removed invalid CVE information
Added missing product information
Updated Symantec AntiVirus Corporate addition version information
Added information and link to new update tool for Symantec AntiVirus and Symantec Client Security
Updated Symantec Gateway Security version and update information

Risk Impact
High

Remote AccessYes
Local AccessNo
Authentication RequiredNo
Exploit publicly availableNo

Overview
Two vulnerabilities have been identified in the Symantec Decomposer component used to decompose some types of archive content while scanning for malicious content.

Affected Enterprise Products
ProductVersionBuildsUpdate To
Symantec Mail Security 8200 All 5.0.0.24
Symantec Mail Security for Microsoft Exchange 4.6.7 and earlier All 4.6.8.120
5.0.4.and earlier All 5.0.5 and higher
6.0.0 All 6.0.1 or later
Symantec Mail Security for Domino NT 4.1.5 and earlier All 4.1.9.37
5.1.2.28 and earlier All 5.1.4.32
Symantec AntiVirus/Filtering for Domino MPE(AIX, Linux, Solaris) 3.0.12 and earlier All 3.2.2.27 †
Symantec Scan Engine 5.0.1 and earlier All 5.1.4.24
Symantec AntiVirus Scan Engine 4.1.8 and earlier All 4.3.18.43
4.3.12 and earlier All 4.3.17 or later
Symantec AntiVirus Scan Engine for MS ISA 4.3.12 and earlier All 4.3.17 or later
Symantec AntiVirus Scan Engine for MS Sharepoint 4.3.12 and earlier All 4.3.17 or later
Symantec AntiVirus Scan Engine for Messaging 4.3.12 and earlier All 4.3.17 or later
Symantec AntiVirus for Network Attached Storage 4.3.12 and earlier All 4.3.17 or later
Symantec AntiVirus Scan Engine for Clearswift 4.3.12 and earlier All 4.3.17 or later
Symantec AntiVirus Scan Engine for Caching 4.3.12 and earlier All 4.3.17 or later
Symantec Client Security ††† 3.X All SCS 3.1 MR5 MP1 (build 3.1.5.5010)††
2.X All SCS 2.0 MR6-MP1 (build 2.0.6.1100)††
1.X All
Symantec Web Security 3.0.1.76 and earlier All 3.0.1.85
Symantec Gateway Security 1600 Series 3.0.1 All Update F Apply Hotfix SGS1600-3.0.1-enga2007080100
Symantec Gateway Security 5000 Series 3.0.1 All Update F Apply Hotfix SGS5000-3.0.1-enga2007080100
Symantec Gateway Security 5400 Series 2.0.1 All Upgrade to 3.0.1 F Apply SGS5000-3.0.1-enga2007080100
Symantec Brightmail AntiSpam 6.0.x All 6.05
5.5 All
4.x All
Symantec AntiVirus Corporate Edition ††† 10.X All SAV 10.1 MR5 MP1 (build 10.1.5.5010)††
9.X All SAV 9.0 MR6-MP1 (build 9.0.6.1100) ††
8.X All
Symantec AntiVirus for Macintosh 10.X All Update to any definition after 10/1/2006
Symantec Web Security for Microsoft ISA 2004 5.0 All 5.0.3
Symantec Mail Security for SMTP 5.0.0 Solaris All Patch 175
5.0.0 Linux All Patch 175
5.0.0 Windows All Patch 176
5.0.1 All Patch 181
4.1.15 and earlier All 4.1.16

† Symantec AntiVirus/Filtering for Domino MPE is no longer supported. Customers are encouraged to upgrade to Symantec Mail Security for Domino MPE

†† Customers using the SAV CE Linux client should upgrade to version 1.0.2-75. This build is available by downloading the latest SAV CE 10.X or SCS 3.X build from FileConnect.

†††Symantec has released a tool that will update the decomposer engine in Symantec AntiVirus Corporate Edition and Symantec Client Security

For more information and to download the tool, please read the following document:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007071111591448

Affected Consumer Products
ProductVersionBuildsUpdate To
Norton AntiVirus 2006 All Run LiveUpdate in Interactive Mode
2005 All Run LiveUpdate in Interactive Mode
2004 All Run LiveUpdate in Interactive Mode
Norton Internet Security 2006 All Run LiveUpdate in Interactive Mode
2005.5 AntiSpyware Edition All Run LiveUpdate in Interactive Mode
2005 All Run LiveUpdate in Interactive Mode
2004 All Run LiveUpdate in Interactive Mode
Norton SystemWorks 2006 All Run LiveUpdate in Interactive Mode
2005 All Run LiveUpdate in Interactive Mode
2004 All Run LiveUpdate in Interactive Mode
Norton Personal Firewall 2006 All Run LiveUpdate in Interactive Mode
Norton AntiVirus for Macintosh 10.X All Update to any definition after 10/1/2006
9.X All
Norton Internet Security for Macintosh 3.X All Update to any definition after 10/1/2006
Norton SystemWorks for Macintosh 3.X All Update to any definition after 10/1/2006

Products Not Affected:
ProductVersionBuilds
Symantec AntiVirus for HandHelds - Corporate Edition All All
Symantec AntiVirus for Handhelds All All
Symantec Client Security for Nokia All All
Symantec Enterprise Firewall 8.0 All
Symantec Clientless VPN Gateway 4400 Series 5.0 All
Symantec Firewall / VPN Appliance 100/200 All
Symantec Gateway Security 300/400 Series 2.0 All
Norton AntiVirus for Macintosh 7.X All
Norton AntiVirus for Macintosh 8.X All
Norton Internet Security for Macintosh 2.X All
Norton SystemWorks for Macintosh 2.X All
Norton360 All All
Symantec AntiVirus Corporate Edition 10.2 All
Norton AntiVirus 2007 All
Norton Internet Security 2007 All
Norton System works 2007 All

Details
The first vulnerability is related to the decomposition of RAR files. Modifying the RAR file header in a specific way, causes the decomposer to enter an infinite loop causing a Denial of Service.

The second vulnerability is related to the decomposition of CAB files. The Symantec Decomposer fails to perform proper bounds checks when copying from the CAB archive. This may result in the possibility of arbitary code execution on the vulnerable system.

NOTE:

  1. Only currently supported Symantec Products will be updated. Customers using unsupported versions are encouraged to upgrade to a supported version.

Symantec response
Symantec engineers have verified and corrected these issues in all currently supported products. Updates are available for supported products. Symantec recommends customers apply the latest product update available for their supported product versions to enhance their security posture and protect against potential security threats of this nature.

Product updates will be available from the Symantec support site: http://www.symantec.com/techsupp/ or via LiveUpdate when available.

Symantec Norton product users who regularly launch and run LiveUpdate should already have received an updated (non-vulnerable) version of (product/component). However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in Interactive mode as follows:

To perform a manual update using Symantec LiveUpdate, users should:

To date, Symantec is not aware of any exploits for these issues.

Best Practices
As part of normal best practices, Symantec strongly recommends:

CVE
This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE-2007-3699 for the RAR issue and CVE-2007-0447 for the CAB file issue.

Credit
Symantec would like to thank 3COM, and the Zero Day Initiative for reporting these issues and providing full coordination while Symantec resolved them.


Initial Post on: Wednesday, 11-Jul-07 7:00:00
Last modified on: