Symantec Products Affected by Multiple "as Bad as It Gets" Vulnerabilities


Batu69

Some bugs are wormable and affect a large number of products

   Symantec's heuristics engine is the source of some issues

Tavis Ormandy, a member of Google's Project Zero initiative, has discovered a series of vulnerabilities in Symantec's security products. Due to the nature of these flaws, they affect a large number of Symantec products, and not all can be patched via automatic updates.

"These vulnerabilities are as bad as it gets," Ormandy writes on Google's blog. "They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."

The vulnerable code Ormandy is referring to is Symantec's unpacker for ASPack, a commercial executable-packing tool; the unpacker is used to unpack files before they are scanned for malware.

Running code in the kernel is always a bad idea

Ormandy says that Symantec's mistake was to run this component in the operating system's kernel, under the highest privilege available. A vulnerability in this component gives the attacker a golden ticket to full control over the system, without the need for a second-stage exploit to escalate their access.

Besides this main issue, CVE-2016-2208, the researcher also claims he found multiple stack buffer overflows and memory corruption issues.

The researcher also discovered that Symantec had used open source libraries in its products, such as libmspack and unrarsrc, but forgot to update them for the past seven years. An attacker would only need to employ one of the publicly known issues for these tools.

Exploitation is trivial, bugs affect multiple products, on all platforms

Exploitation of some of these issues is trivial, according to Ormandy, who says that some don't require user interaction, and some are even wormable, being able to spread to other nearby devices on their own.

An attacker would only need to send an email to the target containing a malicious file that exploits one of these issues. Additionally, the attacker could host their exploit code online and embed a link to the malicious URL inside the email.

The list of affected products includes a large number of older, legacy Norton products, Symantec Endpoint Protection, Symantec Email Security, Symantec Protection Engine, Symantec Protection for SharePoint Servers, and many more. In all cases, the vulnerabilities are cross-platform. Symantec has released patches for all affected products.

In May, Ormandy helped Symantec plug another security hole in its product. Besides Symantec, in the past, the researcher found bugs in the software of security vendors such as FireEye, ESET, Kaspersky, Bromium, Trend Micro, Comodo, Malwarebytes, Avast, and AVG.

Article source

TheMountain

"Besides Symantec, in the past, the researcher found bugs in the software of security vendors such as FireEye, ESET, Kaspersky, Bromium, Trend Micro, Comodo, Malwarebytes, Avast, and AVG."

This is one of many reasons why I don't use real-time AV protection. 

The cure is worse than the disease.



Symantec and Norton Security Products Contain Critical Vulnerabilities, Alert (TA16-187A)

:(

Original release date: July 05, 2016

Systems Affected

All Symantec and Norton branded antivirus products

Overview

Symantec and Norton branded antivirus products contain multiple vulnerabilities. Some of these products are in widespread use throughout government and industry.

Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system.

Description

The vulnerabilities are listed below:

CVE-2016-2207
Symantec Antivirus multiple remote memory corruption unpacking RAR [1]

CVE-2016-2208
Symantec antivirus products use common unpackers to extract malware binaries when scanning a system. A heap overflow vulnerability in the ASPack unpacker could allow an unauthenticated remote attacker to gain root privileges on Linux or OSX platforms. The vulnerability can be triggered remotely using a malicious file (via email or link) with no user interaction. [2]

CVE-2016-2209
Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow [3]

CVE-2016-2210
Symantec: Remote Stack Buffer Overflow in dec2lha library [4]

CVE-2016-2211
Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives [5]

CVE-2016-3644
Symantec: Heap overflow modifying MIME messages [6]

CVE-2016-3645
Symantec: Integer Overflow in TNEF decoder [7]

CVE-2016-3646
Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink [8]

Impact

The large number of products affected (24 products), across multiple platforms (OSX, Windows, and Linux), and the severity of these vulnerabilities (remote code execution at root or SYSTEM privilege) make this a very serious event.

A remote, unauthenticated attacker may be able to run arbitrary code at root or SYSTEM privileges by taking advantage of these vulnerabilities.

Some of the vulnerabilities require no user interaction and are network-aware, which could result in a wormable event.

Solution

Symantec has provided patches or hotfixes to these vulnerabilities in their SYM16-008 [9] and SYM16-010 [10] security advisories.

US-CERT encourages users and network administrators to patch Symantec or Norton antivirus products immediately.

While there has been no evidence of exploitation, the ease of attack, widespread nature of the products, and severity of the exploit may make this vulnerability a popular target.

References

[1] Symantec Antivirus multiple remote memory corruption unpacking RAR
[2] How to Compromise the Enterprise Endpoint
[3] Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow
[4] Symantec: Remote Stack Buffer Overflow in dec2lha library
[5] Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives
[6] Symantec: Heap overflow modifying MIME messages
[7] Symantec: Integer Overflow in TNEF decoder
[8] Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink
[9] Symantec SYM16-008 security advisory
[10] Symantec SYM16-010 security advisory

Revisions

July 5, 2016: Initial Release

https://www.us-cert.gov/ncas/alerts/TA16-187A
