__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Symantec Client Firewall Remote Access Vulnerabilities [Symantec SYM04-008] May 14, 2004 19:00 GMT Number O-141 ______________________________________________________________________________ PROBLEM: Symantec has released fixes for 4 vulnerabilities: - stack overflow in the processing of DNS responses caused by improper bounds checking of external input. - stack overflow in the processing of NetBIOS Name Service responses that can result in a memory overwrite. - potential heap corruption problem caused by improper bounds checking in the processing of NetBIOS Name Service responses. - potential Denial of Service condition caused by improper handling of DNS response packets. SOFTWARE: Consumer: Symantec Norton Internet Security and Professional 2002, 2003, 2004 Symantec Norton Personal Firewall 2002, 2003, 2004 Symantec Norton AntiSpam 2004 Corporate: Symantec Client Firewall 5.01, 5.1.1 Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1) DAMAGE: Remote KERNEL-level access could potentially be gained and arbitrary code could be executed. SOLUTION: By using Symantec's LiveUpdate, apply their fixes. ______________________________________________________________________________ VULNERABILITY The risk is HIGH because a remote attacker could gain ASSESSMENT: root-access. However, if your organization runs the automated Symantec LiveUpdate program, your systems are most likely already protected. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-141.shtml ORIGINAL BULLETIN: http://securityresponse.symantec.com/avcenter/security/ Content/2004.05.12.html CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2004-0444 CAN-2004-0445 ______________________________________________________________________________ [***** Start Symantec SYM04-008 *****] SYM04-008 May 12, 2004 Symantec Client Firewall Remote Access and Denial of Service Issues Revision History None Risk Impact High Overview eEye Digital Security notified Symantec Corporation of four vulnerability issues they discovered in the Symantec Client Firewall products for Windows. By properly exploiting these issues, an attacker could render the targeted system inoperable or execute remote code with kernel-level privileges on the targeted system. Affected Components Consumer: Symantec Norton Internet Security and Professional 2002, 2003, 2004 Symantec Norton Personal Firewall 2002, 2003, 2004 Symantec Norton AntiSpam 2004 Corporate: Symantec Client Firewall 5.01, 5.1.1 Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1) Details eEye Digital Security notified Symantec of four vulnerabilities they discovered during product testing on versions of Symantec's client firewall application. eEye Digital Security found three instances where remote KERNEL-level access could potentially be gained. Additionally, they reported a denial of service (DoS) issue that requires a system reboot to regain system utilization. All issues occur within routines in the SYMDNS.SYS component. The first issue is a stack overflow in the processing of DNS responses caused by improper bounds checking of external input. Successful exploitation of this issue could result in remote code execution on the targeted system with kernel-level privileges. The second issue is a stack overflow in the processing of NetBIOS Name Service responses that can result in a memory overwrite. If an attacker could successfully create the conditions required to manipulate this vulnerability they could potentially execute arbitrary code with kernel-level privileges. The third remote execution issue is a potential heap corruption problem caused by improper bounds checking in the processing of NetBIOS Name Service responses. If an attacker were to successfully exploit this condition, they could possibly execute arbitrary code on the targeted system with kernel-level privileges. The forth issue is a potential DoS condition caused by improper handling of DNS response packets. Maliciously configured DNS responses can cause the targeted system to halt requiring a system reboot to clear the condition and regain system access. Symantec Response Symantec confirmed the vulnerabilities exist in the consumer and corporate Symantec Client Firewall applications as well as in Symantec's Norton AntiSpam 2004 application. Symantec product engineers have developed fixes for the issues and released patches for all impacted products through Symantec LiveUpdate and technical support channels. Clients running consumer versions of the affected products who regularly run a manual Symantec LiveUpdate should already be protected against this issue. However, to be sure they are fully protected, customers should manually run Symantec LiveUpdate to ensure all available updates are installed. - Open any installed Symantec product - Click on LiveUpdate in the toolbar - Run LiveUpdate until Symantec LiveUpdate indicated that all installed Symantec products are up-to-date - Depending on the application, system may require a reboot to effectively update available fixes. Clients running the corporate versions of Symantec Client Firewall or Symantec Client Security should download and apply patches obtained through their appropriate support channels. Symantec is not aware of any active attempts against or customer impact from this issue. CVE The Common Vulnerabilities and Exposures (CVE) initiative has assigned Candidate names to these issues. Issues one, two and three are assigned under CVE Candidate Name, CAN-2004-0444. The fourth issue, the Denial of Service in handling of DNS response packets, is assigned CVE Candidate Name, CAN 2004-0445. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Credit Symantec appreciates the cooperation of the eEye Digital Security research team in identifying this issue. Symantec Product Security Contact Information Symantec takes the security and proper functionality of its products very seriously. As founding members in the Organization for Internet Safety, Symantec follows the process of responsible disclosure. Symantec also subscribes to the vulnerability guidelines outlined by the National Infrastructure Advisory Council (NIAC). Please contact secure@symantec.com if you feel you have discovered a potential or actual security issue with a Symantec product. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be obtained here. Copyright (c) 2004 by Symantec Corp. Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com. Disclaimer The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners. Last modified on: Friday, 14-May-04 10:12:46 [***** End Symantec SYM04-008 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Symantec Corp. for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) O-131: AIX Symlink and Buffer Overflow Vulnerabilities in LVM Commands O-132: BEA WebLogic Server and Express Certificate Spoofing Vulnerability O-133: Red Hat utempter Package Vulnerability O-134: Debian rsync O-135: Apple QuickTime Integer Overflow O-136: HP Web JetAdmin Vulnerabilities O-137: SGI IRIX Networking Security Vulnerabilities O-138: Mac OS X Jaguar and Panther Security Vulnerabilities O-139: Apple Mac OS X AppleFileServer Authentication Vulnerability O-140: Microsoft HCP Protocol URL Validation Vulnerability