The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SWS

vulnerability note CVE-2016-5309 CVE-2016-5310

Symantec Endpoint Protection, Mail Security, Web Gateway, Web Security: two vulnerabilities via RAR archives

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in the RAR archive analyser of Symantec Endpoint Protection, Mail Security, Web Gateway, Web Security.
Impacted products: SEP, Symantec Mail Security, Symantec Web Gateway, SWS.
Severity: 3/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 20/09/2016.
Revision date: 21/09/2016.
Identifiers: CVE-2016-5309, CVE-2016-5310, VIGILANCE-VUL-20654.

Description of the vulnerability

Several vulnerabilities were announced in Symantec Endpoint Protection, Mail Security, Web Gateway, Web Security.

An attacker can generate a memory corruption in the RAR analyser, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-5310]

An attacker can generate a read-only buffer overflow in the RAR archive analyser, in order to trigger a denial of service. [severity:2/4; CVE-2016-5309]

computer vulnerability announce CVE-2016-2207 CVE-2016-2209 CVE-2016-2210

Symantec: seven vulnerabilities of the "Decomposer" module

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Symantec products.
Impacted products: Norton Antivirus, Norton Internet Security, Norton Security, SEP, Symantec Mail Security, Symantec Web Gateway, SWS.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 7.
Creation date: 29/06/2016.
Revision date: 29/06/2016.
Identifiers: 810, 814, 816, 818, 819, 821, 823, CERTFR-2016-AVI-222, CVE-2016-2207, CVE-2016-2209, CVE-2016-2210, CVE-2016-2211, CVE-2016-3644, CVE-2016-3645, CVE-2016-3646, VIGILANCE-VUL-19997.

Description of the vulnerability

Several vulnerabilities were announced in Symantec Endpoint Protection.

An attacker can generate a buffer overflow via a substream of MS-Office file, in order to trigger a denial of service, and possibly to run code. [severity:4/4; 823, CVE-2016-2209]

An attacker can force a read at an invalid address via ALPkOldFormatDecompressor::UnShrink, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; 821, CVE-2016-3646]

An attacker can generate an integer overflow via Attachment::setDataFromAttachment, in order to trigger a denial of service, and possibly to run code. [severity:2/4; 819, CVE-2016-3645]

An attacker can generate a buffer overflow via CMIMEParser::UpdateHeader, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 818, CVE-2016-3644]

An attacker can generate a memory corruption via a MSPACK archive, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 816, CVE-2016-2211]

An attacker can generate a buffer overflow via CSymLHA::get_header, in order to trigger a denial of service, and possibly to run code. [severity:4/4; 814, CVE-2016-2210]

An attacker can generate a memory corruption via a RAR archive, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 810, CVE-2016-2207]

vulnerability note CVE-2007-0447 CVE-2007-3699

Symantec AV, SGS, WS, Norton AV, IS, PF: vulnerabilities of RAR and CAB

Synthesis of the vulnerability

Two vulnerabilities of Symantec and Norton products lead to a denial of service or to code execution.
Impacted products: Norton Antivirus, Norton Internet Security, Raptor Firewall, Symantec AV, SEF, SGS, SWS.
Severity: 3/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 12/07/2007.
Revision date: 13/07/2007.
Identifiers: BID-24282, CVE-2007-0447, CVE-2007-3699, CVE-2007-3801-REJECT, SYM07-019, VIGILANCE-VUL-7004, ZDI-07-039, ZDI-07-040.

Description of the vulnerability

Two vulnerabilities of Symantec and Norton products are related to RAR or CAB files analysis.

An attacker can modify the PACK_SIZE field of a RAR file header in order to create an infinite loop when the file is parsed. [severity:3/4; CVE-2007-3699, CVE-2007-3801-REJECT, ZDI-07-039]

A malicious CAB archive can create an overflow leading to code execution. [severity:3/4; CVE-2007-0447, ZDI-07-040]

computer vulnerability bulletin 6498

Symantec Web Security: Cross Site Scripting and denial of service

Synthesis of the vulnerability

An attacker can exploit two vulnerabilities of Symantec Web Security.
Impacted products: SWS.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 25/01/2007.
Identifiers: BID-22184, SYM07-001, VIGILANCE-VUL-6498.

Description of the vulnerability

An attacker can exploit two vulnerabilities of Symantec Web Security.

Error pages and pages indicating a blocked site do not correctly check the data they display. An attacker can thus generate a Cross Site Scripting attack in the web management console. [severity:2/4]

An attacker can send a large file to the license registration interface, in order to slow down the service while this data is analysed. [severity:2/4]

computer vulnerability bulletin CVE-2006-3454

Symantec AV: format string attack

Synthesis of the vulnerability

An attacker can use the customization of the alert notification message to run code on the machine or cause a denial of service.
Impacted products: Symantec AV, SWS.
Severity: 2/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: user shell.
Creation date: 14/09/2006.
Identifiers: CERTA-2006-AVI-394, CVE-2006-3454, SYM06-017, VIGILANCE-VUL-6158.

Description of the vulnerability

The Symantec antivirus software lets the user customize the alert notification message displayed when a virus is detected.

Two format string attacks have been identified in the customization of the alert notification:
  - the input parameters are not correctly checked, which allows a format string attack during the customization of the message,
  - the content of the message is not correctly sanitized, and can lead to a denial of service via a format string attack when a malicious file is detected.

vulnerability announce CVE-2005-4438

Symantec: overflows with RAR archives

Synthesis of the vulnerability

An attacker can generate three overflows in Symantec Antivirus Library using RAR archives.
Impacted products: Norton Antivirus, SWS.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 20/12/2005.
Revision date: 22/12/2005.
Identifiers: 2005.12.21, BID-15971, CERTA-2006-AVI-007, CVE-2005-4438, SYM05-027, VIGILANCE-VUL-5442, VU#305272.

Description of the vulnerability

The Symantec Antivirus Library is used by several Symantec products.

The dec2rar.dll DLL does not check the size of data coming from RAR archives before copying it into arrays. A RAR archive can thus lead to three array overflows.

An attacker can therefore create a malicious archive leading to code execution in the software.

computer vulnerability alert CVE-2005-1346

Symantec AntiVirus: RAR archives not detected

Synthesis of the vulnerability

A virus located in a malicious RAR archive is not detected by several products of the Symantec AntiVirus range.
Impacted products: Norton Antivirus, Norton Internet Security, SWS.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Creation date: 28/04/2005.
Identifiers: 2005.04.27, BID-13416, CVE-2005-1346, V6-SYMANTECAVRARBYPASS, VIGILANCE-VUL-4936.

Description of the vulnerability

RAR archives are compressed and have the ".rar" extension.

When Symantec AntiVirus decompresses a malicious archive, an error occurs and stops the opening of the archive. Any viruses it may contain are not detected.

An attacker can therefore use this vulnerability to pass a virus through. Note that this virus will be detected by the user's local antivirus when the archive is extracted on the user's computer.

computer vulnerability bulletin CVE-2005-0249

Symantec: buffer overflow when analysing a UPX file

Synthesis of the vulnerability

A remote attacker can create a malicious UPX file, causing a buffer overflow in Symantec antivirus products.
Impacted products: Norton Antivirus, Norton Internet Security, SWS.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet server.
Creation date: 09/02/2005.
Identifiers: 187, 2005.02.08, BID-12492, CVE-2005-0249, V6-SYMANTECAVUPXBOF, VIGILANCE-VUL-4738, VU#107822.

Description of the vulnerability

The UPX (Ultimate Packer for eXecutables) format compresses a program and decompresses it before it is executed.

The Symantec antivirus library is used in all products that analyse data flows.

This library does not check the value of an offset indicated in the UPX format. Thus, when a UPX file indicating a negative offset is opened, a memory area is overwritten. Code then runs with the privileges of the application.

An attacker can for example send an email containing a malicious UPX file, in order to run code on users' computers.

computer vulnerability announce 2297

Denial of service via compressed files

Synthesis of the vulnerability

By sending compressed files to the mail server, a remote attacker can cause a denial of service on the antivirus.
Impacted products: F-PROT AV, Kaspersky AV, VirusScan, Norton Antivirus, Sophos AV, SWS, InterScan VirusWall.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet server.
Creation date: 26/02/2002.
Revision dates: 27/02/2002, 12/01/2004, 09/02/2004, 28/06/2004.
Identifiers: BID-10537, BID-9393, V6-ANTIVIRUSMAILBIGFILEDOS, VIGILANCE-VUL-2297.

Description of the vulnerability

In most secured architectures, an antivirus is associated with the mail server. It scans the content of received and sent emails. Compressed files (zip, rar, tar.gz, tgz, bz2, etc.) follow a particular path:
 - they are decompressed in a quarantine area,
 - their content is checked.
If no virus is detected, the antivirus validates the file and processes the next email.

However, a design error was discovered in most antivirus products. When they decompress compressed files, no check of the file size is performed.

Thus, a remote attacker can:
 - create a large file containing highly compressible data (1 to 1000),
 - compress this file,
 - send this file by email.
When the server receives the email, the antivirus uses part of the CPU resources to decompress it, as well as a large amount of disk space.

The attacker can therefore cause a denial of service at two levels on the server associated with the antivirus: heavy use of the CPU and of disk space.
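
The size check this bulletin reports as missing, sketched as an added example (not part of the bulletin and not any vendor's code): a scanner-side routine that inflates into a quarantine sink in fixed-size pieces and abandons the stream once an absolute size or expansion-ratio budget is exceeded. The function names, the limit values and the choice of a zlib/gzip stream are assumptions made for illustration.

```python
import io
import zlib


class ExpansionLimitExceeded(Exception):
    def __init__(self, reason, written):
        super().__init__(f"{reason} after {written} bytes")
        self.reason, self.written = reason, written


def bounded_inflate(compressed, sink, max_output=32 << 20, max_ratio=100,
                    ratio_floor=1 << 20, chunk=64 << 10):
    """Inflate a zlib/gzip stream into sink; return the bytes written.

    All limits are assumed policy values for this example.
    """
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)  # zlib or gzip header
    written, data = 0, compressed
    while not d.eof:
        # max_length caps each call's output, so memory stays at one chunk
        # however well the input compresses.
        piece = d.decompress(data, chunk)
        data = d.unconsumed_tail
        if not piece and not data:
            raise ValueError("truncated or stalled compressed stream")
        if written + len(piece) > max_output:
            raise ExpansionLimitExceeded("absolute size limit", written)
        sink.write(piece)
        written += len(piece)
        # Ratio is checked only past a floor so that small, highly
        # compressible legitimate files are not rejected.
        if written > ratio_floor and written > max_ratio * len(compressed):
            raise ExpansionLimitExceeded("expansion ratio limit", written)
    return written


def demo():
    # Constructed samples: ordinary text, and 20 MiB of zeros (about 1000:1).
    benign = zlib.compress(b"Subject: quarterly report\r\n" * 2000)
    bomb = zlib.compress(b"\0" * (20 << 20), 9)
    results = {"benign": bounded_inflate(benign, io.BytesIO())}
    try:
        bounded_inflate(bomb, io.BytesIO())
    except ExpansionLimitExceeded as exc:
        results["bomb"] = (exc.reason, exc.written)
    return results


if __name__ == "__main__":
    print(demo())
```

Because the budget is checked before each write, the quarantine area never receives more than `max_output` bytes from a single stream, and CPU time is bounded by the same figure.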

vulnerability alert 3961

Cross Site Scripting in Symantec Web Security

Synthesis of the vulnerability

When a web page is blocked, a Cross Site Scripting attack can occur in Symantec Web Security.
Impacted products: SWS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 19/01/2004.
Identifiers: BID-9418, V6-SYMANTECWSBLOCKXSS, VIGILANCE-VUL-3961.

Description of the vulnerability

The Symantec Web Security product can block certain illicit pages.

An attacker can include a malicious script in a URL. It will run via Cross Site Scripting in the context of the blocked page.

This vulnerability could for example be used to obtain the user's cookies for the site concerned.