The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Symantec AV

computer vulnerability alert CVE-2016-2208

Symantec AVE: memory corruption via PE Header

Synthesis of the vulnerability

An attacker can generate a memory corruption via a PE Header on Symantec AVE, in order to trigger a denial of service, and possibly to run code with system privileges.
Impacted products: Norton Antivirus, Norton Internet Security, Norton Security, Symantec AV, SEP.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server, denial of service on service.
Provenance: document.
Creation date: 17/05/2016.
Identifiers: 820, BID-90653, CVE-2016-2208, SYM16-008, VIGILANCE-VUL-19636.

Description of the vulnerability

The Symantec AVE engine analyzes executables in PE format.

However, a malformed PE header corrupts the memory of a kernel driver.

An attacker can therefore generate a memory corruption via a PE Header on Symantec AVE, in order to trigger a denial of service, and possibly to run code with system privileges.

vulnerability announce CVE-2012-1421 CVE-2012-1425 CVE-2012-1443

Symantec Antivirus: bypassing via CAB, CHM, ELF, EXE, Office, RAR, TAR, ZIP

Synthesis of the vulnerability

An attacker can create an archive or a program containing a virus, which is not detected by Symantec Antivirus.
Impacted products: Norton Antivirus, Symantec AV.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Number of vulnerabilities in this bulletin: 9.
Creation date: 21/03/2012.
Identifiers: BID-52575, BID-52580, BID-52600, BID-52608, BID-52610, BID-52612, BID-52613, BID-52623, BID-52626, CVE-2012-1421, CVE-2012-1425, CVE-2012-1443, CVE-2012-1446, CVE-2012-1456, CVE-2012-1457, CVE-2012-1459, CVE-2012-1461, CVE-2012-1462, VIGILANCE-VUL-11472.

Description of the vulnerability

Archive extraction tools (TAR, ZIP, etc.) will extract archives that are slightly malformed. Systems will also execute programs (ELF) that are slightly malformed. However, Symantec Antivirus does not detect viruses contained in these archives/programs.

A TAR archive containing "MSCF" as its first 4 bytes bypasses the detection. [severity:1/4; BID-52575, CVE-2012-1421]

A TAR archive containing "\50\4B\03\04" as its first 4 bytes bypasses the detection. [severity:1/4; BID-52580, CVE-2012-1425]

A RAR archive containing "MZ" as its first 2 bytes bypasses the detection. [severity:1/4; BID-52612, CVE-2012-1443]

An ELF program containing a large "encoding" field bypasses the detection. [severity:2/4; BID-52600, CVE-2012-1446]

A ZIP archive starting with TAR data bypasses the detection. [severity:1/4; BID-52608, CVE-2012-1456]

A TAR archive with a large size bypasses the detection. [severity:1/4; BID-52610, CVE-2012-1457]

A TAR archive with a header containing a large value bypasses the detection. [severity:1/4; BID-52623, CVE-2012-1459]

A TAR+GZ archive containing two streams bypasses the detection. [severity:1/4; BID-52626, CVE-2012-1461]

A ZIP archive starting with 1024 random bytes bypasses the detection. [severity:1/4; BID-52613, CVE-2012-1462]

An attacker can therefore create an archive containing a virus which is not detected by the antivirus, but which is extracted by extraction tools. The virus is then only detected once it has been extracted on the victim's computer. An attacker can also create a program containing a virus which is not detected by the antivirus, but which can still be run by the system.

computer vulnerability note CVE-2010-0110 CVE-2010-0111

Symantec AntiVirus: vulnerabilities of Intel Alert

Synthesis of the vulnerability

Several vulnerabilities of Intel Alert Management System can be used by a remote attacker, in order to create a denial of service or to execute code.
Impacted products: Symantec AV.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 27/01/2011.
Identifiers: BID-45935, BID-45936, CVE-2010-0110, CVE-2010-0111, FSC20100727-01, FSC20101213-06, SYM11-002, SYM11-003, VIGILANCE-VUL-10309, ZDI-11-028, ZDI-11-029, ZDI-11-030, ZDI-11-031, ZDI-11-032.

Description of the vulnerability

The Symantec Antivirus product, version 10 and earlier, installs the Intel Alert Management System (AMS2) service, which is disabled by default, and which listens on 38292/tcp. It is impacted by several vulnerabilities.

An attacker can send malicious messages to AMS2, in order to create buffer overflows, leading to code execution. [severity:3/4; BID-45936, CVE-2010-0110, FSC20100727-01, SYM11-002, ZDI-11-028]

An attacker can send malicious messages to AMS2, in order to start a program, to send emails, or to stop the service. [severity:2/4; BID-45935, CVE-2010-0111, FSC20101213-06, SYM11-003, ZDI-11-029, ZDI-11-030, ZDI-11-031, ZDI-11-032]

computer vulnerability announce CVE-2010-3268

Symantec AV: denial of service via Intel Alert Handler

Synthesis of the vulnerability

An attacker can send a malicious query to the Intel Alert Handler service, in order to stop it.
Impacted products: Symantec AV.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 14/12/2010.
Identifiers: BID-45368, CORE-2010-0728, CVE-2010-3268, VIGILANCE-VUL-10197.

Description of the vulnerability

The Symantec Antivirus product, version 10 and earlier, installs the Intel Alert Handler (hndlrsvc.exe) service, which is disabled by default.

The CommandLine parameter of AMS (Intel Alert Management System) queries is processed by the GetStringAMSHandler() function of prgxhndl.dll, which calls AMSGetPastParamList() of AMSLIB.dll. However, if the query is malformed, the AMSGetPastParamList() function tries to read from an invalid memory address, which stops the service.

An attacker can therefore send a malicious query to the Intel Alert Handler service, in order to stop it.

vulnerability alert 9791

Symantec Antivirus: command execution via AMS2

Synthesis of the vulnerability

An attacker can connect to the AMS2 service installed by Symantec products, in order to execute a command on the computer.
Impacted products: Symantec AV.
Severity: 3/4.
Consequences: administrator access/rights.
Provenance: intranet client.
Creation date: 27/07/2010.
Identifiers: BID-41959, foofus-20100726, VIGILANCE-VUL-9791.

Description of the vulnerability

The Intel Alert Handler service (hndlrsvc.exe) provides an alert handler. The AMS2 (Alert Management System) service is installed by Symantec, and uses the Intel Alert Handler service. The Symantec Antivirus and Symantec System Center products use the Msgsys component of AMS2.

The Msgsys component listens on ports 38292/tcp and 38037/udp. This component can receive MS-DOS commands, which are executed with SYSTEM privileges. However, no authentication is required.

An attacker can therefore connect to the AMS2 service installed by Symantec products, in order to execute a command on the computer.

vulnerability bulletin CVE-2010-5151 CVE-2010-5152 CVE-2010-5154

Antivirus: bypassing SSDT Hooking

Synthesis of the vulnerability

When an antivirus redirects the SSDT to detect viruses, a local attacker can use an atomicity error, in order to bypass this protection.
Impacted products: Avast AV, CA Antivirus, F-Secure AV, AVG AntiVirus, Kaspersky AV, VirusScan, Norton Antivirus, Norton Internet Security, Panda AV, Panda Internet Security, Symantec AV.
Severity: 2/4.
Consequences: administrator access/rights, data flow.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 13.
Creation date: 10/05/2010.
Revision date: 11/05/2010.
Identifiers: CVE-2010-5151, CVE-2010-5152, CVE-2010-5154, CVE-2010-5156, CVE-2010-5161, CVE-2010-5163, CVE-2010-5166, CVE-2010-5167, CVE-2010-5168, CVE-2010-5171, CVE-2010-5172, CVE-2010-5177, CVE-2010-5179, VIGILANCE-VUL-9633.

Description of the vulnerability

The SSDT table (System Service Descriptor Table) contains references to system calls:
 - NtCreateKey : create a key in registry
 - NtCreateThread : create a thread
 - NtDeleteFile : delete a file
 - etc.

Antiviruses redirect entries of this table to verification functions. Several implementations check the parameters, and then call the original system call. However, between these two operations, a local attacker can change the parameters of the system call. An attacker can therefore create a program that uses legitimate parameters, and then change them just before the system call is made.

When an antivirus redirects the SSDT to detect viruses, a local attacker can therefore use an atomicity error, in order to bypass this protection.

vulnerability announce CVE-2010-0106 CVE-2010-0107 CVE-2010-0108

Symantec AV, Norton AV: several vulnerabilities

Synthesis of the vulnerability

Three vulnerabilities of Symantec and Norton products can be used by an attacker to disable the antivirus or to execute code.
Impacted products: Norton Antivirus, Norton Internet Security, Symantec AV.
Severity: 2/4.
Consequences: user access/rights, data flow.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 18/02/2010.
Identifiers: BID-38127, BID-38129, BID-38222, CERTA-2010-AVI-087, CVE-2010-0106, CVE-2010-0107, CVE-2010-0108, DSECRG-09-039, SYM10-002, SYM10-003, SYM10-004, VIGILANCE-VUL-9462.

Description of the vulnerability

Three vulnerabilities were announced in Symantec and Norton products.

A local attacker can disable the Symantec AntiVirus on-demand scan. [severity:2/4; BID-38127, CERTA-2010-AVI-087, CVE-2010-0106, SYM10-002]

An attacker can generate a buffer overflow in the SYMLTCOM.DLL ActiveX of Norton AV/IS, in order to execute code when the victim browses a malicious web site. [severity:2/4; BID-38129, CVE-2010-0107, SYM10-003]

An attacker can generate a buffer overflow in Symantec Client Proxy (CLIproxy.dll). [severity:1/4; BID-38222, CVE-2010-0108, DSECRG-09-039, SYM10-004]

vulnerability bulletin CVE-2009-1348

F-Secure, McAfee, Symantec: bypassing via PDF

Synthesis of the vulnerability

An attacker can create a malicious PDF document which is not detected by F-Secure, McAfee and Symantec products.
Impacted products: F-Secure AV, GroupShield, McAfee Security for Email Servers, VirusScan, Norton Antivirus, Norton Internet Security, Symantec AV.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 28/10/2009.
Identifiers: BID-36848, BID-36876, CERTA-2009-AVI-172, CVE-2009-1348, FSC-2009-3, G-SEC 47-2009, G-SEC 48-2009, G-SEC 49-2009, SB10003, VIGILANCE-VUL-9133.

Description of the vulnerability

A PDF document can be specially constructed so that it is read by Adobe Reader, but not recognized by antivirus software. An attacker can create such a document, and thus bypass the products of three vendors.

A malicious PDF document is not detected by Symantec and Norton products. [severity:2/4; G-SEC 47-2009]

A malicious PDF document is not detected by F-Secure products. [severity:2/4; BID-36876, FSC-2009-3, G-SEC 48-2009]

A malicious PDF document is not detected by McAfee products. A malicious TAR archive is also not detected by McAfee products. [severity:2/4; BID-36848, CERTA-2009-AVI-172, CVE-2009-1348, G-SEC 49-2009, SB10003]

An attacker can therefore create a malicious PDF document which is not detected by F-Secure, McAfee and Symantec products.

vulnerability announce CVE-2009-3104

Symantec, Norton AV: denial of service

Synthesis of the vulnerability

An attacker can send a malicious email, in order to prevent the victim from reading his other emails.
Impacted products: Norton Antivirus, Norton Internet Security, Symantec AV.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: document.
Creation date: 28/08/2009.
Identifiers: BID-34670, CVE-2009-3104, SYM09-012, VIGILANCE-VUL-8982.

Description of the vulnerability

The Norton AntiVirus, Norton Internet Security, Symantec AntiVirus Corporate Edition and Symantec Client Security products use the Internet Email Scanning feature to scan emails when they are downloaded from the mail server.

However, a malicious email generates an infinite loop in the analysis engine, and interrupts the session with the mail server. The victim then cannot download his emails.

An attacker can therefore send a malicious email, in order to prevent the victim from reading his other emails.

computer vulnerability announce 8797

Symantec Antivirus: bypassing via RAR TAR ZIP

Synthesis of the vulnerability

An attacker can create a RAR/TAR/ZIP archive containing a virus which is not detected by Symantec.
Impacted products: Norton Antivirus, Norton Internet Security, Symantec AV.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Creation date: 15/06/2009.
Identifiers: BID-35354, SYM09-009, VIGILANCE-VUL-8797.

Description of the vulnerability

Symantec products detect viruses contained in RAR/TAR/ZIP archives.

However, an attacker can create a slightly malformed archive, which can still be opened by Unrar/Untar/Unzip tools, but which cannot be opened by the antivirus.

An attacker can therefore create a RAR/TAR/ZIP archive containing a virus which is not detected by Symantec products.