Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
TitleSymantec and Norton Security Products Contain Critical Vulnerabilities
Informations
NameTA16-187AFirst vendor Publication2016-07-05
VendorUS-CERTLast vendor Modification2016-07-05
Severity (Vendor) N/ARevisionN/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score10Attack RangeNetwork
Cvss Impact Score10Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Symantec and Norton branded antivirus products contain multiple vulnerabilities. Some of these products are in widespread use throughout government and industry. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system.

Description

The vulnerabilities are listed below:

CVE-2016-2207

*

Symantec Antivirus multiple remote memory corruption unpacking RAR [1 [ https://bugs.chromium.org/p/project-zero/issues/detail?id=810 ]]

CVE-2016-2208

* Symantec antivirus products use common unpackers to extract malware binaries when scanning a system. A heap overflow vulnerability in the ASPack unpacker could allow an unauthenticated remote attacker to gain root privileges on Linux or OSX platforms. The vulnerability can be triggered remotely using a malicious file (via email or link) with no user interaction. [2 [ http://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html ]]

CVE-2016-2209┬

* Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow [3 [ https://bugs.chromium.org/p/project-zero/issues/detail?id=823 ]]

CVE-2016-2210

* Symantec: Remote Stack Buffer Overflow in dec2lha library [4 [ https://bugs.chromium.org/p/project-zero/issues/detail?id=814 ]]┬ ┬ ┬ ┬ ┬ ┬ ┬ ┬ ┬

CVE-2016-2211

* Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives [5 [ https://bugs.chromium.org/p/project-zero/issues/detail?id=816 ]]

CVE-2016-3644

* Symantec: Heap overflow modifying MIME messages [6 [ https://bugs.chromium.org/p/project-zero/issues/detail?id=818 ]]┬ ┬ ┬ ┬ ┬ ┬

CVE-2016-3645

* Symantec: Integer Overflow in TNEF decoder [7 [ https://bugs.chromium.org/p/project-zero/issues/detail?id=819 ]]┬ ┬ ┬ ┬ ┬ ┬ ┬

CVE-2016 -3646

* Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink [8 [ https://bugs.chromium.org/p/project-zero/issues/detail?id=821 ]]

Impact

The large number of products affected (24 products), across multiple platforms (OSX, Windows, and Linux), and the severity of these vulnerabilities (remote code execution at root or SYSTEM privilege) make this a very serious event. A remote, unauthenticated attacker may be able to run arbitrary code at root or SYSTEM privileges by taking advantage of these vulnerabilities. Some of the vulnerabilities require no user interaction and are network-aware, which could result in a wormable-event.

Solution

Symantec has provided patches or hotfixes to these vulnerabilities in their SYM16-008 [9 [ https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2016&suid=20160516_00 ]] and SYM16-010 [10 [ https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00 ]] security advisories.

US-CERT encourages users and network administrators to patch Symantec or Norton antivirus products immediately. While there has been no evidence of exploitation, the ease of attack, widespread nature of the products, and severity of the exploit may make this vulnerability a popular target.

Original Source

Url : http://www.us-cert.gov/ncas/alerts/TA16-187A

CWE : Common Weakness Enumeration

%idName
43 %CWE-119Failure to Constrain Operations within the Bounds of a Memory Buffer
29 %CWE-20Improper Input Validation
14 %CWE-399Resource Management Errors
14 %CWE-189Numeric Errors (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Application2
Application1
Application1
Application6
Application45
Application3
Application11
Application1
Application2
Application1
Application1
Application1
Application1
Application1
Application1
Application3
Application1
Application7
Application9

Snort® IPS/IDS

DateDescription
2016-08-02Symantec TNEF decoder integer overflow attempt
RuleID : 39432 - Revision : 2 - Type : FILE-OTHER
2016-08-02Symantec TNEF decoder integer overflow attempt
RuleID : 39431 - Revision : 2 - Type : FILE-OTHER
2016-08-02Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt
RuleID : 39428 - Revision : 2 - Type : FILE-OFFICE
2016-08-02Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt
RuleID : 39427 - Revision : 2 - Type : FILE-OFFICE
2016-08-02Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt
RuleID : 39426 - Revision : 2 - Type : FILE-OFFICE
2016-08-02Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt
RuleID : 39425 - Revision : 2 - Type : FILE-OFFICE
2016-08-02Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt
RuleID : 39424 - Revision : 2 - Type : FILE-OFFICE
2016-08-02Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt
RuleID : 39423 - Revision : 2 - Type : FILE-OFFICE
2016-08-02Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt
RuleID : 39422 - Revision : 2 - Type : FILE-OFFICE
2016-08-02Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt
RuleID : 39421 - Revision : 2 - Type : FILE-OFFICE
2016-08-02Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt
RuleID : 39420 - Revision : 2 - Type : FILE-OFFICE
2016-08-02Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt
RuleID : 39419 - Revision : 2 - Type : FILE-OFFICE
2016-08-02Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt
RuleID : 39418 - Revision : 2 - Type : FILE-OFFICE
2016-08-02Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt
RuleID : 39417 - Revision : 2 - Type : FILE-OFFICE
2016-08-02Symantec Decomposer Engine Dec2LHA buffer overflow attempt
RuleID : 39401 - Revision : 2 - Type : SERVER-WEBAPP
2016-08-02Symantec Decomposer Engine Dec2LHA buffer overflow attempt
RuleID : 39400 - Revision : 2 - Type : SERVER-WEBAPP
2016-08-02Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
RuleID : 39386 - Revision : 2 - Type : FILE-OTHER
2016-08-02Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
RuleID : 39385 - Revision : 2 - Type : FILE-OTHER
2016-08-02Symantec MIME parser updateheader heap buffer overflow attempt
RuleID : 39380 - Revision : 6 - Type : SERVER-OTHER
2016-06-30Norton Antivirus ASPack heap corruption attempt
RuleID : 39379 - Revision : 2 - Type : FILE-EXECUTABLE

Nessus® Vulnerability Scanner

DateDescription
2016-09-09Name : A security application installed on the remote host is affected by multiple v...
File : symantec_protection_sharepoint_servers_sym16_010.nasl - Type : ACT_GATHER_INFO
2016-09-07Name : A security application installed on the remote host is affected by multiple v...
File : symantec_protection_engine_sym16_010.nasl - Type : ACT_GATHER_INFO
2016-09-07Name : A security application installed on the remote host is affected by multiple v...
File : symantec_protection_engine_sym16_010_nix.nasl - Type : ACT_GATHER_INFO
2016-07-12Name : A web security application hosted on the remote web server is affected by mul...
File : symantec_web_gateway_sym16-010.nasl - Type : ACT_GATHER_INFO
2016-07-01Name : The remote Windows host has software installed that is affected by multiple v...
File : symantec_sms_sym_16-010.nasl - Type : ACT_GATHER_INFO
2016-06-30Name : The version of Symantec Endpoint Protection Client installed on the remote ho...
File : symantec_endpoint_prot_client_sym16-010.nasl - Type : ACT_GATHER_INFO
2016-06-30Name : A messaging security application running on the remote host is affected by mu...
File : symantec_messaging_gateway_sym16-010.nasl - Type : ACT_GATHER_INFO
2016-05-19Name : An antivirus application installed on the remote host is affected by a remote...
File : symantec_sym_16_008.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
DateInformations
2016-07-07 05:30:16
  • Multiple Updates
2016-07-05 21:23:14
  • First insertion