=====================================================================
CERT-Renater Information Note No. 2005/VULN781
_____________________________________________________________________

DATE                 : 23/12/2005
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Most Symantec and Norton antivirus products
======================================================================

SYM05-027
December 21, 2005

Symantec AntiVirus Decomposition Buffer Overflow

Revision History           : None
Risk Impact                : High
Remote Access              : Yes
Local Access               : No
Authentication Required    : No
Exploit publicly available : No

Overview

Symantec has become aware of a buffer overflow in the AntiVirus
component used to decompose RAR (Roshal Archive) files, via a public
posting by Alex Wheeler. A specially crafted RAR file could trigger
this buffer overflow and execute hostile content carried in the RAR
file. Because the archive is decomposed as part of scanning, the flaw
is reachable wherever a vulnerable product inspects RAR content (for
example an attachment arriving at a mail or web gateway), without any
authentication; this is what the "Remote Access: Yes" and
"Authentication Required: No" fields above express.

Vulnerable Products
(vulnerable builds/Maintenance Releases (MR) where indicated)

Enterprise Products

  Product                                                   Version
  --------------------------------------------------------  --------------------
  Norton AntiVirus for Microsoft Exchange                   2.18
  Symantec Mail Security for Microsoft Exchange             4.0; 4.5; 4.6.3; 5.0
  Symantec AntiVirus/Filtering for Domino NT                3.1
  Symantec Mail Security for Domino NT                      4.0; 4.1.4; 5.0
  Symantec AntiVirus/Filtering for Domino
    (AIX, Linux, Solaris)                                   3.0.11
  Symantec Scan Engine                                      5.0
  Symantec AntiVirus Scan Engine                            4.1.8; 4.3.12
  Symantec AntiVirus for MS ISA                             4.3.12
  Symantec AntiVirus for MS Sharepoint                      4.3.12
  Symantec AntiVirus for Messaging                          4.3.12
  Symantec AntiVirus for NAS                                4.3.12
  Symantec AntiVirus Scan Engine for NetApp Filer           4.0; 4.3
  Symantec AntiVirus Scan Engine for NetApp NetCache        4.0; 4.3
  Symantec AntiVirus Scan Engine for Bluecoat               4.0; 4.3
  Symantec AntiVirus for Clearswift                         4.3.12
  Symantec AntiVirus Scan Engine for Caching                4.3.12
  Symantec AntiVirus for SMTP                               3.1; 4.1.9
  Symantec Client Security                                  3.X
  Symantec Web Security                                     3.0.1
  Symantec Gateway Security 5000 Series                     3.0
  Symantec Gateway Security 5400 Series                     2.0
  Symantec Gateway Security                                 1.0
  Symantec Norton AntiVirus for Macintosh Corporate Edition 9.0
  Symantec BrightMail AntiSpam                              4.0; 5.5; 6.0
  Symantec AntiVirus Corporate Edition                      10.X
  Symantec AntiVirus for HandHelds - Corporate Edition
  Symantec Client Security for Nokia
  Symantec AntiVirus for Macintosh                          10.X

Consumer Products

  Product                                                   Version
  --------------------------------------------------------  --------------------
  Norton AntiVirus                                          2006; 2005; 2004
  Norton Internet Security Professional                     2006; 2005; 2004
  Norton SystemWorks                                        2006; 2005; 2004
  Norton Personal Firewall                                  2006; 2005; 2004
  Norton AntiVirus for Macintosh                            10.X
  Norton AntiVirus for Macintosh                            9.X
  Norton Internet Security for Macintosh                    3.X
  Norton SystemWorks for Macintosh                          3.X
  Symantec AntiVirus for Handhelds                          All

Products Not Affected

  Product                                                   Version
  --------------------------------------------------------  --------------------
  Symantec AntiVirus Corporate Edition                      9.X - all versions;
                                                            8.X - all versions
  Symantec Client Security                                  2.X; 1.X
  Symantec Enterprise Firewall                              8.0
  Symantec Clientless VPN Gateway 4400 Series               5.0
  Symantec Firewall / VPN Appliance 100/200
  Symantec Gateway Security 300/400 Series                  2.0
  Norton AntiVirus for Macintosh                            7.X
  Norton AntiVirus for Macintosh                            8.X
  Norton Internet Security for Macintosh                    2.X

Note:
1. As Symantec continues to investigate this issue, the list of
   affected products may be updated.
2. As more information and product updates become available, this
   advisory will be updated to include a link to applicable downloads.
3. Only currently supported Symantec products will be updated.
   Customers using unsupported versions are encouraged to upgrade to
   a supported version.

Symantec Response

Symantec is currently working to create and distribute product updates
for all affected products. To date, Symantec has not had any reports
of exploits of this vulnerability.

Mitigations

Symantec Security Response posted an antivirus-based protection
signature to LiveUpdate on December 20, 2005, providing a heuristic
detection for potential exploits of the Symantec decomposer RAR
archive vulnerability. Note that this signature is a detection for
exploit attempts, not a fix for the vulnerable code; the product
updates above are still required.
This signature is available through LiveUpdate to all desktop, server
and gateway versions of Symantec's security products and appliance
solutions that contain the decomposer RAR archive component. Symantec
strongly recommends that customers immediately ensure their products
are up to date to protect against possible threats.

Customers may also mitigate the risk to the antivirus component by
disabling scanning of RAR compressed files until the vulnerable code
is fixed. However, disabling RAR scanning means RAR files containing
viruses will pass through the security gateway unscanned, so this is a
trade-off to be made consciously and reversed once the fixed build is
installed.

Instructions to disable scanning of RAR compressed files:

Symantec Gateway Security 5000 Series v3.0:
1. Connect to the Symantec Gateway Security 5000 Series v3.0 SGMI.
2. In the left panel select Antivirus.
3. In the right panel, under Configuration, under File Scanning,
   click ADD.
4. Enter ".rar" (without quotes).
5. Repeat for each of the 4 services: SMTP, POP3, HTTP, FTP.
6. Apply and Activate changes.

In addition, customers can filter RAR files arriving by email via
SMTP and POP3 under the "Mail Attachment Restrictions" tab: add *.rar
to the Files list and select whether to remove the attachment
(default) or block the entire message. Apply and Activate changes.

Symantec Gateway Security 5400 Series v2.0.1:
1. Connect to the Symantec Gateway Security 5400 Series v2.0.1.
2. Go to Location Settings -> Advanced -> Proxies.
3. Highlight a proxy (such as HTTP) and click Properties.
4. Select the Antivirus Scanning tab.
5. Scroll to the bottom to the Exclude List.
6. Enter ".rar" (without quotes) in the File field and click Add.
7. Repeat for all three services: SMTP, HTTP, FTP.
8. Apply and Activate changes.

In addition, customers can filter RAR files arriving by email via SMTP
under Policy -> Antivirus -> Mail Options -> Attachment names tab:
enter *.rar for the file name, select whether to remove the attachment
or block the entire message, then click Add. Apply and Activate
changes.
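The attachment-name rules above (*.rar in the attachment list) match
on the declared filename only, so a RAR archive delivered under another
name is not caught by them, while the decomposer identifies archives by
their content. The following is an added example, not part of the
Symantec advisory and not code from any Symantec product: it shows how
a gateway-side filter can instead recognise RAR attachments by the
archive's marker block (the "Rar!" signature at offset 0, a public
format fact; the RAR 5.x form postdates this advisory). The hook that
hands the raw message bytes to the filter is assumed, and the sample
message and attachments are constructed inline for the demonstration.

```python
"""Identify RAR attachments by content signature, not just filename.

Added example for this advisory; it is not Symantec code. The
integration point (a gateway hook that receives each message as raw
bytes) is assumed, and the message built in build_sample_message() is
constructed for the demonstration.
"""
import email
from email.message import EmailMessage

# RAR marker blocks found at offset 0 of an archive (public format
# facts). The second form is RAR 5.x, which postdates the 2005
# advisory but which a filter written today should recognise as well.
RAR_SIGNATURES = (
    b"Rar!\x1a\x07\x00",      # RAR 1.5 - 4.x
    b"Rar!\x1a\x07\x01\x00",  # RAR 5.x
)


def is_rar(data: bytes) -> bool:
    """True if the payload begins with a RAR archive marker block."""
    return any(data.startswith(sig) for sig in RAR_SIGNATURES)


def rar_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for each attachment that is a RAR archive.

    'extension' means the declared name ends in .rar, which is what a
    *.rar attachment-name rule catches; 'content' means the bytes carry
    a RAR marker under some other name, which a name-based rule lets
    through but a content check still flags.
    """
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container part, not an attachment
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""  # undo base64/QP
        if name.lower().endswith(".rar"):
            hits.append((name, "extension"))
        elif is_rar(payload):
            hits.append((name, "content"))
    return hits


def build_sample_message() -> bytes:
    """Constructed sample: one honestly named RAR attachment, one RAR
    renamed to .txt, and one genuine text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "quarterly report"
    msg.set_content("See attached.")
    # Marker block followed by padding: enough to exercise the check,
    # not a valid archive beyond the signature.
    rar_bytes = RAR_SIGNATURES[0] + b"\x00" * 32
    msg.add_attachment(rar_bytes, maintype="application",
                       subtype="octet-stream", filename="archive.rar")
    msg.add_attachment(rar_bytes, maintype="application",
                       subtype="octet-stream", filename="invoice.txt")
    msg.add_attachment("Plain notes, nothing to see.\n",
                       filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in rar_attachments(build_sample_message()):
        print(f"{name}: RAR archive detected by {reason}")
```

Run stand-alone, the script reports archive.rar (caught by name) and
invoice.txt (caught only by content). A filter of this kind is a
stop-gap that keeps RAR content away from the vulnerable decomposer at
the mail boundary; it does not replace the product update, and it does
not cover RAR data reaching the scanner by other paths such as HTTP or
FTP downloads.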
Symantec Gateway Security 1.0:
1. Connect to the Symantec Gateway Security 1.0 via the SRMC.
2. Select Access Controls -> Proxy Services.
3. Select a proxy (such as HTTP) and double-click for the properties.
4. Under the Antivirus Scanning tab, add .rar to the exclude list.
5. Repeat for all three services: SMTP, HTTP, FTP.
6. Save and reconfigure.

To disable compression scanning in Auto-Protect for Norton AntiVirus
for Macintosh 9 and 10 (the preference pane lives in Mac OS X System
Preferences):
1. Open the System Preferences.
2. Select the Norton Auto-Protect preference pane.
3. Set 'Scan Compressed Files' to 'Off'.
4. Close the System Preferences.

This stops Auto-Protect from invoking the Decomposer Engine when it
scans files; as with the gateway settings above, compressed files are
then not inspected until scanning is re-enabled.

CVE

The Common Vulnerabilities and Exposures (CVE) initiative has assigned
CVE-2005-4438 to this issue.

Symantec takes the security and proper functionality of its products
very seriously. As founding members of the Organization for Internet
Safety (OISafety), Symantec follows the principles of responsible
disclosure. Symantec also subscribes to the vulnerability guidelines
outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a
potential or actual security issue with a Symantec product. A Symantec
Product Security team member will contact you regarding your
submission.

Symantec has developed a Product Vulnerability Handling Process
document outlining the process followed in addressing suspected
vulnerabilities in its products. Symantec supports responsible
disclosure of all vulnerability information in a timely manner to
protect Symantec customers and the security of the Internet. This
document is available from the location provided below.

Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure@symantec.com. The Symantec Product
Security PGP key can be obtained from the location provided below.
Symantec Product Vulnerability Response
Symantec Vulnerability Response Policy
Symantec Product Vulnerability Management PGP Key

Copyright (c) 2005 by Symantec Corp.
Permission to redistribute this alert electronically is granted as
long as it is not edited in any way unless authorized by Symantec
Security Response. Reprinting the whole or part of this alert in any
medium other than electronically requires permission from
secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and
SymSecurity are registered trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All
other registered and unregistered trademarks represented in this
document are the sole property of their respective companies/owners.

Initial Post on: Wednesday, 21-Dec-05 22:00:00
Last modified on: Thursday, 22-Dec-05 16:38:11

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER           | tel  : 01-53-94-20-44 +
+ 151 bd de l'Hopital    | fax  : 01-53-94-20-41 +
+ 75013 Paris            | email: certsvp@renater.fr +
=========================================================