=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2006/VULN285
_____________________________________________________________________

DATE                      : 29/05/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Symantec Client Security,
                                 Symantec Antivirus Corporate Edition.

======================================================================

SYM06-010
May 25, 2006
Symantec Client Security and Symantec AntiVirus Elevation of Privilege

Revision History
May 26, 2006    - Updated Products Affected section and other details
May 27, 2006    - Updated Products Affected section with update info
                 - Updated Unaffected Products section

Impact
High

Remote                     Yes
Local                      Yes
Authentication Required    No
Exploit publicly available No

Overview
A stack overflow in Symantec Client Security and Symantec AntiVirus
Corporate Edition could potentially allow a remote or local attacker to
execute code on the affected machine.

Products Affected

Product                               Version    Build    Solution
Symantec Client Security              3.1    3.1.0.394    3.1.0.396
                                       3.1    3.1.0.400    3.1.0.401
                                       3.0    3.0.2.2010   3.0.2.2011
                                       3.0    3.0.2.2020   3.0.2.2021
Symantec Antivirus Corporate Edition  10.1    10.1.0.394  3.1.0.396
                                       10.1    10.1.0.400  10.1.0.401
                                       10.0    10.0.2.2010 10.0.2.2011
                                       10.0    10.0.2.2020 10.0.2.2021

http://www.symantec.com/techsupp/enterprise/select_product_updates.html

Note: All builds listed above are English versions only. Localized builds
are pending.

Unaffected Products

Product                               Version
Norton Product line                   No products in the Norton product line are 
affected
Symantec AntiVirus Corporate Edition  8.0, 8.1, 9.0 all builds
Symantec Client Security              1.0, 1.1, 2.0, all builds

Details

Symantec was notified that Symantec Client Security and Symantec AntiVirus
Corporate Edition are susceptible to a potential stack overflow. Exploiting
this overflow successfully could potentially cause a system crash, or
allow a remote or local attacker to execute arbitrary code with System
level rights on the affected system.

Symantec Response
This advisory will be updated when product updates to address this issue
are available.

Upgrade Information
Available updates for English language versions are listed in the table
above. Localized builds for other languages are pending.

Mitigation
Symantec Security Response has released IPS signatures to detect attempts
to exploit this issue.

Symantec Network Security Appliance 7100 signatures, SU 46, are available
via LiveUpdate.

Symantec Gateway Security 3.0 signatures, SU 19, are available via
LiveUpdate.

Symantec Client Security 2.0 and 3.0 signatures, SU 22, are available
for update via LiveUpdate.

Symantec recommends customers immediately apply the latest Security
Update to protect against potential related attacks.

To help reduce the risks associated with this vulnerability Symantec
recommends the following best practices:

     * Restrict access to administration or management systems to privileged
       users only, with additional restricted access to the physical host
       system(s) if possible.
     * Keep all operating systems and applications updated with the latest
       vendor patches.
     * Follow a multi-layered approach to security. Run both firewall and
       antivirus applications, at a minimum to provide multiple points of
       detection and protection to both inbound and outbound threats.
     * Be cautious visiting unknown or untrusted websites or following
       unknown URL links.
     * Do not open attachments or executables from unknown sources or
       that you didn't request or were unaware of. Always err on the side
       of caution. Even if the sender is known, the source address may be spoofed.

Note
Symantec is not aware of any customers impacted by this vulnerability,
or of any exploits of this vulnerability.

CVE
This issue is a candidate for inclusion in the Common Vulnerabilities
and Exposures (CVE) list (http://cve.mitre.org), which standardizes names
for security problems. A CVE identifier will be requested for this issue.

Credit
Symantec would like to thank eEye Digital Security (http://www.eeye.com)
for reporting this issue, and working with us on the resolution.

Symantec takes the security and proper functionality of its products
very seriously. As founding members of the Organization for Internet
Safety (OISafety), Symantec follows the principles of responsible
disclosure. Symantec also subscribes to the vulnerability guidelines
outlined by the National Infrastructure Advisory Council (NIAC). Please
contact secure@symantec.com if you feel you have discovered a potential
or actual security issue with a Symantec product. A Symantec Product
Security team member will contact you regarding your submission.

Symantec has developed a Product Vulnerability Handling Process document
outlining the process we follow in addressing suspected vulnerabilities
in our products. We support responsible disclosure of all vulnerability
information in a timely manner to protect Symantec customers and the
security of the Internet as a result of vulnerability. This document is
available from the location provided below.

Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure@symantec.com. The Symantec Product
Security PGP key can be obtained from the location provided below.

Copyright (c) 2006 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long
as it is not edited in any way unless authorized by Symantec Security
Response. Reprinting the whole or part of this alert in any medium other
than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity
are registered trademarks of Symantec Corp. and/or affiliated companies
in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole property
of their respective companies/owners.

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================