=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2007/VULN301
_____________________________________________________________________

DATE                      : 17/07/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Symantec AntiVirus.

======================================================================
http://www.symantec.com/avcenter/security/Content/2007.07.11f.html
______________________________________________________________________

SYM07-019
July 11, 2007
Symantec AntiVirus Malformed RAR and CAB Compression Type Bypass

Revision History
Removed invalid CVE information
Added missing product information

Risk Impact
High

Remote Access              Yes
Local Access               No
Authentication Required    No
Exploit publicly available No

Overview
Two vulnerabilities have been identified in the Symantec Decomposer
component used to decompose some types of archive content while
scanning for malicious content.

Affected Enterprise Products

Product				Version			Builds		Update To
Symantec Mail Security		8200			All		5.0.0.24
Symantec Mail Security for
Microsoft Exchange 		4.6.3 and earlier	All		4.6.8.120
				5.0.0.204		All		5.0.6.368
				6.0.0			All		6.0.0.1 or later
Symantec Mail Security for
Domino NT			4.1.4 and earlier	All		4.1.9.37
				5.0.0.47 		All 		5.1.4.32
Symantec AntiVirus/
Filtering for Domino
MPE(AIX, Linux, Solaris)	3.0.12 and earlier	All		3.2.2.27 /-
Symantec Scan Engine 		5.0.1 and earlier 	All 		5.1.4.24
Symantec AntiVirus Scan
Engine 				4.1.8 and earlier 	All 		4.3.18.43
				4.3.12 and earlier 	All 		4.3.17 or later
Symantec AntiVirus Scan
Engine for MS ISA 		4.3.12 and earlier 	All   		4.3.17 or later
Symantec AntiVirus Scan
Engine for MS Sharepoint 	4.3.12 and earlier	All 		4.3.17 or later
Symantec AntiVirus Scan
Engine for Messaging 		4.3.12 and earlier 	All		4.3.17 or later
Symantec AntiVirus for
Network Attached Storage 	4.3.12 and earlier 	All		4.3.17 or later
Symantec AntiVirus Scan
Engine for Clearswift 		4.3.12 and earlier 	All		4.3.17 or later
Symantec AntiVirus Scan
Engine for Caching 		4.3.12 and earlier 	All		4.3.17 or later
Symantec Client Security	3.0 			All 		Update to SCS 3.1
				3.X 			All 		SCS 3.1 MR6 (build 3.1.6.6000)
				2.X 			All 		SCS 2.0 MR6-MP1
									(build 2.0.6.1100)/-/-
Symantec Web Security 		3.0.1.76 and earlier 	All 		3.0.1.85
Symantec Gateway Security
5000 Series 			3.0.1 			All 		Update F or later
Symantec Gateway Security 	
5400 Series 			2.0.1 			All		Upgrade to 3.0.1
Symantec Brightmail
AntiSpam 			6.0.x 			All 		6.05
				5.5 			All		6.05
				4.x 			All		6.05
Symantec AntiVirus
Corporate Edition 		10.1 			SAV 10.1.5.5000 SAV 10.1 MR6
							and earlier	(build 10.1.6.6000)/-/-
				10.0 			All 		Upgrade to SAV 10.1 MR6
									(build 10.1.6.6000)/-/-
				9.0 			SAV 9.0.6.1000 	SAV 9.0 MR6-MP1
							and earlier 	(build 9.0.6.1100)
Symantec AntiVirus
Corperate Edition
for Linux
Symantec AntiVirus for
Macintosh 			10.X 			All 		Update to any definition after 10/1/2006
Symantec Web Security for
Microsoft ISA 2004 		5.0 			All 		5.0.3
Symantec Mail Security
for SMTP 			5.0.0 Solaris 		All 		Patch 175
				5.0.0 Linux 		All 		Patch 175
				5.0.0 Windows 		All 		Patch 176
				5.0.1 			All 		Patch 181

/- Symantec AntiVirus/Filtering for Domino MPE is no longer supported.
Customers are encouraged to upgrade to Symantec Mail Security for
Domino MPE

/-/- Customers using the SAV CE Linux client should upgrade to version
1.0.2-75. This build is available by downloading the latest SAV CE
10.X or SCS 3.X build from FileConnect."

Affected Consumer Products

Product				Version 		Builds 	Update To

Norton AntiVirus 		2006 			All 	Run LiveUpdate

in Interactive Mode
				2005 			All 	Run LiveUpdate in Interactive Mode
				2004 			All 	Run LiveUpdate in Interactive Mode


Norton Internet Security 	2006 			All 	Run LiveUpdate

in Interactive Mode
				2005.5 AntiSpyware
				Edition 		All 	Run LiveUpdate in Interactive Mode
				2005 			All 	Run LiveUpdate in Interactive Mode
				2004 			All 	Run LiveUpdate in Interactive Mode


Norton SystemWorks 		2006 			All 	Run LiveUpdate

in Interactive Mode
				2005 			All 	Run LiveUpdate in Interactive Mode
				2004 			All 	Run LiveUpdate in Interactive Mode


Norton Personal Firewall 	2006 			All 	Run LiveUpdate

in Interactive Mode

Norton AntiVirus for
Macintosh 			10.X 			All 	Update to any

definition after 10/1/2006
				9.X 			All


Norton Internet Security
for Macintosh 			3.X 			All 	Update to any

definition after 10/1/2006


Norton SystemWorks for
Macintosh 			3.X 			All 	Update to any definition after 10/1/2006


Products Not Affected:

Product                                              Version Builds
Symantec AntiVirus for HandHelds - Corporate Edition   All    All
Symantec AntiVirus for Handhelds                       All    All
Symantec Client Security for Nokia                     All    All
Symantec Enterprise Firewall                           8.0    All
Symantec Clientless VPN Gateway 4400 Series            5.0    All
Symantec Firewall / VPN Appliance                    100/200  All
Symantec Gateway Security 300/400 Series               2.0    All
Norton AntiVirus for Macintosh                         7.X    All
Norton AntiVirus for Macintosh                         8.X    All
Norton Internet Security for Macintosh                 2.X    All
Norton SystemWorks for Macintosh                       2.X    All
Norton360                                              All    All
Symantec AntiVirus Corporate Edition                  10.2    All
Norton AntiVirus                                      2007    All
Norton Internet Security                              2007    All
Norton System works                                   2007    All

Details
The first vulnerability is related to the decomposition of RAR files.
Modifying the RAR file header in a specific way, causes the decomposer
to enter an infinite loop causing a Denial of Service.

The second vulnerability is related to the decomposition of CAB files.
The Symantec Decomposer fails to perform proper bounds checks when
copying from the CAB archive. This may result in the possibility of
arbitary code execution on the vulnerable system.

NOTE:
  1. Only currently supported Symantec Products will be updated.
     Customers using unsupported versions are encouraged to upgrade to
     a supported version.

Symantec response
Symantec engineers have verified and corrected these issues in all
currently supported products. Updates are available for supported
products. Symantec recommends customers apply the latest product
update available for their supported product versions to enhance their
security posture and protect against potential security threats of
this nature.
Product updates will be available from the Symantec support site:
http://www.symantec.com/techsupp/ or via LiveUpdate when
available.
Symantec Norton product users who regularly launch and run LiveUpdate
should already have received an updated (non-vulnerable) version of
(product/component). However, to ensure all available updates have
been applied, users can manually launch and run LiveUpdate in
Interactive mode as follows:
   * Open any installed Norton product
   * Click on LiveUpdate in the GUI

To perform a manual update using Symantec LiveUpdate, users should:
   * Open any installed Symantec product
   * Click on LiveUpdate in the toolbar
   * Run LiveUpdate until all available Symantec product updates are
     downloaded and installed

To date, Symantec is not aware of any exploits for these issues.

Best Practices
As part of normal best practices, Symantec strongly recommends:
   * Restrict access to administration or management systems to
     privileged users.
   * Restrict remote access, if required, to trusted/authorized systems
     only.
   * Run under the principle of least privilege where possible to limit
     the impact of exploit by threats such as this.
   * Keep all operating systems and applications updated with the
     latest vendor patches.
   * Follow a multi-layered approach to security. Run both firewall and
     antivirus applications, at a minimum, to provide multiple points
     of detection and protection to both inbound and outbound threats.
   * Deploy network intrusion detection systems to monitor network
     traffic for signs of anomalous or suspicious activity. This may
     aid in detection of attacks or malicious activity related to
     exploitation of latent vulnerabilities

Credit
Symantec would like to thank 3COM, and the Zero Day Initiative for
reporting these issues and providing full coordination while Symantec
resolved them.
      ___________________________________________________________

Symantec takes the security and proper functionality of its products
very seriously. As founding members of the Organization for Internet
Safety (OISafety), Symantec follows the principles of responsible
disclosure. Symantec also subscribes to the vulnerability guidelines
outlined by the National Infrastructure Advisory Council (NIAC).
Please contact secure@symantec.com if you feel you have discovered
a potential or actual security issue with a Symantec product. A
Symantec Product Security team member will contact you regarding your
submission.

Symantec has developed a Product Vulnerability Handling Process
document outlining the process we follow in addressing suspected
vulnerabilities in our products. We support responsible disclosure of
all vulnerability information in a timely manner to protect Symantec
customers and the security of the Internet as a result of
vulnerability. This document is available from the location provided
below.

Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure@symantec.com. The Symantec
Product Security PGP key can be obtained from the location provided
below.
Symantec-Product-Vulnerability-Response Symantec Vulnerability
Response Policy Symantec Product Vulnerability Management PGP Key
Symantec Product Vulnerability Management PGP Key
   _________________________________________________________________

Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted as
long as it is not edited in any way unless authorized by Symantec
Security Response. Reprinting the whole or part of this alert in any
medium other than electronically requires permission from
secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and
secure@symantec.com are registered trademarks of Symantec Corp.
and/or affiliated companies in the United States and other countries.
All other registered and unregistered trademarks represented in this
document are the sole property of their respective companies/owners.
Initial Post on: Wednesday, 11-Jul-07 7:00:00
Last modified on: Thursday, 12-Jul-07 12:45:49

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================