Symantec Products Intel Alert Handler Remote DoS

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(51190);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id("CVE-2010-3268");
  script_bugtraq_id(45368);
  script_xref(name:"Secunia", value:"42593");

  script_name(english:"Symantec Products Intel Alert Handler Remote DoS");
  script_summary(english:"Checks version number of Symantec Antivirus/SEP");

  script_set_attribute(attribute:"synopsis",
    value:
"The remote Windows host has a service that is affected by a denial of
service vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Intel Alert Handler Service (hndlrsvc.exe) included with Alert
Management System 2 (AMS2), an optional component included with either
Symantec Antivirus Corporate Edition or Symantec Endpoint Protection
version prior to 11.x, is installed on the remote host.  The installed 
service reportedly fails to correctly handle 'CommandLine' field in an 
AMS request, and could be exploited by a remote attacker to crash the 
affected service.");

   # https://www.secureauth.com/labs/advisories/symantec-intel-handler-service-remote-dos
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?3ccc88b8");
  script_set_attribute(attribute:"see_also",value:"https://seclists.org/fulldisclosure/2010/Dec/261");
  script_set_attribute(attribute:"solution",value:
"Either upgrade to version 11.x since it does not use Intel AMS code
or disable Intel AMS.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"vuln_publication_date",value:"2010/12/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/12/13");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:symantec:endpoint_protection");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:intel:intel_alert_management_system");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2010-2020 Tenable Network Security, Inc.");

  script_dependencies("savce_installed.nasl", "smb_enum_services.nasl");
  script_require_keys("Antivirus/SAVCE/version", "SMB/svc/Intel Alert Handler");
  script_require_ports(139, 445);

  exit(0);
}

include("smb_func.inc");

version = get_kb_item_or_exit("Antivirus/SAVCE/version");

status = get_kb_item_or_exit("SMB/svc/Intel Alert Handler");
if (status != SERVICE_ACTIVE && report_paranoia < 2 )
    exit(0, "The Intel Alert Handler service is installed but not active.");

if (ver_compare(ver:version, fix:'11.0',strict:FALSE) == -1)
{
 if (report_verbosity > 0)
 {
   report =
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 11.x\n';
   security_warning(port:get_kb_item("SMB/transport"),extra:report);
 }
 else security_warning(get_kb_item("SMB/transport"));
 exit(0);
}
else exit(0,"Version "+ version + " is installed, and is not known to be affected.");