## Symantec Alert Management System Intel File Transfer service command execution

SAINT exploit bulletin SAINT:6409C2EAAB24D78B2AF926E74B1F108C. Reporter: SAINT Corporation. Published 2009-05-06. CVSS 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C).
Source: https://my.saintcorporation.com/cgi-bin/exploit_info/symantec_ams_intel_file_transfer

Added: 05/06/2009
CVE: [CVE-2009-1431](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1431)
BID: [34675](http://www.securityfocus.com/bid/34675)
OSVDB: [54160](http://www.osvdb.org/54160)

### Background

The Symantec Alert Management System 2 (AMS2) is used by multiple Symantec products. The Intel File Transfer service is a component of AMS2 that supports communication between the core server and managed clients. It listens on port 12174/TCP.

### Problem

Due to a design flaw, the Intel File Transfer service can be used to execute arbitrary commands without authentication.

### Resolution

Apply one of the solutions shown in [SYM09-007](http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_02).

### References

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=786>

### Limitations

The exploit works on Symantec Alert Management System Intel File Transfer Service 6.12.0.130E.

The exploit must be able to bind to port 69/UDP on the SAINTexploit host.

### Platforms

Windows
## Related record: CVE-2009-1431 (NVD)

Published 2009-04-29, last modified 2019-09-20. CWE: NVD-CWE-Other. CVSS v2: 9.3 HIGH, vector AV:N/AC:M/Au:N/C:C/I:C/A:C (exploitability subscore 8.6, impact subscore 10.0; network access, medium complexity, no authentication, no user interaction).
Source: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1431

XFR.EXE in the Intel File Transfer service in the console in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV) Corporate Edition 9 before 9.0 MR7, 10.0 and 10.1 before 10.1 MR8, and 10.2 before 10.2 MR2; Symantec Client Security (SCS) 2 before 2.0 MR7 and 3 before 3.1 MR8; and Symantec Endpoint Protection (SEP) before 11.0 MR3, allows remote attackers to execute arbitrary code by placing the code on a (1) share or (2) WebDAV server, and then sending the UNC share pathname to this service.

Affected CPEs: cpe:/a:symantec:system_center:*, cpe:/a:symantec:antivirus:10.2, cpe:/a:symantec:antivirus:9.0, cpe:/a:symantec:client_security:3.1, cpe:/a:symantec:client_security:2.0, cpe:/a:symantec:antivirus:-, cpe:/a:symantec:endpoint_protection:11.0, cpe:/a:symantec:antivirus_central_quarantine_server:*

Per vendor (http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_02):

"Symantec System Center Impact

Symantec System Center (SSS) is a Microsoft Management Console (MMC) plug-in which allows an administrator to manage all Symantec AntiVirus platforms from a single, centralized location. Alert Management System 2 (AMS2) is an alerting feature of System Center that listens for specific events and sends notifications as specified by the administrator.

AMS2 is installed by default with Symantec System Center 9.0. AMS2 is an optional component in Symantec System Center 10.0 or 10.1. These vulnerabilities will only impact systems if AMS has been installed.

Symantec AntiVirus Server Impact

AMS2 is installed by default with Symantec AntiVirus Server 9.0. AMS2 is an optional component in Symantec AntiVirus Server 10.0 or 10.1. These vulnerabilities will only impact systems if AMS has been installed.

Symantec AntiVirus and Symantec Endpoint Protection Central Quarantine Server Impact

AMS2 is installed by default by Central Quarantine Server. These vulnerabilities will only impact systems if Quarantine Server has been installed.

Symantec is not aware of any customers impacted by these issues, or of any attempts to exploit them. However, we recommend that any affected customers update their product immediately to protect against potential attempts to exploit these issues.

Certain localized language versions of SCS 2.0/SAV 9.x were not patched due to compatibility issues on the localized platforms. As a result, customers who are running the following versions are strongly recommended to update to a non-vulnerable SCS 2.0/SAV 9 International English version or upgrade to a non-vulnerable version of SEP 11.x:

- Symantec Client Security 2.0/Symantec AntiVirus Corporate Edition 9.x (Chinese Simplified and Chinese Traditional)
- Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Chinese Simplified and Chinese Traditional)
- Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Korean)
- Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Japanese licensed)"

## Related records: earlier editions of the SAINT bulletin

SAINT:08AFBDF493213472517DC9076A21DC83 (http://www.saintcorporation.com/cgi-bin/exploit_info/symantec_ams_intel_file_transfer) and SAINT:A6CCE32107476ACC2A2820DD172D6C36 (http://download.saintcorporation.com/cgi-bin/exploit_info/symantec_ams_intel_file_transfer), both published 2009-05-06 with CVSS 9.3, carry the same bulletin text as the SAINT bulletin at the top of this page.

## Related record: SECURITYVULNS:VULN:9886

Title: Symantec System Center (Symantec Client Security, Symantec Antivirus) code execution. Published 2009-05-01. CVSS 9.3.
Source: https://vulners.com/securityvulns/SECURITYVULNS:VULN:9886

The Intel File Transfer service allows execution of any program with SYSTEM privileges without authentication via TCP/12174.

## Related record: SECURITYVULNS:DOC:21759

Title: iDefense Security Advisory 04.29.09: Symantec System Center Alert Management System Console Arbitrary Program Execution Design Error Vulnerability. Published 2009-05-01. CVSS 9.3.
Source: https://vulners.com/securityvulns/SECURITYVULNS:DOC:21759

iDefense Security Advisory 04.28.09
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 28, 2009

I. BACKGROUND

Symantec System Center is an MMC (Microsoft Management Console) snap-in that allows an administrator to remotely manage Symantec products. The Symantec System Center comes bundled with several Symantec products, including Symantec Client Security and Symantec AntiVirus. It contains an optional component called the Alert Management System Console. This component starts a service (Intel File Transfer) that listens on TCP port 12174.

II. DESCRIPTION

Remote exploitation of a design error vulnerability in Symantec Corp.'s Symantec System Center may allow an attacker to execute arbitrary code with SYSTEM privileges.

The vulnerability exists within the 'Intel File Transfer' service, which runs the xfr.exe application. When sent a properly formatted request, this service will extract a string from the request, and use it as the path of a program to execute as a new Process. The process will be started with SYSTEM privileges.

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to execute arbitrary code with SYSTEM privileges. In order to exploit this vulnerability, an attacker must be able to establish a TCP session on port 12174 with the vulnerable host.

The vulnerable service is actually part of LANDesk Management Suite. It is not clear whether the behavior described is part of the intended functionality of the program. However, the manner in which the service is being used by the Symantec System Center is unsafe.

In a default client type installation, the Symantec System Center is not installed. The System Center would normally be found on the network administrator's system. In addition, the Alert Management System Console is not a default option in the installation of the System Center.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Symantec Client Security version 3.1. Previous versions may also be affected.

Symantec has confirmed the existence of this vulnerability in the following products:

- Symantec AntiVirus Corporate Edition Version 9.0 MR6 and earlier
- Symantec AntiVirus Corporate Edition Version 10.0 all versions
- Symantec AntiVirus Corporate Edition Version 10.1 MR7 and earlier
- Symantec AntiVirus Corporate Edition Version 10.2 MR1 and earlier
- Symantec Client Security Version 2.0 MR6 and earlier
- Symantec Client Security Version 3.0 all versions
- Symantec Client Security Version 3.1 MR7 and earlier
- Symantec Endpoint Protection Version 11.0 MR2 and earlier

V. WORKAROUND

The 'Intel File Transfer' service (which launches xfr.exe) can be disabled via the Service Manager. However, this may impair the operation of the Alert Management Service (AMS).

Symantec recommends users of the AMS switch to 'Reporting' to manage alerts in their environments, and disable or uninstall AMS as a temporary mitigation.

VI. VENDOR RESPONSE

Symantec has released a patch which addresses this issue. For more information, consult their advisory at the following URL:

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_02

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-1431 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

- 10/09/2007 - Initial Contact
- 10/09/2007 - Initial Vendor Response
- 08/27/2008 - Vendor Status Update
- 12/11/2008 - Requested Status Update
- 12/11/2008 - Vendor Status Update
- 04/14/2009 - Requested CVE
- 04/14/2009 - Requested Status Update
- 04/15/2009 - Vendor Status Update
- 04/28/2009 - Coordinated Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

## Related record: SSV:11166 (SeeBug)

Title: Symantec antivirus software Intel File Transfer service arbitrary code execution vulnerability. Published 2009-05-01. CVSS 9.3.
Source: https://www.seebug.org/vuldb/ssvid-11166

BUGTRAQ ID: 34675
CVE(CAN) ID: CVE-2009-1431

Symantec AntiVirus is a very popular antivirus solution.

Symantec antivirus products bundle Symantec System Center so that administrators can manage Symantec products remotely. Symantec System Center contains an optional component named the Alert Management System Console, which starts the Intel File Transfer service (XFR.EXE) on TCP port 12174. If a remote attacker sends a specially crafted request to the XFR.EXE service, the service extracts a string from the request and uses it as the path of the new process to execute.

An attacker can establish a TCP session to the vulnerable host and then place arbitrary code on a file share or WebDav server. Sending the UNC path to the XFR.EXE service causes that code to be executed on the user's machine.

Affected products:

- Symantec Client Security 3.1
- Symantec Client Security 3.0
- Symantec Client Security 2.0
- Symantec AntiVirus Corporate Edition 9.0
- Symantec AntiVirus Corporate Edition 10.2
- Symantec AntiVirus Corporate Edition 10.1
- Symantec AntiVirus Corporate Edition 10.0
- Symantec Endpoint Protection 11.0

Temporary workaround:

- Switch to Reporting to manage alerts, and disable or uninstall the Alert Management Service (AMS).

Vendor patch:

Symantec
--------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's homepage:

http://www.symantec.com/

## Related record: SMNTC-1175 (Symantec advisory SYM09-007)

Title: Symantec Alert Management System 2 multiple vulnerabilities. Published 2009-04-28, modified 2020-03-06. CVEs: CVE-2009-1429, CVE-2009-1430, CVE-2009-1431. CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

### SUMMARY

The version of Alert Management System 2 (AMS2) used by some versions of Symantec System Center, Symantec Antivirus Server, and Symantec AntiVirus Central Quarantine Server contains four vulnerabilities.

### AFFECTED PRODUCTS

| Product | Version | Solution |
|---|---|---|
| Symantec AntiVirus Corporate Edition | 9.0 MR6 and earlier | Update to SAV 9.0 MR7 |
| | 10.0 all versions | Update to SAV 10.1 MR8 |
| | 10.1 MR7 and earlier | Update to SAV 10.1 MR8 |
| | 10.2 MR1 and earlier | Update to SAV 10.2 MR2 |
| Symantec Client Security | 2.0 MR6 and earlier | Update to SCS 2.0 MR7 |
| | 3.0 all versions | Update to SCS 3.1 MR8 |
| | 3.1 MR7 and earlier | Update to SCS 3.1 MR8 |
| Symantec Endpoint Protection | 11.0 MR2 and earlier | Update to SEP 11.0 MR3 |

**Note**: These vulnerabilities only impact the products indicated if the AMS2 component is installed. See the Symantec Response section for additional information.

### ADDITIONAL PRODUCT INFORMATION

**Unaffected Products**

| Product | Version |
|---|---|
| Norton product lines | All |
| Altiris Management Service | All |

### ISSUES

**Risk Impact**: High

| | |
|---|---|
| Remote Access | Yes |
| Local Access | Yes |
| Authentication Required | No |
| Exploit available | No |

### MITIGATION

**Details**

Alert Management System 2 (AMS2) is a component of the Symantec System Center console, Symantec AntiVirus Server, and of the Symantec AntiVirus Central Quarantine Server. AMS2 listens for specific security related events on a computer network, and sends notifications as specified by the administrator.

Four vulnerabilities in AMS2 components have been reported to Symantec.

**1) Intel Common Base Agent Remote Command Execution Vulnerability**

The Intel LANDesk Common Base Agent (CBA) could allow a specially crafted packet sent to TCP Port 12174 to pass the packet contents as an argument to CreateProcessA(). The resulting command will be executed with SYSTEM privileges.

This vulnerability was discovered by Tenable Network Security, working through the Zero Day Initiative (ZDI).

**2) Intel Alert Originator Service Stack Overflow Vulnerability**

The Intel Alert Originator Service (IAO.EXE) does not properly validate data sent to a stack buffer through a call to memcpy(). An attacker could use a specially crafted packet to overflow the stack, and execute code of their choice with SYSTEM rights.

This vulnerability was discovered by Sebastian Apelt, working through the Zero Day Initiative (ZDI).

**3) Intel Alert Originator Service Buffer Overflow Vulnerabilities**

Intel Alert Originator Service (IAO.EXE) does not properly validate data sent to it by the MsgSys.exe process. This could potentially lead to stack based buffer overflows during calls to strcpy() and memcpy(). An attacker could potentially leverage this to execute code of their choice with SYSTEM rights.

This vulnerability was discovered by Sebastian Apelt, working through the Zero Day Initiative (ZDI).

**4) Alert Management System Console Arbitrary Program Execution Design Error Vulnerability**

The Intel File Transfer service (XFR.EXE) provides file transfer capabilities to AMS2. A design error in XFR.EXE could allow an attacker to execute code of their choice with SYSTEM privileges on a vulnerable system. If an attacker is able to establish a TCP session with a vulnerable host, the issue could be exploited by placing arbitrary code on a fileshare or WebDav server, and then sending the UNC path to XFR.EXE. The code would then be executed on the vulnerable system.

This issue was reported by an anonymous finder, working through iDefense.

**Symantec Response**

Symantec engineers verified that these vulnerabilities affect the products listed in the Affected Products table, above. Updates have been released to address these issues.

Symantec System Center Impact

Symantec System Center (SSS) is a Microsoft Management Console (MMC) plug-in which allows an administrator to manage all Symantec AntiVirus platforms from a single, centralized location. Alert Management System 2 (AMS2) is an alerting feature of System Center that listens for specific events and sends notifications as specified by the administrator.

AMS2 is installed by default with Symantec System Center 9.0. AMS2 is an optional component in Symantec System Center 10.0 or 10.1. These vulnerabilities will only impact systems if AMS has been installed.

Symantec AntiVirus Server Impact

AMS2 is installed by default with Symantec AntiVirus Server 9.0. AMS2 is an optional component in Symantec AntiVirus Server 10.0 or 10.1. These vulnerabilities will only impact systems if AMS has been installed.

Symantec AntiVirus and Symantec Endpoint Protection Central Quarantine Server Impact

AMS2 is installed by default by Central Quarantine Server. These vulnerabilities will only impact systems if Quarantine Server has been installed.

Symantec is not aware of any customers impacted by these issues, or of any attempts to exploit them. However, we recommend that any affected customers update their product immediately to protect against potential attempts to exploit these issues.

Certain localized language versions of SCS 2.0/SAV 9.x were not patched due to compatibility issues on the localized platforms. As a result, customers who are running the following versions are strongly recommended to update to a non-vulnerable SCS 2.0/SAV 9 International English version or upgrade to a non-vulnerable version of SEP 11.x:

- Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Korean)
- Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Japanese licensed)

**Mitigation**

Reporting has replaced AMS2 as the recommended method of alerting. Symantec Endpoint Protection Central Quarantine Server 11.0 MR3 and later no longer include AMS2. Symantec recommends that customers who are still using AMS2 switch to Reporting to manage alerts in their environments. If the customer is unable to switch to Reporting immediately, then Symantec recommends that the customer either disable AMS2 as a temporary mitigation or completely uninstall AMS2.

**Best Practices**

As a part of normal best practices, users should:

- Restrict access to computer systems to trusted users only.
- Keep all operating systems and applications updated with the latest vendor patches.
- Follow a multi-layered approach to security. Run both firewall and antivirus software to provide multiple points of protection from inbound and outbound threats.
- Run under the principle of least privilege.

### ACKNOWLEDGEMENTS

Symantec thanks the following people and organizations for reporting these issues, and coordinating with us on the resolution:

Zero Day Initiative ([www.zerodayinitiative.com](http://www.zerodayinitiative.com/)); Tenable Network Security ([www.tenablesecurity.com/](http://www.tenablesecurity.com/)); Sebastian Apelt ([webmaster@buzzworld.org](mailto:webmaster@buzzworld.org)); iDefense ([http://labs.idefense.com/](http://labs.idefense.com/)), and an anonymous finder.

### REFERENCES

These issues are candidates for inclusion in the Common Vulnerabilities and Exposures (CVE) list ([http://cve.mitre.org](http://cve.mitre.org/)), which standardizes names for security problems. CVE has assigned CVE identifiers to these issues. These issues are also included in the SecurityFocus ([http://www.securityfocus.com](http://www.securityfocus.com/)) BID database.

The following CVE and BID identifiers have been assigned to these issues:

| Issue | CVE | BID |
|---|---|---|
| Intel Common Base Agent Remote Command Execution Vulnerability | CVE-2009-1429 | 34671 |
| Intel Alert Originator Service Stack Overflow Vulnerability | CVE-2009-1430 | 34672 |
| Intel Alert Originator Service Buffer Overflow Vulnerabilities | CVE-2009-1430 | 34674 |
| Alert Management System Console Arbitrary Program Execution Design Error Vulnerability | CVE-2009-1431 | 34675 |