Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
symantecSymantec Security ResponseSMNTC-1055
HistoryFeb 08, 2005 - 8:00 a.m.

Symantec UPX Parsing Engine Heap Overflow

2005-02-0808:00:00
Symantec Security Response
11

EPSS

0.005

Percentile

75.6%

JSON

SUMMARY

Symantec resolved a potential remote access compromise vulnerability reported by ISS X-Force. The vulnerability was identified in an early version of a Symantec antivirus scanning module responsible for parsing UPX compressed files that is still in limited use in some Symantec security products.

The vulnerable component fails to do proper bounds checks when analyzing certain container files for virus content. An attacker sending a specifically crafted UPX file could potentially compromise the targeted system.

NOTE: Users of affected products should ensure they are running a non-vulnerable product build or have installed recommended hotfixes.

If unable to update at this time, customers should implement the configuration procedures to disable the affected DEC2EXE module in those products, Symantec BrightMail, Symantec AntiVirus Corporate Edition and Symantec Client Security that are configurable, as documented in this advisory and associated product support Knowledge Base.

Symantec has NOT seen any active attempts against or organizations impacted by this issue. However, Symantec Security Response created Bloodhound.Exploit.26, a heuristic detection for attempts to exploit the DEC2EXE.dll heap overflow vulnerability. Virus definitions version 70209af (extended version 2/9/2005 rev. 32) or greater contain this heuristic and are available through Symantec LiveUpdate or Symantec’s Intelligent Updater.

AFFECTED PRODUCTS

Vulnerable Products (vulnerable builds/Maintenance Releases (MR) where indicated)
Enterprise Products

Norton AntiVirus for Microsoft Exchange 2.18 build 83
Symantec Mail Security for Microsoft Exchange 4.01 build 461
Symantec Mail Security for Microsoft Exchange 4.01 build 459
Symantec Mail Security for Microsoft Exchange 4.01 build 458
Symantec Mail Security for Microsoft Exchange 4.5 build 719
Symantec AntiVirus/Filtering for Domino NT 3.1 prior to build 3.1.1
Symantec Mail Security for Domino 4.0 prior to build 4.0.1
Symantec AntiVirus/Filtering for Domino Ports 3.0 
(AIX) | build 3.0.5  
(OS400, Linux, Solaris) | build 3.0.5

Symantec AntiVirus Scan Engine 4.0.X | all versions
Symantec AntiVirus Scan Engine 4.3.X | prior to build 4.3.3
Symantec AntiVirus Scan Engine for ISA 4.0.X | all versions
Symantec AntiVirus Scan Engine for ISA 4.3.x | prior to build 4.3.3
Symantec AntiVirus Scan Engine for Netapp Filer 4.0.X | All versions
Symantec AntiVirus Scan Engine for Netapp Filer 4.3.X | prior to build 4.3.3
Symantec AntiVirus Scan Engine for Netapp NetCache 4.0.X | All versions
Symantec AntiVirus Scan Engine for Netapp NetCache 4.3.X | prior to build 4.3.3
Symantec AntiVirus Scan Engine for Bluecoat 4.0.X | All versions
Symantec AntiVirus Scan Engine for Bluecoat 4.3.X | prior to build 4.3.3
Symantec AntiVirus Scan Engine for Filers 4.3.X | prior to build 4.3.3
Symantec AntiVirus Scan Engine for Caching 4.3.X | prior to build 4.3.3
|
Symantec AntiVirus for SMTP 3.1.X | build 3.1.1
Symantec AntiVirus for SMTP 3.1.X | build 3.1.2
Symantec AntiVirus for SMTP 3.1.X | build 3.1.3
Symantec AntiVirus for SMTP 3.1.X | build 3.1.4
Symantec AntiVirus for SMTP 3.1.X | build 3.1.5
Symantec AntiVirus for SMTP 3.1.X | build 3.1.6
Symantec Mail Security for SMTP 4.0 | prior to build 4.0.2
Symantec Web Security 3.0.1.X | build 3.01.59
Symantec Web Security 3.0.1.X | build 3.01.60
Symantec Web Security 3.0.1.X | build 3.01.61
Symantec Web Security 3.0.1.X | build 3.01.62
Symantec Web Security 3.0.1.X | build 3.01.63
Symantec Web Security 3.0.1.X | build 3.01.67
Symantec Web Security 3.0.1.X | build 3.01.68
Symantec BrightMail AntiSpam 4.0 | All
Symantec BrightMail AntiSpam 5.5 | All
|
Symantec AntiVirus Corporate Edition 8.1.1 | build 8.1.1.314a
Symantec AntiVirus Corporate Edition 8.1.1 | build 8.1.1.319
Symantec AntiVirus Corporate Edition 8.1.1 | build 8.1.1.323
Symantec AntiVirus Corporate Edition 8.1.1 | build 8.1.1.329
|
Symantec AntiVirus Corporate Edition 8.01 | build 8.01.434
Symantec AntiVirus Corporate Edition 8.01 | build 8.01.437
Symantec AntiVirus Corporate Edition 8.01 | build 8.01.446
Symantec AntiVirus Corporate Edition 8.01 | build 8.01.457
Symantec AntiVirus Corporate Edition 8.01 | build 8.01.460
Symantec AntiVirus Corporate Edition 8.01 | build 8.01.464
Symantec AntiVirus Corporate Edition 8.01 | build 8.01.471
|
Symantec Client Security 1.1.1 | MR1 build 8.1.1.314a
Symantec Client Security 1.1.1 | MR2 build 8.1.1.319
Symantec Client Security 1.1.1 | MR3 build 8.1.1.323
Symantec Client Security 1.1.1 | MR4 build 8.1.1.329
Symantec Client Security 1.1.1 | MR5 build 8.1.1.336
|
Symantec Client Security 1.0.1 | MR3 build 8.01.434
Symantec Client Security 1.0.1 | build 8.01.437
Symantec Client Security 1.0.1 | MR4 build 8.01.446
Symantec Client Security 1.0.1 | MR5 build 8.01.457
Symantec Client Security 1.0.1 | MR6 build 8.01.460
Symantec Client Security 1.0.1 | MR7 build 8.01.464
Symantec Client Security 1.0.1 | MR8 build 8.01.471
Symantec Gateway Security 2.0, 2.0.1 - 5400 Series |
Symantec Gateway Security 1.0 - 5300 Series |
|
Symantec Norton Antivirus 9.0 for Macintosh Corporate Edition |

Consumer Products

Symantec Norton Antivirus 2004 for Windows
Symantec Norton Internet Security 2004 (pro) for Windows
Symantec Norton System Works 2004 for Windows

Symantec Norton Antivirus 9.x for Macintosh Only when installed on OSX
Symantec Norton Internet Security 3.x for Macintosh Only when installed on OSX
Symantec Norton System Works 3.x for Macintosh Only when installed on OSX

ADDITIONAL PRODUCT INFORMATION

Non-Vulnerable Products (initial non-vulnerable build/Maintenance Release (MR) where indicated)
Enterprise Products

Norton AntiVirus for Microsoft Exchange 2.18 build 82 and earlier
Norton AntiVirus for Microsoft Exchange 2.18 build 85
Norton AntiVirus for Microsoft Exchange 2.18 build 88
Symantec Mail Security for Microsoft Exchange 4.0 build 456 and earlier
Symantec Mail Security for Microsoft Exchange 4.0 build 463
Symantec Mail Security for Microsoft Exchange 4.0 build 465
Symantec Mail Security for Microsoft Exchange 4.5 build 736
Symantec Mail Security for Microsoft Exchange 4.5 build 741
Symantec Mail Security for Microsoft Exchange 4.5 build 743
Symantec Mail Security for Microsoft Exchange 4.6 build 97
Symantec AntiSpam for SMTP 3.1 All
Symantec AntiVirus/Filtering for Domino NT 3.1 All
Symantec Mail Security for Domino 4.0 build 4.0.1
Symantec Mail Security for Domino 4.1 All
Symantec AntiVirus/Filtering for Domino Ports 3.0 
(S390)  | All  
(AIX)  | Prior to build 3.0.5  
(AIX)  | 3.0.6  
(OS400, Linux, Solaris)  | Prior to build 3.0.5  
(OS400, Linux, Solaris)  | build 3.0.7

Symantec AntiVirus Scan Engine 4.3 | build 4.3.3
Symantec AntiVirus Scan Engine for ISA 4.3.X | build 4.3.3
Symantec AntiVirus Scan Engine for Netapp Filer 4.3.X | build 4.3.3
Symantec AntiVirus Scan Engine for Netapp NetCache 4.3.X | build 4.3.3
Symantec AntiVirus for Caching | build 4.3.3
Symantec AntiVirus Scan Engine for Microsoft Portal Server 4.3.X | All
Symantec AntiVirus Scan Engine for Bluecoat 4.3.X | build 4.3.3
Symantec AntiVirus Scan Engine for Filers 4.3.X | build 4.3.3
Symantec AntiVirus for Microsoft Office | All
SharePoint Portal Server 2003 | All
Symantec AntiVirus for SMTP 3.0 | build 3.0.0.29
Symantec AntiVirus for SMTP 3.1 | build 3.1.7
Symantec Mail Security for SMTP 4.0 | build 4.0.2
Symantec Mail Security for SMTP 4.1 | All
Symantec Web Security 3.01.x | Prior to build 3.01.59
Symantec Web Security 3.01.x | build 3.0.1.70
Symantec Web Security 3.01.x | build 3.0.1.72
Symantec BrightMail AntiSpam 6.0 | All
Symantec BrightMail AntiSpam 4.0 (Disable DEC2EXE per mitigation instructions)
Symantec BrightMail AntiSpam 5.5 (Disable DEC2EXE per mitigation instructions)
|
Symantec AntiVirus Corporate Edition 9.0 | STM build 9.0.0.338 (module installed but not loaded into memory)
Symantec AntiVirus Corporate Edition 9.0 | MR 1 build 9.0.1.1000
Symantec AntiVirus Corporate Edition 9.0 | MR 2 build 9.0.2.1000
Symantec AntiVirus Corporate Edition 9.0 | MR 3 build 9.0.3.1000
Symantec AntiVirus Corporate Edition 8.1.1 | build 8.1.0.825a
Symantec AntiVirus Corporate Edition 8.1.1 | build 8.1.1.366
Symantec AntiVirus Corporate Edition 8.0 | build 8.01.9374
Symantec AntiVirus Corporate Edition 8.0 | build 8.01.9378
Symantec AntiVirus Corporate Edition 8.0 | build 8.01.425a/b
Symantec AntiVirus Corporate Edition 8.0 | build 8.01.429c
Symantec AntiVirus Corporate Edition 8.0 | build 8.01.501
|
Symantec Client Security 2.0 | STM build 9.0.0.338 (module installed but not loaded into memory)
Symantec Client Security 2.0.1 | MR1 build 9.0.1.1000
Symantec Client Security 2.0.2 | MR2 build 9.0.2.1000
Symantec Client Security 2.0.3 | MR3 build 9.0.3.1000
|
Symantec Client Security 1.1 | Initial STM Release build 8.1.0.825a
Symantec Client Security 1.1.1 | MR6 build 8.1.1.266
Symantec Client Security 1.0 | build 8.01.9374
Symantec Client Security 1.0.0 | build 8.01.9378
Symantec Client Security 1.0.1 | MR1 build 8.01.425a/b
Symantec Client Security 1.0.1 | MR2 build 8.01.429c
Symantec Client Security 1.0.1 | MR9 build 8.01.501
|
Symantec Norton AntiVirus 7.6 (does not install the vulnerable module)
Symantec Mail-Gear |
Symantec I-Gear |
Symantec AntiVirus for HandHelds - Corporate Edition (does not install the DEC2EXE module)
Symantec Client Security for Nokia Communicator (does not install the DEC2EXE module)

Consumer Products
Symantec Norton Antivirus 2003
Symantec Norton Internet Security 2003 (pro)
Symantec Norton System Works 2003
Symantec Norton AntiVirus 2005
Symantec Norton Internet Security 2005
Symantec Norton System Works 2005 (Premier)
Symantec Norton Antivirus 7.x for Macintosh
Symantec Norton Antivirus 8.x for Macintosh
Symantec Norton Internet Security 2.x for Macintosh
Symantec Norton System Works 7.0 for Macintosh

Symantec Norton Antivirus 9.x for Macintosh update to latest defs disables vulnerable module
Symantec Norton Internet Security 3.x for Macintosh update to latest defs disables vulnerable module
Symantec Norton System Works 3.x for Macintosh update to latest defs disables vulnerable module
Symantec AntiVirus for Handhelds does not install the DEC2EXE module

ISSUES

Details
ISS X-Force notified Symantec of a vulnerability discovered in the DEC2EXE parsing engine module used in earlier versions of the Symantec scan engine. The vulnerable DEC2EXE engine contained a heap overflow that could be initiated by sending a specifically crafted UPX file that would be parsed by the vulnerable DEC2EXE engine. If successfully exploited, the attack could potentially result in remote arbitrary code execution and possible compromise of the targeted system.

The Common Vulnerabilities and Exposures (CVE) initiative has not yet assigned CVE Candidate CAN-2005-0249 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. This section will be revised when the CVE Candidate is assigned.

MITIGATION

Symantec Response
Symantec confirmed the vulnerability ISS identified in the original DEC2EXE engine. The DEC2EXE engine is no longer required to parse compressed files. Prior to ISS contacting Symantec with this vulnerability, Symantec had already removed the DEC2EXE engine from the scan engine upgrades implemented in the majority of Symantec products.

Symantec has NOT seen any active attempts against or organizations impacted by this issue. However, Symantec Security Response created Bloodhound.Exploit.26, a heuristic detection for attempts to exploit the DEC2EXE.dll heap overflow vulnerability. Virus definitions version 70209af (extended version 2/9/2005 rev. 32) or greater contain this heuristic and are available via Symantec LiveUpdate or Symantec’s Intelligent Updater.

Recommended Upgrades
As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends customers, if they are not already running a current non-vulnerable product version/build, upgrade to their appropriate product update immediately to protect against these types of threats.

Symantec product engineers have developed and released updates or Maintenance Releases for all impacted product versions that were not already upgraded in the latest product build release. Updates and Maintenance Releases are available either through Symantec’s LiveUpdate for those products that have LiveUpdate capability or from the Symantec Product Support site at http://www.symantec.com/techsupp.

	Symantec Gateway Security 5300/5400 Series:

Symantec has tested and posted Maintenance Releases to address this issue for the affected Symantec Gateway Security 5300/5400 Series. The Maintenance Release removes the DEC2EXE engine from the affected products and upgrades the scan engine to a new version.

Product specific hotfixes and updates are available through the Symantec Enterprise Support site http://www.symantec.com/techsupp.

Symantec strongly recommends customers, if they are not already running a current non-vulnerable product version/build, upgrade to their appropriate product update immediately to protect against these types of threats.

Mitigation:

	Symantec BrightMail AntiSpam versions 4.0 and 5.5

The DEC2EXE module can be easily and safely disabled through the brightmail.cfg file on both Solaris, Linux and Windows platforms.

	For Solaris and Linux:
	
	1. Locate brightmail.cfg . 
	   The default location for this file is /opt/mailwall
	
	2. Edit brightmail.cfg in the following way:
	   In the section labeled "Symantec 3 decomposer", remove the following line:
	   blsymdec3Engine: libdec2exe.so|5
	
	3. Restart BrightMail to reload the config file: 
                  /etc/init.d/mailwall restart  
	
	For Windows:

	1. Close any open instance of the Brightmail Administration Console.
	2. Locate brightmail.cfg . 
	   The default location for this file is c:\program files\brightmail\config
	
	3. Edit brightmail.cfg in the following way:
	   In the section labeled "Symantec 3 decomposer", remove the following line:
	  blsymdec3Engine: dec2exe.dll|5
	
	4. Restart the Brightmail AntiVirus Cleaner and the Brightmail Server services.

ACKNOWLEDGEMENTS

Symantec acknowledges the X-Force research team and X-Force’s Alex Wheeler for identifying this issue and coordinating with Symantec to resolve and release information about the issue

REVISION

Revision History
2/9/2005 - Updated Vulnerability details and mitigations. Updated CVE Candidate Number
2/11/2005 - Configuration modifications tested and added to disable vulnerable module in SAVCE and SCS. URL to Technical Support KB with details.
2/17/2005 - Further breakout to clarify vulnerable and non-vulnerable builds.

Related

cvelist 1
nvd 1
securityvulns 1
canvas 1
cert 1
cve 1
cvelist
cvelist
CVE-2005-0249
2005-02-08 05:00:00
nvd
nvd
CVE-2005-0249
2005-02-08 05:00:00
securityvulns
securityvulns
SYM05-003 Symantec UPX Parsing Engine Heap Overflow
2005-02-12 00:00:00
canvas
canvas
Immunity Canvas: NORTON_UPX
2005-02-08 05:00:00
cert
cert
Symantec products vulnerable to buffer overflow via a specially crafted UPX file
2005-02-10 00:00:00
cve
cve
CVE-2005-0249
2005-02-08 05:00:00

EPSS

0.005

Percentile

75.6%

JSON
Related for SMNTC-1055
cvelist1nvd1securityvulns1canvas1cert1cve1