Symantec Security Response SMNTC-1083
History: Dec 21, 2005 - 8:00 a.m.

Symantec AntiVirus Decomposition Buffer Overflow

EPSS: 0.358 (Low), percentile 97.2%

SUMMARY

Symantec is aware of a buffer overflow in its AntiVirus component used to decompose RAR (Roshal Archive). A specially crafted RAR file could potentially cause this buffer overflow to occur and possibly execute hostile content from the RAR file on the targeted system.

Risk Impact: High

| Attribute | Value |
|---|---|
| Remote Access | Yes |
| Local Access | No |
| Authentication Required | No |
| Exploit publicly available | No |

AFFECTED PRODUCTS

Vulnerable Products

  1. As Symantec continues to investigate this issue, the list of affected products may be updated.
  2. Product updates will be available from the Symantec support site: http://www.symantec.com/techsupp/ or via LiveUpdate when available.
  3. Only currently supported Symantec Products will be updated. Customers using unsupported versions are encouraged to upgrade to a supported version.
  4. Some product updates are available via Symantec LiveUpdate. Users will need to perform a manual LiveUpdate to receive and install these product updates.

     To perform a manual update using Symantec LiveUpdate, users should:
     * Open any installed Symantec product
     * Click on LiveUpdate in the toolbar
     * Run LiveUpdate until all available Symantec product updates are downloaded and installed
  5. Product updates will initially be available for the English language versions. Localized versions of the update will be available as soon as fully tested. Please check for localized updates at your normal product support location.

To date, Symantec has not had any reports of attempts to exploit or customers impacted by this vulnerability.

Affected Enterprise Products

| Products | Versions | Builds | Update To |
|---|---|---|---|
| Norton AntiVirus for Microsoft Exchange | 2.18 and earlier | All | SMSMSE 4.6.4.110 |
| Symantec AntiVirus/Filtering for Microsoft Exchange | 4.0.10.465 and earlier | All | SMSMSE 4.6.4.110 |
| Symantec Mail Security | 8200 | All | 4.1.2-17 |
| Symantec Mail Security for Microsoft Exchange | 4.5.4 and earlier | All | 4.6.4.110 |
| Symantec Mail Security for Microsoft Exchange | 4.6.3 and earlier | All | 4.6.4.110 |
| Symantec Mail Security for Microsoft Exchange | 5.0.0.204 | All | 5.0.1.208 |
| Symantec Mail Security for Domino NT | 4.0.3 and earlier | All | 4.1.5.30 |
| Symantec Mail Security for Domino NT | 4.1.4 and earlier | All | 4.1.5.30 |
| Symantec Mail Security for Domino NT | 5.0.0.47 | All | 5.0.1.49 |
| Symantec AntiVirus/Filtering for Domino MPE (AIX, Linux, Solaris) | 3.0.11 and earlier | All | 3.0.12.25 |
| Symantec Scan Engine | 5.0.1 and earlier | All | 5.0.2.32 |
| Symantec AntiVirus Scan Engine | 4.1.8 and earlier | All | 4.1.9.30 |
| Symantec AntiVirus Scan Engine | 4.3.12 and earlier | All | 4.3.13.36 |
| Symantec AntiVirus Scan Engine for MS ISA | 4.3.12 and earlier | All | 4.3.13.36 |
| Symantec AntiVirus Scan Engine for MS Sharepoint | 4.3.12 and earlier | All | 4.3.13.36 |
| Symantec AntiVirus Scan Engine for Messaging | 4.3.12 and earlier | All | 4.3.13.36 |
| Symantec AntiVirus for Network Attached Storage | 4.3.12 and earlier | All | 4.3.13.36 |
| Symantec AntiVirus Scan Engine for Clearswift | 4.3.12 and earlier | All | 4.3.13.36 |
| Symantec AntiVirus Scan Engine for Caching | 4.3.12 and earlier | All | 4.3.13.36 |
| Symantec AntiVirus for SMTP | 3.1.7 and earlier | All | SMSSMTP 4.1.11.41 |
| Symantec Mail Security for SMTP | 4.1.9 and earlier | All | 4.1.11.41 |
| Symantec Client Security | 3.X | All | [3.0.2.2001 (MR2 PP1), 3.0.2 MP1](http://www.symantec.com/techsupp/enterprise/select_product_updates.html) |
| Symantec Web Security | 3.0.1 and earlier | All | 3.0.1.76 |
| Symantec Gateway Security 5000 Series | 3.0 | All | SGS3.0-20051222-00 |
| Symantec Gateway Security 5400 Series | 2.0 | All | SGS2.0.1-20051222-00 |
| Symantec Gateway Security | 1.0 | All | SG7004-20051222-00 |
| Symantec Brightmail AntiSpam | 6.0 | All | 6.0.3 (patch 164) |
| Symantec Brightmail AntiSpam | 5.5 | All | Upgrade to 6.0.3 (patch 164) |
| Symantec Brightmail AntiSpam | 4.0 | All | 4.0.9 |
| Symantec AntiVirus Corporate Edition | 10.X | All | [10.0.2.2001 (MR2 PP1), 10.0.2 MP1](http://www.symantec.com/techsupp/enterprise/select_product_updates.html) |
| Symantec AntiVirus for Macintosh | 10.X | All | Macintosh virus definitions dated January 4, 2006 or later |

Affected Consumer Products

| Products | Versions | Builds | Update To |
|---|---|---|---|
| Norton AntiVirus | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate) |
| Norton AntiVirus | 2005 | All | Common Client 3.0.6 (via LiveUpdate) |
| Norton AntiVirus | 2004 | All | Common Client 2.1.9 (via LiveUpdate) |
| Norton Internet Security Professional | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate) |
| Norton Internet Security Professional | 2005 AntiSpyware Edition | All | Common Client 3.5.7 (via LiveUpdate) |
| Norton Internet Security Professional | 2005 | All | Common Client 3.0.6 (via LiveUpdate) |
| Norton Internet Security Professional | 2004 | All | Common Client 2.1.9 (via LiveUpdate) |
| Norton SystemWorks | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate) |
| Norton SystemWorks | 2005 | All | Common Client 3.0.6 (via LiveUpdate) |
| Norton SystemWorks | 2004 | All | Common Client 2.1.9 (via LiveUpdate) |
| Norton Personal Firewall | 2006 | All | Common Client 2005-1.0.4 (via LiveUpdate) |
| Norton Personal Firewall | 2005 | All | Common Client 3.0.6 (via LiveUpdate) |
| Norton Personal Firewall | 2004 | All | Common Client 2.1.9 (via LiveUpdate) |
| Norton AntiVirus for Macintosh | 10.X | All | Macintosh virus definitions dated January 4, 2006 or later |
| Norton AntiVirus for Macintosh | 9.X | All | Macintosh virus definitions dated January 4, 2006 or later |
| Norton Internet Security for Macintosh | 3.X | All | Macintosh virus definitions dated January 4, 2006 or later |
| Norton SystemWorks for Macintosh | 3.X | All | Macintosh virus definitions dated January 4, 2006 or later |

ADDITIONAL PRODUCT INFORMATION

Products Not Affected

| Products | Versions | Builds |
|---|---|---|
| Symantec AntiVirus Corporate Edition | 9.X - all versions | All |
| Symantec AntiVirus Corporate Edition | 8.X - all versions | All |
| Symantec Client Security | 2.X | All |
| Symantec Client Security | 1.X | All |
| Symantec Enterprise Firewall | 8.0 | All |
| Symantec Clientless VPN Gateway 4400 Series | 5.0 | All |
| Symantec Firewall / VPN Appliance | 100/200 | All |
| Symantec Gateway Security 300/400 Series | 2.0 | All |
| Norton AntiVirus for Macintosh | 7.X | All |
| Norton AntiVirus for Macintosh | 8.X | All |
| Norton Internet Security for Macintosh | 2.X | All |
| Symantec AntiVirus for HandHelds - Corporate Edition | All | All |
| Symantec AntiVirus for Handhelds | All | All |
| Symantec Client Security for Nokia | | All |

ISSUES

A specially crafted RAR file could potentially cause this buffer overflow to occur and possibly execute hostile content from the RAR file on the targeted system.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE-2005-4438 to this issue.

MITIGATION

Symantec Response
Symantec is currently building, testing and distributing product updates for all supported affected products.

Mitigations
Symantec Security Response posted an antivirus-based protection signature to LiveUpdate on December 20, 2005, providing heuristic detection for potential exploits of the Symantec decomposer RAR archive vulnerability. This signature is available through LiveUpdate to all desktop, server and gateway product versions of Symantec's security products and appliance solutions that contain the decomposer RAR archive component. Symantec strongly recommends that customers immediately ensure their products are up to date to protect against possible threats.

Customers may also mitigate the risk to the antivirus component by disabling scanning of RAR compressed files until the vulnerable code is fixed. However, it is important to note that disabling RAR scanning may allow RAR files containing viruses through the security gateway.

Instructions to disable scanning of RAR compressed files for Symantec gateway products can be found at: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2005122213230354

To disable scanning of RAR files in Auto-Protect for Norton AntiVirus 9 and Norton AntiVirus 10:

  1. Open the System Preferences
  2. Select the Norton Auto-Protect preference pane
  3. Set ‘Scan Compressed Files’ to ‘Off’
  4. Close the System Preferences

This will disable the use of the Decomposer Engine when Auto-Protect is scanning files.

ACKNOWLEDGEMENTS

Symantec thanks Alex Wheeler for providing coordination and working with Symantec to resolve this issue.

REVISION

Revision History
12/22/05 - Updated product matrix, Additional mitigations
12/28/05 - Additional product updates, Refined mitigation
12/30/05 - Additional product updates
01/03/06 - Additional product updates
01/05/06 - Additional product updates
01/12/06 - Additional product updates
01/18/06 - Additional product updates
01/24/06 - Additional product updates
01/27/06 - Additional product updates
