Symantec Alert Management System 2 multiple vulnerabilities

SUMMARY

The version of Alert Management System 2 (AMS2) used by some versions of Symantec System Center, Symantec Antivirus Server, and Symantec AntiVirus Central Quarantine Server contains four vulnerabilities.

AFFECTED PRODUCTS

Product

|

Version

|

Solution

—|—|—

Symantec AntiVirus Corporate Edition

|

9.0 MR6 and earlier

|

Update to SAV 9.0 MR7

10.0 all versions

|

Update to SAV 10.1 MR8

10.1 MR7 and earlier

|

Update to SAV 10.1 MR8

|

10.2 MR1 and earlier

|

Update to SAV 10.2 MR2

Symantec Client Security

|

2.0 MR6 and earlier

|

Update to SCS 2.0 MR7

3.0 all versions

|

Update to SCS 3.1 MR8

3.1 MR7 and earlier

|

Update to SCS 3.1 MR8

Symantec Endpoint Protection

|

11.0 MR2 and earlier

|

Update to SEP 11.0 MR3

Note: These vulnerabilities only impact the products indicated if the AMS2 component is installed. See the Symantec Response section for additional information.

ADDITIONAL PRODUCT INFORMATION

Unaffected Products

Product

|

Version

—|—

Norton product lines

|

All

Altiris Management Service

|

All

ISSUES

Risk Impact

High

Remote Access

|

Yes

—|—

Local Access

|

Yes

Authentication Required

|

No

Exploit available

|

No

MITIGATION

Details

Alert Management System 2 (AMS2) is a component of the Symantec System Center console, Symantec AntiVirus Server, and of the Symantec AntiVirus Central Quarantine Server.
AMS2 listens for specific security related events on a computer network, and sends notifications as specified by the administrator.

Four vulnerabilities in AMS2 components have been reported to Symantec.

1) Intel Common Base Agent Remote Command Execution Vulnerability

The Intel LANDesk Common Base Agent (CBA) could allow a specially crafted packet sent to TCP Port 12174 to pass the packet contents as an argument to CreateProcessA(). The resulting command will be executed with SYSTEM privileges.

This vulnerability was discovered by Tenable Network Security, working through the Zero Day Initiative (ZDI).

2) Intel Alert Originator Service Stack Overflow Vulnerability

The Intel Alert Originator Service (IAO.EXE) does not properly validate data sent to a stack buffer through a call to memcpy(). An attacker could use a specially crafted packet to overflow the stack, and execute code of their choice with SYSTEM rights.

This vulnerability was discovered by: Sebastian Apelt, working through the Zero Day Initiative (ZDI).

3) Intel Alert Originator Service Buffer Overflow Vulnerabilities

Intel Alert Originator Service (IAO.EXE) does not properly validate data sent to it by the MsgSys.exe process. This could potentially lead to stack based buffer overflows during calls to strcpy() and memcpy(). An attacker could potentially leverage this to execute code of their choice with SYSTEM rights.

This vulnerability was discovered by Sebastian Apelt , working through the Zero Day Initiative (ZDI).

4) Alert Management System Console Arbitrary Program Execution Design Error Vulnerability

The Intel File Transfer service (XFR.EXE) provides file transfer capabilities to AMS2. A design error in XFR.EXE could allow an attacker to execute code of their choice with SYSTEM privileges on a vulnerable system. If an attacker is able to establish a TCP session with a vulnerable host, the issue could be exploited by placing arbitrary code on a fileshare or WebDav server, and then sending the UNC path to XFR.EXE. The code would then be executed on the vulnerable system.

This issue was reported by an anonymous finder, working through IDefense

Symantec Response

Symantec engineers verified that these vulnerabilities affect the products listed in the Affected Products table, above. Updates have been released to address these issues.

Symantec System Center Impact

Symantec System Center (SSS) is a Microsoft Management Console (MMC) plug-in which allows an administrator to manage all Symantec AntiVirus platforms from a single, centralized location. Alert Management System 2 (AMS2) is an alerting feature of System Center that listens for specific events and sends notifications as specified by the administrator.

AMS2 is installed by default with Symantec System Center 9.0. AMS2 is an optional component in Symantec System Center 10.0 or 10.1. These vulnerabilities will only impact systems if AMS has been installed.

Symantec AntiVirus Server Impact

AMS2 is installed by default with Symantec AntiVirus Server 9.0. AMS2 is an optional component in Symantec AntiVirus Server 10.0 or 10.1. These vulnerabilities will only impact systems if AMS has been installed.

Symantec AntiVirus and Symantec Endpoint Protection Central Quarantine Server Impact

AMS2 is installed by default by Central Quarantine Server. These vulnerabilities will only impact systems if Quarantine Server has been installed.

Symantec is not aware of any customers impacted by these issues, or of any attempts to exploit them. However, we recommend that any affected customers update their product immediately to protect against potential attempts to exploit these issues.

Certain localized language versions of SCS 2.0/SAV 9.x were not patched due to compatibility issues on the localized platforms. As a result, customers who are running the following versions are strongly recommended to update to a non-vulnerable SCS 2.0/SAV 9 International English version or upgrade to a non-vulnerable version of SEP 11.x:

Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Korean)
Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Japanese licensed)

Mitigation

Reporting has replaced AMS2 as the recommended method of alerting. Symantec Endpoint Protection Central Quarantine Server 11.0 MR3 and later no longer include AMS2. Symantec recommends that customers who are still using AMS2 switch to Reporting to manage alerts in their environments. If the customer is unable to switch to Reporting immediately then Symantec recommends that the customer either disables AMS2 as a temporary mitigation or completely uninstall AMS2.

Best Practices

As a part of normal best practices, users should:

• Restrict access to computer systems to trusted users only.
• Keep all operating systems and applications updated with the latest vendor patches.
• Follow a multi-layered approach to security. Run both firewall and antivirus software to provide multiple points of protection from inbound and outbound threats.
• Run under the principle of least privilege.

ACKNOWLEDGEMENTS

Symantec thanks the following people and organizations for reporting these issues, and coordinating with us on the resolution:

Zero Day Initiative (www.zerodayinitiative.com); Tenable Network Security (www.tenablesecurity.com/); Sebastian Apelt ([email protected]); iDefense (http://labs.idefense.com/), and an anonymous finder.

REFERENCES

These issues are candidates for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. CVE has assigned CVE identifiers to these issues. These issues are also included in the SecurityFocus (http://www.securityfocus.com) BID database.

The following CVE and BID identifiers have been assigned to these issues:

Intel Common Base Agent Remote Command Execution Vulnerability
CVE CVE-2009-1429
BID 34671

Intel Alert Originator Service Stack Overflow Vulnerability
CVE CVE-2009-1430
BID 34672

Intel Alert Originator Service Buffer Overflow Vulnerabilities
CVE CVE-2009-1430
BID 34674

Alert Management System Console Arbitrary Program Execution Design Error Vulnerability
CVE CVE-2009-1431
BID 34675