10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
The version of Alert Management System 2 (AMS2) used by some versions of Symantec System Center, Symantec Antivirus Server, and Symantec AntiVirus Central Quarantine Server contains four vulnerabilities.
Product
|
Version
|
Solution
—|—|—
Symantec AntiVirus Corporate Edition
|
9.0 MR6 and earlier
|
Update to SAV 9.0 MR7
10.0 all versions
|
Update to SAV 10.1 MR8
10.1 MR7 and earlier
|
Update to SAV 10.1 MR8
|
10.2 MR1 and earlier
|
Update to SAV 10.2 MR2
Symantec Client Security
|
2.0 MR6 and earlier
|
Update to SCS 2.0 MR7
3.0 all versions
|
Update to SCS 3.1 MR8
3.1 MR7 and earlier
|
Update to SCS 3.1 MR8
Symantec Endpoint Protection
|
11.0 MR2 and earlier
|
Update to SEP 11.0 MR3
Note: These vulnerabilities only impact the products indicated if the AMS2 component is installed. See the Symantec Response section for additional information.
Unaffected Products
Product
|
Version
—|—
Norton product lines
|
All
Altiris Management Service
|
All
Risk Impact
High
Remote Access
|
Yes
—|—
Local Access
|
Yes
Authentication Required
|
No
Exploit available
|
No
Details
Alert Management System 2 (AMS2) is a component of the Symantec System Center console, Symantec AntiVirus Server, and of the Symantec AntiVirus Central Quarantine Server.
AMS2 listens for specific security related events on a computer network, and sends notifications as specified by the administrator.
Four vulnerabilities in AMS2 components have been reported to Symantec.
1) Intel Common Base Agent Remote Command Execution Vulnerability
The Intel LANDesk Common Base Agent (CBA) could allow a specially crafted packet sent to TCP Port 12174 to pass the packet contents as an argument to CreateProcessA(). The resulting command will be executed with SYSTEM privileges.
This vulnerability was discovered by Tenable Network Security, working through the Zero Day Initiative (ZDI).
2) Intel Alert Originator Service Stack Overflow Vulnerability
The Intel Alert Originator Service (IAO.EXE) does not properly validate data sent to a stack buffer through a call to memcpy(). An attacker could use a specially crafted packet to overflow the stack, and execute code of their choice with SYSTEM rights.
This vulnerability was discovered by: Sebastian Apelt, working through the Zero Day Initiative (ZDI).
3) Intel Alert Originator Service Buffer Overflow Vulnerabilities
Intel Alert Originator Service (IAO.EXE) does not properly validate data sent to it by the MsgSys.exe process. This could potentially lead to stack based buffer overflows during calls to strcpy() and memcpy(). An attacker could potentially leverage this to execute code of their choice with SYSTEM rights.
This vulnerability was discovered by Sebastian Apelt , working through the Zero Day Initiative (ZDI).
4) Alert Management System Console Arbitrary Program Execution Design Error Vulnerability
The Intel File Transfer service (XFR.EXE) provides file transfer capabilities to AMS2. A design error in XFR.EXE could allow an attacker to execute code of their choice with SYSTEM privileges on a vulnerable system. If an attacker is able to establish a TCP session with a vulnerable host, the issue could be exploited by placing arbitrary code on a fileshare or WebDav server, and then sending the UNC path to XFR.EXE. The code would then be executed on the vulnerable system.
This issue was reported by an anonymous finder, working through IDefense
Symantec Response
Symantec engineers verified that these vulnerabilities affect the products listed in the Affected Products table, above. Updates have been released to address these issues.
Symantec System Center Impact
Symantec System Center (SSS) is a Microsoft Management Console (MMC) plug-in which allows an administrator to manage all Symantec AntiVirus platforms from a single, centralized location. Alert Management System 2 (AMS2) is an alerting feature of System Center that listens for specific events and sends notifications as specified by the administrator.
AMS2 is installed by default with Symantec System Center 9.0. AMS2 is an optional component in Symantec System Center 10.0 or 10.1. These vulnerabilities will only impact systems if AMS has been installed.
Symantec AntiVirus Server Impact
AMS2 is installed by default with Symantec AntiVirus Server 9.0. AMS2 is an optional component in Symantec AntiVirus Server 10.0 or 10.1. These vulnerabilities will only impact systems if AMS has been installed.
Symantec AntiVirus and Symantec Endpoint Protection Central Quarantine Server Impact
AMS2 is installed by default by Central Quarantine Server. These vulnerabilities will only impact systems if Quarantine Server has been installed.
Symantec is not aware of any customers impacted by these issues, or of any attempts to exploit them. However, we recommend that any affected customers update their product immediately to protect against potential attempts to exploit these issues.
Certain localized language versions of SCS 2.0/SAV 9.x were not patched due to compatibility issues on the localized platforms. As a result, customers who are running the following versions are strongly recommended to update to a non-vulnerable SCS 2.0/SAV 9 International English version or upgrade to a non-vulnerable version of SEP 11.x:
Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Korean)
Symantec Client Security 2.0/Symantec AntiVirus Business Pack 9.x (Japanese licensed)
Mitigation
Reporting has replaced AMS2 as the recommended method of alerting. Symantec Endpoint Protection Central Quarantine Server 11.0 MR3 and later no longer include AMS2. Symantec recommends that customers who are still using AMS2 switch to Reporting to manage alerts in their environments. If the customer is unable to switch to Reporting immediately then Symantec recommends that the customer either disables AMS2 as a temporary mitigation or completely uninstall AMS2.
Best Practices
As a part of normal best practices, users should:
Symantec thanks the following people and organizations for reporting these issues, and coordinating with us on the resolution:
Zero Day Initiative (www.zerodayinitiative.com); Tenable Network Security (www.tenablesecurity.com/); Sebastian Apelt ([email protected]); iDefense (http://labs.idefense.com/), and an anonymous finder.
These issues are candidates for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. CVE has assigned CVE identifiers to these issues. These issues are also included in the SecurityFocus (http://www.securityfocus.com) BID database.
The following CVE and BID identifiers have been assigned to these issues:
Intel Common Base Agent Remote Command Execution Vulnerability
CVE CVE-2009-1429
BID 34671
Intel Alert Originator Service Stack Overflow Vulnerability
CVE CVE-2009-1430
BID 34672
Intel Alert Originator Service Buffer Overflow Vulnerabilities
CVE CVE-2009-1430
BID 34674
Alert Management System Console Arbitrary Program Execution Design Error Vulnerability
CVE CVE-2009-1431
BID 34675