Check: 2011-A-0011
Windows 7 IAVM:
2011-A-0011
(in version v1 r32)
Title
Multiple Vulnerabilities in Symantec Products (Cat I impact)
Discussion
Symantec has released two security advisories addressing multiple vulnerabilities in various Symantec products. To exploit these vulnerabilities, a remote attacker would send malicious data to an affected system. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code or cause a denial-of-service condition on affected systems. At this time, there are proof of concept exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Symantec Intel Alert Management System Multiple Remote Code Execution Vulnerabilities - (CVE-2010-0110): The Intel Alert Management System (AMS2) is used in Symantec AntiVirus Corporate Edition Server (SAVCE), Symantec System Center (SSC), and Symantec Quarantine Server. AMS2 listens on TCP Port 38292 and allows SAVCE Administrators to send messages (i.e. email) if a user-specified event occurs. It is possible to send specially-crafted packets to the targeted server, causing a buffer overflow or allowing arbitrary commands to run, potentially executing arbitrary code. The successful exploitation of these vulnerabilities could result in a possible compromise of the affected products. Note: AMS2 has not been included in a default install of SAVCE Server or SSC since version 10.0. AMS2 was included in the default install of Quarantine Server prior to SEP 11.0 MR3.

Symantec Intel Alert Management System Multiple Arbitrary Message Creation or Denial of Service Vulnerabilities - (CVE-2010-0111): The Intel Alert Management System (AMS2) is used in Symantec AntiVirus Corporate Edition Server (SAV), Symantec System Center (SSC), and Symantec Quarantine Server. AMS2 listens on TCP Port 38292 and allows Administrators to send messages (i.e. email) if a user-specified event occurs. Symantec was notified of multiple vulnerabilities in AMS2 that make it possible to send specially-crafted AMS2 messages to the target machine. The results can allow for arbitrary events (launching a program, sending an email) or even shut down the service through a DoS. The successful exploitation of this vulnerability could result in potential compromise of or a Denial of Service in the affected products. Note: AMS2 has not been included in a default install of SAV Server or SSC since version 10.0. AMS2 was included in a default install of Quarantine Server prior to SEP 11.0 MR3.
Check Content
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications\Systems:

- Symantec AntiVirus Corporate Edition Server 10.x
- Symantec System Center 10.x
- Symantec Quarantine Server 3.6
- Symantec Quarantine Server 3.5

Open About “Product” from the product's menu to view the version and build numbers. Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista and later). To expose the version column in Programs and Features, right-click somewhere in the column headers, select More and select Version.
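The manual check above can be scripted. The following is an added example, not part of the IAVM notice or the vendor bulletin: it reads the standard Windows uninstall registry keys (the data behind Programs and Features), flags the versions listed above, and reports whether anything is listening on the AMS2 port the Discussion names. The display-name patterns are assumptions and must be confirmed against the names shown on your systems.

```powershell
# Added example (not from the IAVM notice): local check for IAVM 2011-A-0011.
# ASSUMPTION: the DisplayName patterns are illustrative; verify them against
# the product names shown in Programs and Features before relying on the result.
$affected = @(
    @{ Pattern = 'Symantec AntiVirus*';     Versions = @('10.') },
    @{ Pattern = 'Symantec System Center*'; Versions = @('10.') },
    @{ Pattern = '*Quarantine Server*';     Versions = @('3.5', '3.6') }
)

# Per-machine uninstall keys, 64-bit and 32-bit registry views.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-AffectedVersion {
    param([string]$Name, [string]$Version)
    foreach ($rule in $affected) {
        if ($Name -like $rule.Pattern) {
            foreach ($prefix in $rule.Versions) {
                # Prefix match on the version string: 10.x, 3.5.x, 3.6.x
                if ($Version -like "$prefix*") { return $true }
            }
        }
    }
    return $false
}

$findings = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and
                   (Test-AffectedVersion $_.DisplayName $_.DisplayVersion) } |
    Select-Object DisplayName, DisplayVersion)

# AMS2 listens on TCP 38292 (per the Discussion). AMS2 is not in every default
# install, so a listener shows whether the vulnerable service is actually exposed.
# The LISTENING keyword is what English-language netstat prints.
$listeners = @(netstat -ano | Select-String -Pattern ':38292\s+\S+\s+LISTENING')

if ($findings.Count -gt 0) {
    Write-Output 'Affected Symantec product versions installed:'
    $findings | Format-Table -AutoSize | Out-String | Write-Output
} else {
    Write-Output 'No affected Symantec product versions found in the uninstall keys.'
}
if ($listeners.Count -gt 0) {
    Write-Output 'TCP 38292 is listening (last column is the owning PID):'
    $listeners | ForEach-Object { $_.Line.Trim() }
} else {
    Write-Output 'Nothing is listening on TCP 38292.'
}
```

The script uses only cmdlets available in the PowerShell 2.0 that ships with Windows 7. A listener on TCP 38292 with no matching product entry still warrants investigation of the owning PID.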
Fix Text
Additional Identifiers
Rule ID:
Vulnerability ID: V-26049
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |