Symantec and Norton Security Products Contain Critical Vulnerabilities
Systems Affected
All Symantec and Norton branded antivirus products
Overview
Symantec and Norton branded antivirus products contain multiple vulnerabilities. Some of these products are in widespread use throughout government and industry. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system.
Description
The vulnerabilities are listed below:
CVE-2016-2207
Symantec Antivirus multiple remote memory corruption unpacking RAR [1]
CVE-2016-2208
Symantec antivirus products use common unpackers to extract malware binaries when scanning a system. A heap overflow vulnerability in the ASPack unpacker could allow an unauthenticated remote attacker to gain root privileges on Linux or OSX platforms. The vulnerability can be triggered remotely using a malicious file (via email or link) with no user interaction. [2]
CVE-2016-2209
Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow [3]
CVE-2016-2210
Symantec: Remote Stack Buffer Overflow in dec2lha library [4]
CVE-2016-2211
Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives [5]
CVE-2016-3644
Symantec: Heap overflow modifying MIME messages [6]
CVE-2016-3645
Symantec: Integer Overflow in TNEF decoder [7]
CVE-2016 -3646
Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink [8]
Impact
The large number of products affected (24 products), across multiple platforms (OSX, Windows, and Linux), and the severity of these vulnerabilities (remote code execution at root or SYSTEM privilege) make this a very serious event. A remote, unauthenticated attacker may be able to run arbitrary code at root or SYSTEM privileges by taking advantage of these vulnerabilities. Some of the vulnerabilities require no user interaction and are network-aware, which could result in a wormable-event.
Solution
Symantec has provided patches or hotfixes to these vulnerabilities in their SYM16-008 [9] and SYM16-010 [10] security advisories.
Users and network administrators are encouraged to patch Symantec or Norton antivirus products immediately. While there has been no evidence of exploitation, the ease of attack, widespread nature of the products, and severity of the exploit may make this vulnerability a popular target.