U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:



TA16-187A: Symantec and Norton Security Products Contain Critical 
Vulnerabilities
07/05/2016 10:50 AM EDT


Original release date: July 05, 2016

Systems Affected
All Symantec and Norton branded antivirus products

Overview
Symantec and Norton branded antivirus products contain multiple 
vulnerabilities. Some of these products are in widespread use throughout 
government and industry. Exploitation of these vulnerabilities could allow a 
remote attacker to take control of an affected system.

Description
The vulnerabilities are listed below:

CVE-2016-2207

Symantec Antivirus multiple remote memory corruption unpacking RAR [1]

CVE-2016-2208

Symantec antivirus products use common unpackers to extract malware binaries 
when scanning a system. A heap overflow vulnerability in the ASPack unpacker 
could allow an unauthenticated remote attacker to gain root privileges on
Linux 
or OSX platforms. The vulnerability can be triggered remotely using a
malicious 
file (via email or link) with no user interaction. [2]
CVE-2016-2209

Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow [3]
CVE-2016-2210

Symantec: Remote Stack Buffer Overflow in dec2lha library [4]
CVE-2016-2211

Symantec: Symantec Antivirus multiple remote memory corruption unpacking
MSPACK 
Archives [5]
CVE-2016-3644

Symantec: Heap overflow modifying MIME messages [6]
CVE-2016-3645

Symantec: Integer Overflow in TNEF decoder [7]
CVE-2016 -3646

Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink 
[8]


Impact
The large number of products affected (24 products), across multiple platforms 
(OSX, Windows, and Linux), and the severity of these vulnerabilities (remote 
code execution at root or SYSTEM privilege) make this a very serious event. A 
remote, unauthenticated attacker may be able to run arbitrary code at root or 
SYSTEM privileges by taking advantage of these vulnerabilities. Some of the 
vulnerabilities require no user interaction and are network-aware, which could 
result in a wormable-event.

Solution
Symantec has provided patches or hotfixes to these vulnerabilities in their 
SYM16-008 [9] and SYM16-010 [10] security advisories.

US-CERT encourages users and network administrators to patch Symantec or
Norton 
antivirus products immediately. While there has been no evidence of 
exploitation, the ease of attack, widespread nature of the products, and 
severity of the exploit may make this vulnerability a popular target.

References
[1] Symantec Antivirus multiple remote memory corruption unpacking RAR
[2] How to Compromise the Enterprise Endpoint
[3] Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow
[4] Symantec: Remote Stack Buffer Overflow in dec2lha library
[5] Symantec: Symantec Antivirus multiple remote memory corruption unpacking 
MSPACK Archives
[6] Symantec: Heap overflow modifying MIME messages
[7] Symantec: Integer Overflow in TNEF decoder
[8] Symantec: missing bounds checks in dec2zip 
ALPkOldFormatDecompressor::UnShrink
[9] Symantec SYM16-008 security advisory
[10] Symantec SYM16-010 security advisory
Revision History
July 5, 2016: Initial Release

----------------------------------------------------------------
-------------- 
-

This product is provided subject to this Notification and this Privacy & Use 
policy.


----------------------------------------------------------------
-------------- 
-
A copy of this publication is available at www.us-cert.gov. If you need help
or 
have questions, please send an email to info@us-cert.gov. Do not reply to this 
message since this email was sent from a notification-only address that is not 
monitored. To ensure you receive future US-CERT products, please add 
US-CERT@ncas.us-cert.gov to your address book.
OTHER RESOURCES:
Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED:
Sign up for email updates

SUBSCRIBER SERVICES:
Manage Preferences  |  Unsubscribe  |  Help


----------------------------------------------------------------
-------------- 
-
This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf
of: 
United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW 
Bldg 410 · Washington, DC 20598 · (888) 282-0870  Powered by GovDelivery
=== Cut ===


-+-
Keep the faith   :^)

   Ben  aka cMech  Web: http|ftp|binkp|telnet://cmech.dynip.com
                 Email: fido4cmech(at)lusfiber.net
              Home page: http://cmech.dynip.com/homepage/
           WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1

--- GoldED+/W32-MSVC v1.1.5 via Mystic BBS
 * Origin: FIDONet - The Positronium Repository (1:393/68)