[PBARC] Symantec Norton Antivirus Device Driver Vulnerability

WOLF, EARNEST G [email protected]
Wed, 6 Aug 2003 10:27:10 -0500


All,


SYNOPSIS

Problem: Symantec Norton Antivirus contains a device driver vulnerability that could allow a local attacker to cause a denial of service on the system, or possibly gain elevated privileges.

Recommendation: Because no patches are currently available for this vulnerability, efforts should be made to restrict access to vulnerable systems, especially servers.
                                    

NETWORK SECURITY DISCUSSION

Network Security agrees with the priority level issued by Energy ISAC. When a fix or patch is released, more information will be provided.

ORIGINAL REACT ADVISORY

TRACKING ID 2003-08-015
SUBMITTAL TYPE Vulnerability 
SEVERITY Urgent
RISK 8    (Normal: 0-7  Urgent: 8-9  Critical: 10)
INDUSTRY TYPE
DATE/TIME REPORTED 08/06/2003 14:34:15 GMT
EVENT SUBJECT Symantec Norton Antivirus Device Driver Vulnerability
EVENT SUMMARY Symantec Norton Antivirus contains a device driver vulnerability that could allow a local attacker to cause a denial of service on the system, or possibly gain elevated privileges.
EVENT DESCRIPTION Norton Antivirus 2002 and 2003 contain a device driver vulnerability that could potentially allow a local attacker to execute a denial of service (DoS) attack or gain elevated privileges on a server or workstation running the software.

The vulnerability is basically a buffer overflow that allows a local attacker to overwrite sensitive memory space and execute code with elevated privileges. Device drivers call the DeviceIoControl() function with a pointer passed as a parameter. Data is written to a memory location selected as an offset from the pointer parameter. The DeviceIoControl() function does not properly validate parameters to ensure that the memory location is valid. The device drivers run with kernel-level permissions, which could lead to a variety of exploits and attacks, ranging from DoS to code execution.

The vulnerability in Norton Antivirus is due to improper validation when certain device control operation handlers attempt to write to invalid memory locations. An attacker could exploit this vulnerability to crash the system or potentially gain elevated privileges.

This appears to be a developing type of attack that could affect a large number of applications and Win32 device drivers.
Risk Explanation: Norton Antivirus is in widespread use running on both workstations and servers. Exploit code for this vulnerability has been publicly released and patches are unavailable.
HOW DETECTED ISAC Advisory 
CATEGORIES 
RECOMMENDATIONS Because no patches are currently available for this vulnerability, efforts should be made to restrict access to vulnerable systems, especially servers.
CORRECTIVE ACTION No vendor supplied information is currently available. 
LESSONS LEARNED 
HARDWARE
OPERATING SYSTEMS
PLATFORMS Servers, Workstations
APPLICATIONS Miscellaneous
IMPACT ON IT A local attacker can cause a denial of service or potentially gain elevated privileges on the system.
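
ADDED EXAMPLE (not part of the original advisory, and not Symantec code): the missing validation the advisory describes, shown as a portable C model of a device-control handler that writes at a caller-chosen offset, first unchecked and then with the bounds checks a handler needs. The request layout, function names and return codes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical request layout (an assumption for illustration): the
   caller chooses where in the driver's buffer the data is written. */
struct ctl_request {
    uint32_t offset;    /* caller-controlled offset from the buffer base */
    uint32_t length;    /* caller-controlled number of bytes to write */
    uint8_t  data[16];
};

enum { CTL_OK = 0, CTL_BAD_SIZE = -1, CTL_BAD_RANGE = -2 };

/* Pattern described in the advisory: offset and length are trusted, so
   the write can land outside the intended buffer. */
int handle_unchecked(uint8_t *buf, size_t buf_len,
                     const void *in, size_t in_len)
{
    const struct ctl_request *req = in;
    (void)buf_len; (void)in_len;             /* sizes are never consulted */
    memcpy(buf + req->offset, req->data, req->length);
    return CTL_OK;
}

/* Hardened form: validate the input size, snapshot the request, then
   check the whole write range against the real buffer size. */
int handle_checked(uint8_t *buf, size_t buf_len,
                   const void *in, size_t in_len)
{
    struct ctl_request req;

    if (buf == NULL || in == NULL || in_len < sizeof req)
        return CTL_BAD_SIZE;
    memcpy(&req, in, sizeof req);            /* copy once, then validate the copy */
    if (req.length > sizeof req.data)
        return CTL_BAD_RANGE;                /* would read past req.data */
    if (req.offset > buf_len || req.length > buf_len - req.offset)
        return CTL_BAD_RANGE;                /* subtraction form cannot wrap */
    memcpy(buf + req.offset, req.data, req.length);
    return CTL_OK;
}
```

In a Windows kernel driver the same checks apply to the input and output buffer lengths supplied with the request, and any raw user-mode pointer must additionally be probed (for example with ProbeForWrite inside an exception handler) before it is written through.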