More on Symantec vulnerabilities
UPDATE2:
It looks like the latest Symantec/Norton AV definitions are causing problems between the ScriptLogic product and the AV. According to some users who wrote to us, Symantec AV is detecting it as adware.slagent.
"Problem: Symantec/Norton Anti-virus definitions update released May 31st may cause your Desktop Authority or ScriptLogic Enterprise system to fail.
Solution: Refer to this KB Article with the resolution. http://www.scriptlogic.com/support/kb/displayarticle.asp?UID=2324&Str=1529."
HOD: Pedro Bueno
------------------------------------------------------------------------------------------
The latest patches from Symantec are causing quite a bit of confusion. To reiterate what Kevin wrote in his diary (http://isc.sans.org/diary.php?storyid=1368):
*ALL* versions of 10.0.x and 10.1.x of Symantec Antivirus Corporate Edition and 3.0.x and 3.1.x of Symantec Client Security seem to be vulnerable.
Symantec Antivirus Corporate Edition version 8.x and 9.x seem to be ok.
Symantec released 4 patches for each product (http://www.symantec.com/avcenter/security/Content/2006.05.25.html):
Symantec Antivirus Corporate Edition
10.1.0.394 -> 10.1.0.396 (there's a typo here on their web, it's not version 3)
10.1.0.400 -> 10.1.0.401
10.0.2.2010 -> 10.0.2.2011
10.0.2.2020 -> 10.0.2.2021
Symantec Client Security
3.1.0.394 -> 3.1.0.396
3.1.0.400 -> 3.1.0.401
3.0.2.2010 -> 3.0.2.2011
3.0.2.2020 -> 3.0.2.2021
Now, if you are running *ANY* other version that is affected, you will have to first upgrade to one of the versions that have the patch out and then install the patch. I hope this will clear the confusion.
There seem to be some mitigations for the problem, though. As eEye stated, this is a remotely exploitable vulnerability. Symantec Antivirus Corporate Edition, when in managed mode, will have the service Rtvscan.exe listening on TCP port 2967. If your host-based firewall is configured to block access to this port (effectively meaning that you can't manage the client from the centralized server, at least not until the client connects to it), you should be OK.
On our test machine, the unmanaged installation of Symantec Antivirus Corporate Edition didn't have any listeners so it looks like it's safe, at least from a remote exploit over the network (patch in any case!).
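The triage described above (patch directly, upgrade first and then patch, or not affected) together with the check for the managed-mode listener on TCP port 2967, as an added example that is not part of the original diary or any Symantec tooling. The function names, status labels, and the sample `netstat -an` text are constructed for illustration; treating the post-patch builds as "patched" is an assumption.

```python
import re

# Patch table copied from the diary: patchable build -> patched build.
SAV, SCS = "Symantec Antivirus Corporate Edition", "Symantec Client Security"
PATCHES = {
    SAV: {"10.1.0.394": "10.1.0.396", "10.1.0.400": "10.1.0.401",
          "10.0.2.2010": "10.0.2.2011", "10.0.2.2020": "10.0.2.2021"},
    SCS: {"3.1.0.394": "3.1.0.396", "3.1.0.400": "3.1.0.401",
          "3.0.2.2010": "3.0.2.2011", "3.0.2.2020": "3.0.2.2021"},
}
# Branches the diary calls vulnerable, and those it says seem to be OK.
AFFECTED = {SAV: ("10.0.", "10.1."), SCS: ("3.0.", "3.1.")}
UNAFFECTED = {SAV: ("8.", "9.")}

def triage(product, version):
    """Return (status, detail) for one installed product/version pair."""
    table = PATCHES.get(product)
    if table is None or not re.fullmatch(r"\d+(\.\d+){1,3}", version):
        return ("unknown", "product or version not covered by the diary")
    if version in table:                      # a patch exists for this build
        return ("patch", table[version])
    if version in table.values():             # assumption: target build is fixed
        return ("patched", version)
    if version.startswith(AFFECTED[product]): # affected, but no direct patch
        return ("upgrade-then-patch", ", ".join(sorted(table)))
    if version.startswith(UNAFFECTED.get(product, ())):
        return ("not-affected", version)
    return ("unknown", "branch not mentioned in the diary")

def listens_on_2967(netstat_output):
    """True if Windows `netstat -an` text shows a TCP listener on port 2967."""
    for line in netstat_output.splitlines():
        f = line.split()
        if (len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING"
                and f[1].rsplit(":", 1)[-1] == "2967"):
            return True
    return False

# Constructed sample of `netstat -an` output (not taken from the diary).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135     0.0.0.0:0        LISTENING
  TCP    0.0.0.0:2967    0.0.0.0:0        LISTENING
  TCP    10.0.0.5:1042   10.0.0.9:2967    ESTABLISHED
"""

if __name__ == "__main__":
    for ver in ("10.1.0.394", "10.0.1.1000", "9.0.3.1000"):
        print(ver, triage(SAV, ver))
    print("listener on 2967:", listens_on_2967(SAMPLE_NETSTAT))
```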
If we get more information we'll update the diary. Thanks to Gary for help with this.
UPDATE
Symantec finally posted a nice web page detailing what you have to do for the version you're running: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006052609181248.