Symantec Security Advisory

SYM04-008

12 May, 2004 

Symantec Client Firewall Remote Access and Denial of Service Issues

Revision History
None

Risk Impact
High

Overview
eEye Digital Security notified Symantec Corporation of four vulnerability 
issues they discovered in the Symantec Client Firewall products for 
Windows. By properly exploiting these issues, an attacker could render the 
targeted system inoperable or execute remote code with kernel-level 
privileges on the targeted system.

Affected Components

Consumer
Symantec Norton Internet Security and Professional 2002, 2003, 2004
Symantec Norton Personal Firewall 2002, 2003, 2004
Symantec Norton AntiSpam 2004

Corporate
Symantec Client Firewall 5.01, 5.1.1
Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)

Details
eEye Digital Security notified Symantec of four vulnerabilities they 
discovered during product testing on versions of Symantec's client 
firewall application.  eEye Digital Security found three instances where 
remote KERNEL-level access could potentially be gained.  Additionally, 
they reported a denial of service (DoS) issue that requires a system 
reboot to regain system utilization.

All issues occur within routines in the SYMDNS.SYS component.

The first issue is a stack overflow in the processing of DNS responses 
caused by improper bounds checking of external input. Successful 
exploitation of this issue could result in remote code execution on the 
targeted system with kernel-level privileges.

The second issue is a stack overflow in the processing of NetBIOS Name 
Service responses that can result in a memory overwrite.  If an attacker 
could successfully create the conditions required to manipulate this 
vulnerability they could potentially execute arbitrary code with 
kernel-level privileges.

The third remote execution issue is a potential heap corruption problem 
caused by improper bounds checking in the processing of NetBIOS Name 
Service responses.  If an attacker were to successfully exploit this 
condition, they could possibly execute arbitrary code on the targeted 
system with kernel-level privileges. 

The forth issue is a potential DoS condition caused by improper handling 
of DNS response packets.  Maliciously configured DNS responses can cause 
the targeted system to halt requiring a system reboot to clear the 
condition and regain system access.

Symantec Response
Symantec confirmed the vulnerabilities exist in the consumer and corporate 
Symantec Client Firewall applications as well as in Symantec's Norton 
AntiSpam 2004 application.  Symantec product engineers have developed 
fixes for the issues and released patches for all impacted products 
through Symantec LiveUpdate and technical support channels. 

Clients running consumer versions of the affected products who regularly 
run a manual Symantec LiveUpdate should already be protected against this 
issue.  However, to be sure they are fully protected, customers should 
manually run Symantec LiveUpdate to ensure all available updates are 
installed.
* Open any installed Symantec product
* Click on LiveUpdate in the toolbar
* Run LiveUpdate until Symantec LiveUpdate indicated that all installed 
Symantec products are up-to-date
* Depending on the application, system may require a reboot to effectively 
update available fixes.

Clients running the corporate versions of Symantec Client Firewall or 
Symantec Client Security should download and apply patches obtained 
through their appropriate support channels.

Symantec is not aware of any active attempts against or customer impact 
from this issue. 

CVE

The Common Vulnerabilities and Exposures (CVE) initiative has assigned 
Candidate names to these issues. 
Issues one, two and three are assigned under CVE Candidate Name, 
CAN-2004-0444

The fourth issue, the Denial of Service in NetBIOS Name Service is 
assigned CVE Candidate Name, CAN 2004-0445

These are candidates for inclusion in the CVE list (http://cve.mitre.org), 
which standardizes names for security problems.

Credit:
Symantec appreciates the cooperation of the eEye Digital Security research 
team in identifying this issue.

Symantec Product Security Contact:
Symantec takes the security and proper functionality of its products very 
seriously.  As founding members in the Organization for Internet Safety, 
Symantec follows the process of responsible disclosure.  Symantec also 
subscribes to the vulnerability guidelines outlined by the National 
Infrastructure Advisory Council (NIAC).  Please contact 
secure@symantec.com if you feel you have discovered a potential or actual 
security issue with a Symantec product.

Symantec strongly recommends using encrypted email for reporting 
vulnerability information to secure@symantec.com.  The Symantec Product 
Security PGP key can be obtained here.

This advisory is available on-line at 
http://securityresponse.symantec.com/avcenter/security/Content/2004. 05.12.html

--------------------------------------------------------------------------------

Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as 
it is not edited in any way unless authorized by Symantec Security 
Response. Reprinting the whole or parts of this alert in any medium other 
than electronically requires permission from symsecurity@symantec.com. 

Disclaimer
The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There 
are no warranties with regard to this information. Neither the author nor 
the publisher accepts any liability for any direct, indirect, or 
consequential loss or damage arising from use of, or reliance on, this 
information.

Symantec, Symantec products, and SymSecurity are registered trademarks of 
Symantec Corp. and/or affiliated companies in the United States and other 
countries. All other registered and unregistered trademarks represented in 
this document are the sole property of their respective companies/owners.