| Check Point Reference: | CPAI-2005-349 |
| --- | --- |
| Date Published: | 6 Oct 2009 |
| Severity: | Critical |
| Last Updated: | Tuesday 06 October, 2009 |
| Source: | |
| Industry Reference: | CVE-2005-4438 |
| Protection Provided by: | Security Gateway |
| Who is Vulnerable? | |

Vulnerability Description: Symantec antivirus scanning products are designed for enterprise and home environments to protect against potentially malicious files and network traffic. Numerous Symantec products that incorporate antivirus scanning share common components and libraries. One such shared component is the set of decomposer libraries that decompress numerous archive file formats. A heap buffer overflow vulnerability exists in multiple Symantec products, specifically in the Antivirus Library component responsible for RAR archive decompression. A remote attacker may exploit this vulnerability to execute arbitrary code on the target host with System-level privileges by delivering a crafted RAR archive. When arbitrary code is injected and executed on the target host, the behavior of the target depends on the intention of the malicious code; the injected code runs in the security context of the target process, which is SYSTEM by default. If the attack attempt fails, the current process of the vulnerable application may terminate as a result. Note that the on-access virus scan application will still function after such a termination.
This protection will detect and block attempts to exploit this vulnerability.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protection tab and select the version of your choice.
This protection's log will contain the following information:
Attack Name: Security Products Enforcement Violation.
Attack Information: Symantec AntiVirus RAR archive decompression buffer overflow