Advisory: Symantec Norton Anti-virus and Endpoint Protection – multiple high severity vulnerabilities

Created:  30 Jun 2016
Updated:  30 Jun 2016

Originally published by CERT-UK (now a part of the National Cyber Security Centre)

Executive summary

Multiple critical vulnerabilities have been reported in a number of different security products from Symantec, affecting both enterprise and consumer products.

These vulnerabilities include a ‘100% reliable remote exploit’ and a ‘wormable’ flaw that requires no user interaction by the victim for an attacker to exploit.

The vulnerabilities have been fixed by Symantec and performing a manual ‘LiveUpdate’ will update the software to the patched version. We recommend that all affected versions should be updated as soon as possible.

What is it?

Google Project Zero warned of multiple critical vulnerabilities in Symantec and Norton products, including a ‘100% reliable remote exploit’ and a ‘wormable’ flaw that requires no user interaction by the victim for an attacker to exploit.

The security flaws do not require any user interaction and affect the default configuration, in which the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, so exploitation results in remote kernel memory corruption.

Both Symantec’s branded enterprise security solutions and the Norton branded versions for consumers are affected since the same core engine is used across the entire product line.

Which products are affected?

Affected products include, but are not limited to: Norton Antivirus (Mac, Windows), Symantec Endpoint (Mac, Windows, Linux, UNIX), Symantec Scan Engine (All Platforms), Symantec Cloud/NAS Protection Engine (All Platforms), Symantec Email Security (All Platforms), Symantec Protection for SharePoint/Exchange/Notes/etc (All Platforms), plus all other Symantec/Norton Carrier, Enterprise, SMB and Home versions.

On Windows, successful exploitation results in remote code execution as SYSTEM; on all other platforms, it results in remote code execution as root.

What could happen if the vulnerabilities were exploited?

An attacker could exploit a vulnerability in Symantec’s unpacker – which runs in the kernel – by emailing a file to a victim or sending them a link. The victim does not need to open the file or interact with it in any way. As no interaction is necessary to exploit it, this is a wormable vulnerability with potentially serious consequences to users of Norton and Symantec products. An attacker could potentially compromise an entire enterprise fleet using a vulnerability like this.

Parsing of maliciously-formatted container files may cause memory corruption, integer overflow or buffer overflow in Symantec’s Decomposer engine. Successful exploitation of these vulnerabilities typically results in an application-level denial of service but could also result in arbitrary code execution. An attacker could potentially run arbitrary code by sending a specially crafted file to a user.

Another vulnerability is reported to be a 100% reliable remote exploit, effective against the default configuration in Norton Anti-virus and Symantec Endpoint, and is exploitable via email or the web.

Symantec have stated that they are not currently aware of these vulnerabilities having been exploited in the wild. However, now that the vulnerabilities have been disclosed, there will almost certainly be attempts to weaponise them.

What can I do?

The vulnerabilities have been fixed by Symantec and performing a manual ‘LiveUpdate’ will update the software to the patched version. We recommend that all affected versions should be updated as soon as possible.

How can I tell if I am at risk?

The Help -> About box in the product UI shows version 22.7.0.x once the update has been successfully applied. If the version number is lower than this, your instance could be vulnerable.
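For a fleet rather than a single machine, the same check is usually run against version strings collected by an inventory or endpoint-management tool. The script below is an added example, not part of the original advisory or Symantec's own tooling: it compares collected version strings numerically (so that 22.10 correctly sorts above 22.7) against the 22.7.0.x threshold the advisory gives, and sorts hosts into at-risk, patched and unknown. The hostnames and version strings in SAMPLE_INVENTORY are constructed sample data; the threshold applies to the consumer product line as stated above, and for other product lines PATCHED_MIN would be set from the vendor advisory linked below, since those build numbers are not given here.

```python
"""Triage collected product version strings against the advisory's
patched-version threshold (Help -> About shows 22.7.0.x once updated).

Added example, not part of the original advisory. PATCHED_MIN comes from the
advisory text; the inventory records below are constructed sample data.
"""
from __future__ import annotations

# From the advisory: 22.7.0.x indicates the LiveUpdate fix is applied.
PATCHED_MIN: tuple[int, ...] = (22, 7, 0)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '22.7.0.76' into (22, 7, 0, 76).

    A trailing wildcard component as written in the advisory ('22.7.0.x')
    is accepted and simply dropped. Anything else that is not a dotted
    run of integers raises ValueError so the caller can flag it as unknown
    rather than silently treating it as patched or vulnerable.
    """
    nums: list[int] = []
    for part in text.strip().split("."):
        if part == "x":
            break
        if not part.isdigit():
            raise ValueError(f"unparseable version component {part!r} in {text!r}")
        nums.append(int(part))
    if not nums:
        raise ValueError(f"empty version string {text!r}")
    return tuple(nums)


def is_patched(version: str) -> bool:
    """True if the version is at or above PATCHED_MIN.

    Only as many components as the threshold has are compared, so '22.7.0.x'
    compares equal to 22.7.0, and short strings such as '22.7' are padded
    with zeros. Tuples compare element by element as integers, which is the
    point: a plain string comparison would rank '22.10' below '22.7'.
    """
    parsed = parse_version(version)
    width = len(PATCHED_MIN)
    padded = (parsed + (0,) * width)[:width]
    return padded >= PATCHED_MIN


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Sort (hostname, version) records into at_risk / patched / unknown."""
    buckets: dict[str, list[str]] = {"at_risk": [], "patched": [], "unknown": []}
    for host, version in inventory:
        try:
            key = "patched" if is_patched(version) else "at_risk"
        except ValueError:
            key = "unknown"   # not installed, blank, or a garbled string
        buckets[key].append(host)
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY: list[tuple[str, str]] = [
    ("ws-01", "22.7.0.76"),
    ("ws-02", "22.6.1.15"),
    ("ws-03", "22.10.0.85"),
    ("ws-04", "21.7.0.11"),
    ("ws-05", "not installed"),
]


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for bucket, hosts in report.items():
        print(f"{bucket:>8}: {', '.join(hosts) if hosts else '-'}")
```

Hosts in the unknown bucket deserve a manual look rather than being assumed safe: a blank or non-numeric version string usually means the agent is missing, broken, or reporting through a different field.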

Where can I find more information?

Symantec have released information on this under SYM16-010: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00
