|Security Advisory ID SYMSA1004|
Initial Publication Date:
5 Oct 2001
The LiveUpdate component is an essential piece of technology that delivers product and virus definition updates directly to the desktop, gateway or server. A group of security researchers, phenoelit.de, have reported potential problems with LiveUpdate 1.4, and to a lesser degree with LiveUpdate 1.6, that could result in deployment of malware, remote penetration of systems, or a Distributed Denial of Service (DDoS) attack.
Phenoelit Advisory #0815: http://www.phenoelit.de/stuff/LiveUpdate.txt
Risk Impact:
Symantec evaluates the risk impact of a potential attack of the nature described by Phenoelit to be medium for users who have not updated to LiveUpdate 1.6.
Affected Components:
Symantec LiveUpdate 1.4 through 1.6
The Phenoelit group's advisory states: "When LiveUpdate 1.4 is started (either by hand or as a scheduled task), it looks for the server 'update.symantec.com'. An attacker can use one of several attacks to return false information to the querying host, such as:
- The attacker controls the DNS server and creates a master zone for symantec.com
- The attacker uses routing-based attacks to impersonate the DNS server
- The attacker uses DNS poisoning on the DNS server to return a false IP address
- The attacker uses layer 2 connection interception to impersonate the DNS server
- The attacker sends false DNS responses to the querying host
According to the Phenoelit group, when the host running LiveUpdate tries to connect to update.symantec.com via FTP, it is actually connecting to the FTP server of the attacker's choice. LiveUpdate will then try to download the necessary file(s). This archive contains the file which holds a complete list of all Symantec product updates. After LiveUpdate has received the file, it will compare the product versions to the versions of the Symantec products installed on the host and check the appropriate sequence numbers to see if an update is required. If an update is required, LiveUpdate will receive the file specified, uncompress it and perform the actions described in the file. This includes the execution of downloaded executables.
LiveUpdate 1.6 follows the same procedure described above with one exception. The actual downloaded update contains "cryptographic signatures" of all update files. This signature makes it virtually impossible to use LiveUpdate 1.6 as a penetration tool. However, by specifying a large file location on the Internet, a scheduled LiveUpdate session in a medium sized company will lead to network degradation and outages due to the large amount of traffic generated..."
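The two client behaviours quoted above, modelled side by side as an added example (this is not Phenoelit's or Symantec's code, and it does not reproduce LiveUpdate's real catalog format or signature scheme): an unsigned 1.4-style client that runs whatever the catalog names, a 1.6-style client that verifies a signature on every update file before acting on it, and, going one step beyond the quoted text, a per-download size cap, since a signature check only fires after the whole file has been pulled and so does nothing against the "large file location" traffic problem. Assumptions are labelled in the code: HMAC-SHA256 with a shared key stands in for the vendor's real signatures, the catalog layout and the three sample FTP hosts are constructed for the demo, and "executed" means the client reached the point at which 1.4 would launch the file.

```python
"""Model of an update client under DNS misdirection (added example; not
Symantec's code). Shows the unsigned 1.4-style path, the 1.6-style path
that verifies a signature on every update file, and a per-download size
cap against the 'large file location' DoS that signatures alone miss."""
import hashlib
import hmac

# Assumption: HMAC-SHA256 with a shared key stands in for the vendor's
# real (asymmetric) update signatures; the client holds the verifying key.
VENDOR_KEY = b"vendor-signing-key-demo"
CHUNK = 4096

def sign(data: bytes) -> str:
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).hexdigest()

def parse_catalog(text: str) -> list:
    """Catalog lines are '<product> <sequence> <filename>' (constructed format)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            product, seq, filename = line.split()
            entries.append((product, int(seq), filename))
    return entries

class Server:
    """Stand-in for whichever FTP host DNS resolution hands the client."""
    def __init__(self, files: dict):
        self.files = files          # name -> bytes
        self.bytes_served = 0

    def stream(self, name: str):
        data = self.files[name]     # KeyError if this host lacks the file
        for i in range(0, len(data), CHUNK):
            self.bytes_served += len(data[i:i + CHUNK])
            yield data[i:i + CHUNK]

def download(server: Server, name: str, max_bytes=None) -> bytes:
    """Fetch in chunks; abort as soon as the cap is exceeded, not afterwards."""
    buf = bytearray()
    for chunk in server.stream(name):
        buf.extend(chunk)
        if max_bytes is not None and len(buf) > max_bytes:
            raise ValueError(f"{name}: exceeds size cap of {max_bytes} bytes")
    return bytes(buf)

def run_liveupdate(server: Server, installed: dict, verify: bool, max_bytes=None) -> dict:
    """Return which update files the client would execute, reject, or choke on."""
    result = {"executed": [], "rejected": [], "error": None}
    try:
        catalog = download(server, "catalog.txt", max_bytes).decode()
        for product, seq, filename in parse_catalog(catalog):
            if installed.get(product, -1) >= seq:
                continue                      # already at this sequence number
            payload = download(server, filename, max_bytes)
            if verify:                        # 1.6-style: check before acting
                sig = download(server, filename + ".sig", max_bytes).decode()
                if not hmac.compare_digest(sig, sign(payload)):
                    result["rejected"].append(filename)
                    continue                  # never reaches execution
            result["executed"].append(filename)   # 1.4-style runs it as-is
            installed[product] = seq
    except (ValueError, KeyError) as exc:
        result["error"] = str(exc)
    return result

def make_servers() -> dict:
    """Constructed sample hosts: the genuine one, a spoof, and a DoS spoof."""
    genuine = b"MZ genuine NAV definitions update (constructed)"
    return {
        "legit": Server({"catalog.txt": b"NAV 12 navdefs12.exe\n",
                         "navdefs12.exe": genuine,
                         "navdefs12.exe.sig": sign(genuine).encode()}),
        "spoofed": Server({"catalog.txt": b"NAV 99 evil.exe\n",
                           "evil.exe": b"MZ attacker payload (constructed)",
                           "evil.exe.sig": b"0" * 64}),   # attacker cannot forge one
        "huge": Server({"catalog.txt": b"NAV 99 bigfile.bin\n",
                        "bigfile.bin": b"\0" * (8 * 1024 * 1024),  # 8 MiB of junk
                        "bigfile.bin.sig": b"0" * 64}),
    }

def demo() -> dict:
    s = make_servers()
    out = {"genuine": run_liveupdate(s["legit"], {"NAV": 11}, verify=True),
           "lu14_spoofed": run_liveupdate(s["spoofed"], {"NAV": 11}, verify=False),
           "lu16_spoofed": run_liveupdate(s["spoofed"], {"NAV": 11}, verify=True),
           "lu16_huge_nocap": run_liveupdate(s["huge"], {"NAV": 11}, verify=True)}
    out["nocap_bytes"] = s["huge"].bytes_served       # whole 8 MiB pulled, then rejected
    s = make_servers()
    out["lu16_huge_cap"] = run_liveupdate(s["huge"], {"NAV": 11}, verify=True,
                                          max_bytes=1024 * 1024)
    out["cap_bytes"] = s["huge"].bytes_served          # aborted just past 1 MiB
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the split the quoted advisory describes: against the spoofed host the unsigned client "executes" evil.exe while the signing client rejects it, but the signing client still pulls the entire 8 MiB decoy before its signature check can fail, whereas the 1 MiB cap stops the transfer at the first chunk past the limit. In a real client the cap would come from a size field in the signed catalog rather than a fixed constant.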
The DNS attacks described by the Phenoelit group are not new or unique to this issue. They have been widely known for some time to be an Internet infrastructure problem, not a Symantec product problem, and have been used in many well-publicized DNS spoofing, redirection and cache-poisoning attacks. Due in part to the identification of these attacks and the emphasis placed on their impact on the Internet infrastructure by lists such as the SANS Twenty Most Critical Internet Security Vulnerabilities, the security of vulnerable Internet name servers is now being addressed in a more timely manner.
LiveUpdate 1.4 was first released four years ago and has been superseded by LiveUpdate 1.5 and, most recently, by LiveUpdate 1.6, which implemented additional security features. Users of Symantec products have been able to upgrade to LiveUpdate 1.6.x as a product update since July 2000. Users who have not yet upgraded can find the latest version of Symantec LiveUpdate freely available from Symantec's Web site. All current releases of Symantec products ship with LiveUpdate 1.6.
Phenoelit's suggestion that users still running LiveUpdate 1.4 with Norton AntiVirus products are susceptible to misdirection attacks that could cause them to download and run malicious executables is a misunderstanding of Norton AntiVirus capabilities. While misdirection at some point in the Internet infrastructure is possible, any attempt to download malware and run unauthorized executables would be detected by Norton AntiVirus's AutoProtect feature and blocked from executing by Symantec's Script Blocking technology. Further, Symantec Security Response's 24-hour response capability would be able to rapidly create and disseminate signatures to detect and stop identified malicious activity.
Symantec's LiveUpdate 1.6 could potentially be temporarily affected by the DoS scenario depicted by the Phenoelit group; however, only a small percentage of a very large user base could be impacted to any degree, as the spoofing or redirection would, by its very nature, be limited to a local Internet area or region.
Symantec is constantly working to improve the security of its technology and will be releasing a new version of LiveUpdate in the near future that will further ensure the integrity of the product against attempted attacks of this nature.
Symantec takes the security of its products very seriously and appreciates the support of the Phenoelit group in identifying potential areas of concern.