|Security Advisory ID SYMSA1005|
Initial Publication Date: 22 Jan 2002
Symantec Corporation has been made aware of, and is preparing an update for, current Norton Internet Security, Norton Personal Firewall and Symantec Desktop Firewall products to correct a potential exposure of the firewall logs to unauthorized modification. The file sharing parameters used when the logs are opened, combined with the default installation permissions, could allow the log files to be modified or altered in a way that compromises the integrity of the logs and could be used in an attempt to hide unauthorized activity on the system.
Exposure of the log files to modification does not in any way affect the protective functions of the product. File modification merely provides a potential way for an intruder to attempt to disguise their activity on the system.
Nomad Mobile Research Centre (NMRC) Advisory, Subj: OpenFile Win32 API Log Overwriting/Rewriting
Symantec Norton Internet Security 200x
Symantec Norton Internet Security 200x Family Edition
Symantec Norton Internet Security Professional 2002
Symantec Norton Personal Firewall 200x
Symantec Desktop Firewall 2.0x
Symantec was notified by NMRC of an issue in the file sharing parameters with which our desktop firewall applications open their log files. It could permit an unauthorized user on the system to modify or delete the firewall logs of certain Symantec personal and Internet Security firewall products. The log files are opened with the FILE_SHARE_READ and FILE_SHARE_WRITE share access parameters, so another application, using the appropriate Win32 API call with a compatible share mode, can re-open the log files and overwrite the firewall log entries while the firewall application is still running. The application's dialog tabs continue to show the correct alert entries while the application is running; once the firewall service is stopped and restarted, the log entries reflect what was overwritten.
Additionally, the default install permissions grant the Everyone group Full Control over the log files. A non-privileged user who lacks the Service Control Manager permission needed to stop the service can therefore still open the log files, using the share parameters described above, and modify them to remove alerts or any other indication of attempted attacks against the targeted system. Once the firewall service is stopped and restarted, the log files reflect the modified entries.
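The two conditions the advisory describes can be reproduced and checked from PowerShell on any Windows system with the .NET file APIs, which map FileShare onto the same dwShareMode that CreateFile takes. The script below is an added example, not Symantec's or NMRC's code, and touches only a constructed directory under $env:TEMP with a constructed log line; the product's real log directory is not given in the advisory and is left as an assumption in the comment at the end. It shows that a writer holding the log with FileShare.ReadWrite can be truncated by a second open, that FileShare.Read refuses that open with a sharing violation, and that an Everyone Full Control entry must be removed separately, because the share mode stops protecting the file the moment the service releases its handle.

```powershell
# Added example (not Symantec's or NMRC's code). Reproduces the share-mode and
# ACL conditions from the advisory against a constructed log under $env:TEMP.
$demoDir = Join-Path $env:TEMP 'fwlog-demo'
New-Item -ItemType Directory -Force -Path $demoDir | Out-Null
$logPath = Join-Path $demoDir 'firewall.log'
# Constructed log entry; not real product output.
Set-Content -Path $logPath -Value '2002-01-22 10:01:05 Inbound TCP 10.0.0.5:4444 -> 1080 BLOCKED'

function Open-LogLikeService {
    # The service's own open. $Share models the dwShareMode given to CreateFile:
    # ReadWrite is the setting the advisory describes, Read is the hardened one.
    param([string]$Path, [System.IO.FileShare]$Share)
    [System.IO.File]::Open($Path, [System.IO.FileMode]::Append,
                           [System.IO.FileAccess]::Write, $Share)
}

function Test-LogOverwrite {
    # Returns $true if a second open for write succeeds and truncates the log
    # while the service handle is still open; $false on a sharing violation.
    # (A second handle in this session is subject to the same sharing check
    # that another process would be.)
    param([string]$Path, [System.IO.FileShare]$ServiceShare)
    $svc = Open-LogLikeService -Path $Path -Share $ServiceShare
    try {
        $attacker = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                        [System.IO.FileAccess]::Write, [System.IO.FileShare]::ReadWrite)
        try {
            $attacker.SetLength(0)        # wipe the recorded alerts
            $bytes = [System.Text.Encoding]::ASCII.GetBytes("2002-01-22 10:01:05 nothing to see here`r`n")
            $attacker.Write($bytes, 0, $bytes.Length)
            return $true
        } finally { $attacker.Dispose() }
    } catch [System.IO.IOException] {
        return $false                     # ERROR_SHARING_VIOLATION: open refused
    } finally { $svc.Dispose() }
}

"Share mode ReadWrite (as shipped): log overwritten = $(Test-LogOverwrite $logPath ([System.IO.FileShare]::ReadWrite))"
"Share mode Read (hardened):        log overwritten = $(Test-LogOverwrite $logPath ([System.IO.FileShare]::Read))"

function Test-EveryoneFullControl {
    # Lists Allow entries granting Everyone Full Control on $Path. This is the
    # default the advisory describes; it lets a user who cannot stop the service
    # edit the log anyway once the service handle is released.
    param([string]$Path)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
}

function Set-LogDirectoryAcl {
    # Replacement ACL (assumption: the service runs as SYSTEM, Administrators
    # review the logs, ordinary users at most read them). Run elevated.
    # Inheritance from the parent is cut so the Everyone entry does not return.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($pair in @(@('NT AUTHORITY\SYSTEM', 'FullControl'),
                        @('BUILTIN\Administrators', 'FullControl'),
                        @('BUILTIN\Users', 'ReadAndExecute'))) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                    -ArgumentList $pair[0], $pair[1], $inherit, $none, 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

"Everyone Full Control entries on ${demoDir}:"
Test-EveryoneFullControl -Path $demoDir | Format-Table IdentityReference, FileSystemRights, IsInherited
# To apply the hardened ACL to the product's real log directory (its path is an
# assumption here; confirm the installed location first), run as Administrator:
#   Set-LogDirectoryAcl -Path '<installed firewall log directory>'
Remove-Item -Recurse -Force $demoDir
```

Both checks are needed: the share mode only governs concurrent opens, so it protects the log only while the service holds the handle, and the ACL only applies on NTFS volumes, where it is what stops a non-administrator from editing the file after the service has been stopped and before it restarts.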
Symantec Desktop Firewall, Norton Internet Security and Norton Personal Firewall provide intrusion protection, firewall rules and application control to protect individual PCs and small networked systems from online threats. The information recorded in the firewall log files is an important part of maintaining the security of the system and of understanding inbound and outbound system activity. Symantec is constantly working to upgrade the security of its products and is currently testing an update to further secure the firewall logs against unauthorized access and modification. This security update will be available via LiveUpdate.
Securing a user's computer against real and potential Internet threats takes a multi-tiered approach. Symantec's firewall solutions and a leading antivirus solution such as Norton AntiVirus are complementary products that together form a comprehensive defense against online threats such as viruses and hackers. Additionally, Symantec recommends the following best practices to protect your systems against unauthorized access.
- Ensure there are strong, unique passwords established for each account on the system.
- If the system's firmware allows a password to be required when the system is turned on (a BIOS or EEPROM password), enable and set it, and ensure it differs from the account password.
- Control physical access to the system to prevent unauthorized individuals from gaining easy access to the system.
- Users should always practice safe computing to minimize their exposure to security risks.
- Users should keep the patch levels of all software up to date and be wary of unexpected attachments or executables arriving by email, from user groups, etc. Err on the side of caution: deny unexpected communication attempts, do not open attachments or executables from unknown sources, and scan all attachments with an up-to-date antivirus product before opening them, even if the sender is known.
Symantec takes the security of its products very seriously and appreciates the coordination of NMRC in identifying and providing technical details of potential areas of concern so that we can quickly address the issue.