Initial Publication Date: Advisory Status: Advisory Severity: CVSS Base Score:Legacy ID
15 Jul 2002 Closed Medium 7.5 SYM02-011
@stake notified Symantec of a denial of service problem with outgoing http request through the http filter component on the Symantec Norton Internet Security 2001 personal firewall. Certain malformed requests resulted in a general protection fault (GPF) on the system.
Symantec Norton Internet Security 2001
Symantec Norton Personal Firewall 2001
Symantec Desktop Firewall 2.0
Symantec Desktop Firewall 2.01
The security professionals with @stake discovered a buffer overflow condition in the handling of outgoing http requests by the http filter on the Symantec Norton Internet Security 2001. During Symantec's testing this issue was found to impact the Symantec Norton Personal Firewall 2001 as well. The buffer overflow condition overwrites the first three bytes of the EDI register causing a kernel exception, resulting in a GPF on the targeted system and requiring a reboot.
The GPF is the result of improper error checking in the array allocated to store the hostname specified in the outgoing connection. By supplying an abnormally long hostname in the outgoing http request, the buffer in the http filter is overrun causing the kernel exception and the GPF.
This exception occurs whether the firewall rules permit outgoing http connections or not.
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2002-0663 to this issue.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Symantec engineers verified the buffer overflow condition exists in Symantec's Norton Internet Security 2001, Symantec's Norton Personal Firewall 2001 as well as Symantec's Desktop Firewall 2.0 and 2.01. They have further determined that the GPF does not occur in the latest release of Symantec's Norton Personal Firewall 2002, Norton Internet Security 2002, Norton Internet Security 2002 Professional Edition nor the Symantec Client Security, Symantec's integrated antivirus, intrusion detection and firewall replacement for Symantec Desktop Firewall.
However, Symantec takes any product issue such as this very seriously. We are developing a patch for Symantec Norton Internet Security 2001, and Personal Firewall 2001 to address this issue. The patch will be available via LiveUpdate when completed. We are further enhancing the capabilities of future Symantec products to provide additional protection against these types of issues.
There are some circumstances that greatly mitigate the risk associated with this issue. The buffer overflow condition identified by @stake occurs only in outgoing http requests through the Symantec Norton Internet Security, Personal Firewall and Symantec Desktop Firewall product's http filter.
Any attempt to launch an attack of this nature requires the attacker to either have or be able to gain local access to the targeted system in order to initiate the http request or cause the system user, through a malicious email attachment or by directing the user to a malicious web site, to download and execute malicious code on their system.
Symantec recommends using a multi-layered approach to security. Users, at a minimum, should run both personal firewall and antivirus applications with current updates to provide multiple points of detection and protection to both inbound and outbound threats.
Users should keep vendor-supplied patches for all application software and operating systems up-to-date.
Users should further be wary of mysterious attachments and executables delivered via email.
Do not open attachments or executables from unknown sources. Always err on the side of caution.
Even if the sender is known, be wary of attachments if the sender does not explain the attachment content in the body of the email. You do not know the source of the attachment.
If in doubt, contact the sender before opening the attachment. If still in doubt, delete the attachment without opening it.
Symantec takes the security and proper functionality of our products very seriously. Symantec appreciates the coordination of Ollie Whitehouse and @stake, Inc. in identifying and providing technical details of areas of concern as well as working closely with Symantec so we could properly address the issue. Anyone with information on security issues with Symantec products should contact firstname.lastname@example.org.
This is machine translated content
Login to Subscribe
Please login to set up your
Would you like to be subscribed to future notifications for this article?
For security reasons, your link to this document has expired. Please click on the attachment link to access this file.
The attachment that you are looking for no longer exists.
There has been an issue retrieving your attachment. Please try again.
Currently server is down.
Didn't find the article you were looking for? Try these resources.