On June 28, 2016, Symantec Corporation acknowledged two vulnerabilities in its Antivirus Decomposer engine. The engine is used in Symantec Endpoint Protection and in other Norton security products.
The issues were discovered by Tavis Ormandy, a security researcher at Google, who reported them to the company. Both vulnerabilities concern malicious RAR files that, when exploited, can cause an application-level denial of service condition.
Malware authors often shrink their malicious code with so-called “packers”. The technique itself is not malicious; however, when such a file reaches a device, the antivirus product must unpack it to determine whether it contains malicious code. The packed content can be a RAR, ZIP or other archive. By placing crafted data in the headers of the packed file, an attacker can trigger a flaw in the Antivirus Decomposer engine.
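To make the header-parsing failure mode concrete, here is an added example (not Symantec's code, and not the actual decomposer bug, whose details the advisory does not disclose) using the RAR 4.x block header layout: a permissive reader that trusts the HEAD_SIZE field computes a next-block offset past the end of the buffer, while a hardened reader rejects the same crafted header. The sample archives are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* RAR 4.x block header layout (7 bytes, little-endian):
 *   HEAD_CRC (2) | HEAD_TYPE (1) | HEAD_FLAGS (2) | HEAD_SIZE (2)
 * HEAD_SIZE covers the header plus any block-specific fields, so a reader
 * advances by HEAD_SIZE to reach the next block. */
#define RAR_HDR_LEN 7
#define RAR_HEAD_SIZE_OFF 5

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Permissive walker: trusts HEAD_SIZE as written in the file. Returns where
 * the next block would start. With a crafted size this lands beyond 'len',
 * and dereferencing it is the out-of-bounds read. */
size_t rar_next_block_untrusted(const uint8_t *buf, size_t len, size_t off) {
    (void)len; /* never consulted: this is the defect being illustrated */
    return off + le16(buf + off + RAR_HEAD_SIZE_OFF);
}

/* Hardened walker: each header must fit in the remaining bytes, and
 * HEAD_SIZE must be at least the fixed 7 bytes and at most what remains.
 * Returns the number of blocks parsed, or -1 at the first malformed header. */
int rar_count_blocks(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int blocks = 0;
    while (off < len) {
        if (len - off < RAR_HDR_LEN) return -1;                 /* truncated header */
        uint16_t size = le16(buf + off + RAR_HEAD_SIZE_OFF);
        if (size < RAR_HDR_LEN || size > len - off) return -1; /* bogus HEAD_SIZE */
        off += size;
        blocks++;
    }
    return blocks;
}

/* Constructed samples. Both start with the genuine RAR marker block
 * "Rar!\x1a\x07\x00", which itself parses as CRC 0x6152, type 0x72,
 * flags 0x1a21, HEAD_SIZE 7. SAMPLE_GOOD follows it with a 13-byte
 * MAIN_HEAD (type 0x73); SAMPLE_BAD follows it with a header whose
 * HEAD_SIZE claims 0xFFFF bytes although nothing follows it. */
const uint8_t SAMPLE_GOOD[] = { 'R','a','r','!',0x1a,0x07,0x00,
                                0x00,0x00,0x73,0x00,0x00,0x0d,0x00,
                                0x00,0x00,0x00,0x00,0x00,0x00 };
const uint8_t SAMPLE_BAD[]  = { 'R','a','r','!',0x1a,0x07,0x00,
                                0x00,0x00,0x73,0x00,0x00,0xff,0xff };
```

The same pattern applies to any length-prefixed container format a scanner must open: validate every size field against the bytes actually present before using it as an offset.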
CVE-2016-5310 and CVE-2016-5309
Symantec rates the severity of both issues as medium. Symantec titled CVE-2016-5310 “RAR decompression memory corruption” and CVE-2016-5309 “RAR decompression OOB read”. Both can result in a denial of service.
“Parsing of maliciously formatted RAR container files may cause memory corruption. This may cause an application-level denial of service condition but does not allow any additional exploit opportunities.”
Source: Symantec Security Advisory
The attack could easily be triggered through an email attachment containing the malicious RAR file. Another way is to send the victim a link to a web page that tries to convince the user to download the RAR file.
Many of Symantec’s products are affected by CVE-2016-5310 and CVE-2016-5309. The list includes:
- Symantec Endpoint Protection (for Mac, Linux, and Windows)
- Symantec Endpoint Protection Cloud (SEPC) (for Mac and Windows)
- Symantec Protection Engine
- Symantec Mail Security for Microsoft Exchange (SMSMSE)
- Symantec Web Gateway
- And other enterprise and server solutions.
Patches are available for all affected products. Symantec's advisory, Security Advisories Relating to Symantec Products – Symantec Decomposer Engine Security Update, walks users of any affected product through patching it. We recommend following those steps immediately to remove the risk.