Intrusion Prevention

Symantec.Norton.UPX.File.Heap.Overflow

Description

This indicates a possible exploit of a buffer overflow vulnerability in the Symantec AntiVirus Library.
The DEC2EXE module of Symantec AntiVirus Library is used to parse UPX (Ultimate Packer for eXecutables) files. By creating a specially crafted UPX file and sending it to an affected system in an email or over other common protocols, a remote attacker could overflow a buffer and execute arbitrary code on the system when the malicious UPX file is parsed.

Affected Products

Enterprise Products
Norton AntiVirus for Microsoft Exchange 2.18 build 83
Symantec Mail Security for Microsoft Exchange 4.01 build 461
Symantec Mail Security for Microsoft Exchange 4.01 build 459
Symantec Mail Security for Microsoft Exchange 4.01 build 458
Symantec Mail Security for Microsoft Exchange 4.5 build 719
Symantec AntiVirus/Filtering for Domino NT 3.1 prior to build 3.1.1
Symantec Mail Security for Domino 4.0 prior to build 4.0.1
Symantec AntiVirus/Filtering for Domino Ports 3.0 (AIX) build 3.0.5
Symantec AntiVirus/Filtering for Domino Ports 3.0 (OS400, Linux, Solaris) build 3.0.5
Symantec AntiVirus Scan Engine 4.0.X all versions
Symantec AntiVirus Scan Engine 4.3.X prior to build 4.3.3
Symantec AntiVirus Scan Engine for ISA 4.0.X all versions
Symantec AntiVirus Scan Engine for ISA 4.3.x prior to build 4.3.3
Symantec AntiVirus Scan Engine for Netapp Filer 4.0.X All versions
Symantec AntiVirus Scan Engine for Netapp Filer 4.3.X prior to build 4.3.3
Symantec AntiVirus Scan Engine for Netapp NetCache 4.0.X All versions
Symantec AntiVirus Scan Engine for Netapp NetCache 4.3.X prior to build 4.3.3
Symantec AntiVirus Scan Engine for Bluecoat 4.0.X All versions
Symantec AntiVirus Scan Engine for Bluecoat 4.3.X prior to build 4.3.3
Symantec AntiVirus Scan Engine for Filers 4.3.X prior to build 4.3.3
Symantec AntiVirus Scan Engine for Caching 4.3.X prior to build 4.3.3
Symantec AntiVirus for SMTP 3.1.X build 3.1.1
Symantec AntiVirus for SMTP 3.1.X build 3.1.2
Symantec AntiVirus for SMTP 3.1.X build 3.1.3
Symantec AntiVirus for SMTP 3.1.X build 3.1.4
Symantec AntiVirus for SMTP 3.1.X build 3.1.5
Symantec AntiVirus for SMTP 3.1.X build 3.1.6
Symantec Mail Security for SMTP 4.0 prior to build 4.0.2
Symantec Web Security 3.0.1.X build 3.01.59
Symantec Web Security 3.0.1.X build 3.01.60
Symantec Web Security 3.0.1.X build 3.01.61
Symantec Web Security 3.0.1.X build 3.01.62
Symantec Web Security 3.0.1.X build 3.01.63
Symantec Web Security 3.0.1.X build 3.01.67
Symantec Web Security 3.0.1.X build 3.01.68
Symantec BrightMail AntiSpam 4.0 All
Symantec BrightMail AntiSpam 5.5 All
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.314a
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.319
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.323
Symantec AntiVirus Corporate Edition 8.1.1 build 8.1.1.329
Symantec AntiVirus Corporate Edition 8.01 build 8.01.434
Symantec AntiVirus Corporate Edition 8.01 build 8.01.437
Symantec AntiVirus Corporate Edition 8.01 build 8.01.446
Symantec AntiVirus Corporate Edition 8.01 build 8.01.457
Symantec AntiVirus Corporate Edition 8.01 build 8.01.460
Symantec AntiVirus Corporate Edition 8.01 build 8.01.464
Symantec AntiVirus Corporate Edition 8.01 build 8.01.471
Symantec Client Security 1.1.1 MR1 build 8.1.1.314a
Symantec Client Security 1.1.1 MR2 build 8.1.1.319
Symantec Client Security 1.1.1 MR3 build 8.1.1.323
Symantec Client Security 1.1.1 MR4 build 8.1.1.329
Symantec Client Security 1.1.1 MR5 build 8.1.1.336
Symantec Client Security 1.0.1 MR3 build 8.01.434
Symantec Client Security 1.0.1 build 8.01.437
Symantec Client Security 1.0.1 MR4 build 8.01.446
Symantec Client Security 1.0.1 MR5 build 8.01.457
Symantec Client Security 1.0.1 MR6 build 8.01.460
Symantec Client Security 1.0.1 MR7 build 8.01.464
Symantec Client Security 1.0.1 MR8 build 8.01.471
Symantec Gateway Security 2.0, 2.0.1 - 5400 Series
Symantec Gateway Security 1.0 - 5300 Series
Symantec Norton Antivirus 9.0 for Macintosh Corporate Edition

Consumer Products
Symantec Norton Antivirus 2004 for Windows
Symantec Norton Internet Security 2004 (pro) for Windows
Symantec Norton System Works 2004 for Windows
Symantec Norton Antivirus 9.x for Macintosh (only when installed on OSX)
Symantec Norton Internet Security 3.x for Macintosh (only when installed on OSX)
Symantec Norton System Works 3.x for Macintosh (only when installed on OSX)

Impact

System compromise: execution of arbitrary code

Recommended Actions

Updates and Maintenance Releases are available either through Symantec's LiveUpdate for those products that have LiveUpdate capability, or from the Symantec Product Support site at http://www.symantec.com/techsupp.

CVE References

CVE-2005-0249