The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding a vulnerability in certain Symantec antivirus products, which can be leveraged by a remote attacker to execute arbitrary code with administrative privileges.The issue stems from the fact that some Symantec products fail to properly handle malformed CAB files, resulting in memory corruption.
The affected products are Symantec Endpoint Protection 11.0 and Symantec Endpoint Protection Small Business Edition 12.0.
These products are impacted because they rely on a legacy decomposer that fails to perform proper bounds check in some specifically formatted files when parsing content to be scanned from the CAB archive.
“Successful targeting of this nature would necessarily require the attacker to be able to get their maliciously formatted archive past established email security policies to be processed on a system. This may lessen the success of any potential attempts of this nature though it does not reduce the severity if successfully executed,” Symantec wrote in its report.
The company has confirmed that the legacy versions of the decomposer engines can cause crashes when handling malformed CAB files, but they haven’t been able to verify remote code execution.
The best way to address this issue is by updating the products to the latest versions, which don’t utilize the decomposer engine in question.
Other mitigation strategies include the disabling of CAB file scanning until a permanent fix is made available and following best practices.
US-CERT recommends the use of the Microsoft Enhanced Mitigation Experience Toolkit (EMET), which could help prevent exploitation, and the enabling of Data Execution Prevention (DEP), although the use of DEP should not be considered a complete workaround.
Symantec is not aware of any attempts to exploit this issue.