Symantec Scrambles to Fix Firewall Flaws Users at Risk of Code Execution Attacks Ryan Naraine
Computer security specialist Symantec Thursday moved swiftly to patch four very serious vulnerabilities in its popular Norton firewall products.
An alert from Cupertino, Calif.-based Symantec described the flaws as "high risk" and warned that a successful exploit could wipe out a user's computer. Attackers could also execute remote code with kernel-level privileges on the targeted system.
The vulnerabilities, first discovered by researchers at eEye Digital Security, affect both enterprise and consumer Norton users. Products at risk include Symantec Client Firewall 5.01 and 5.1.1; Symantec Client Security 1.0, 1.1, and 2.0 (SCF 7.1); Norton Internet Security and Professional 2002, 2003, and 2004; Norton Personal Firewall 2002, 2003, and 2004; and Norton AntiSpam 2004.
Independent research firm Secunia rates the flaws as "extremely critical" because they could lead to a destructive worm attack. "The vulnerability is
very similar to the 'ICQ Response Buffer Overflow' vulnerability in various ISS products, which was already exploited by the 'Witty' worm the day after it was disclosed to the public," states Secunia.
Secunia CTO Thomas Kristensen reports the vulnerabilities could be using UDP traffic, which could lead to a scenario of a "fast and violent" attack similar to the Slammer worm that exploited Microsoft SQL servers last year.
"It is important that people patch and upgrade their Symantec Firewall products today as there is no other effective solution against this," Kristensen says.
For Symantec, the discovery of such a serious bug in products designed to provide PC security could be disastrous. The company has used the popularity – and success &mnash; of the Norton AntiVirus brand to gain traction in the enterprise market with VPN and firewall management applications.
Now comes word that Norton firewalls can be exploited no matter how the firewall has been configured. To its credit, Symantec wasted no time in confirming the existence of the holes and rushing out fixes. Patches have already been released through Symantec LiveUpdate and technical support channels.
Clients running consumer versions of the affected products who regularly run a manual Symantec LiveUpdate should be automatically protected against this issue. "However, to be sure they are fully protected, customers should manually run Symantec LiveUpdate to ensure all available updates are installed," the company says.
Enterprise users of Symantec Client Firewall or Symantec Client Security should download and apply patches obtained through their appropriate support
channels. The company reports it is unaware of any active attempts to exploit the flaws.
The flaws include a boundary error within the "SYMDNS.SYS" driver when processing certain NBNS (NetBIOS Name Service) datagrams. This bug can be exploited to cause a stack-based buffer overflow by sending a specially crafted NBNS response to a vulnerable system.
Most of the flaws leave users at risk of scenarios where an attacker could execute malicious code with kernel mode privileges.
