ICANN/GNSO GNSO Email List Archives

[ga]



[ga] This Forum virus hits from one subscriber - Causes...

  • To: General Assembly of the DNSO <ga@xxxxxxxxxxxxxx>
  • Subject: [ga] This Forum virus hits from one subscriber - Causes...
  • From: Jeff Williams <jwkckid1@xxxxxxxxxxxxx>
  • Date: Sun, 16 May 2004 23:54:37 -0700
  • Organization: INEGroup Spokesman
  • Sender: owner-ga@xxxxxxxxxxxxxx

All former DNSO GA members or other interested stakeholders/users,

  Lately or recently this forum has been hit by Leah's Email address
containing viruses.  The cause seems to be from the following,
given Leah's several self-proclaimed use of Norton.
See ( fixes now available, below.  Note: switch to some other
vendor's virus ware Leah )

======================

 HIGH: Symantec Firewall Products Multiple Vulnerabilities
Affected:
Symantec Norton Internet Security 2002
Symantec Norton Internet Security 2003
Symantec Norton Internet Security 2004
Symantec Norton Internet Security Professional 2002
Symantec Norton Internet Security Professional 2003
Symantec Norton Internet Security Professional 2004
Symantec Norton Personal Firewall 2002
Symantec Norton Personal Firewall 2003
Symantec Norton Personal Firewall 2004
Symantec Client Firewall 5.01, 5.1.1
Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
Symantec Norton AntiSpam 2004

Description: Symantec firewall products, used by both enterprises and
home users, contain the following vulnerabilities in the "SYMDNS.SYS"
module. This module validates the DNS and NetBIOS name service 
responses before allowing them to pass through the firewall.

(1) The module contains a stack-based buffer overflow that can be
triggered by a DNS response with an overlong "CNAME" field. The 
overflow can be exploited to execute arbitrary code with the 
"KERNEL" privileges.

Note that the firewall processes all DNS response packets i.e. any UDP
packet with source port 53. Hence, the flaw lends itself to easy
exploitation via spoofed UDP packets.

(2) The module contains another stack-based buffer overflow that can be
triggered by a specially crafted NetBIOS response with an overlong
NetBIOS name. The overflow can be exploited to execute arbitrary code
with the "KERNEL" privileges. Note that if the client allows Windows
file sharing, the NetBIOS name service port 137/udp is open.

(3) The module contains a heap-based buffer overflow that can be
triggered by a crafted NetBIOS response. The problem arises when the
NetBIOS response does not contain the "Type", "Class", "Time-to-Live"
and "Data Length" fields in a "Resource Record". The heap-based 
overflow can be leveraged to execute arbitrary code with "KERNEL" 
privileges, but is believed to be difficult to exploit reliably.

(4) The module contains a denial-of-service vulnerability. The problem
arises because a malicious domain name, constructed by using the DNS
"compressed name pointer", can cause the decoding routine to enter an
"infinite" loop. A hard reboot is required to restore the system to
normalcy. The technical details required to exploit all the
vulnerabilities have been posted.

Status: Symantec has confirmed the flaws; updates available. Clients 
are advised to use the "LiveUpdate" feature to get the latest fixes.

Council Site Actions:  Three of the reporting council sites are using
the affected product.  One site has already patched their systems via
the LiveUpdate Feature.  Another site has only notified their sysadmins
and has not yet planned how to remediate. They are expecting a major
effort since they were hit hard by the recent BlackIce attack.  The
third site has a large number of Symantec users; however they do not
officially support the software and do not plan any action at this time.

They said that if there is an exploit released in the wild, they will
inform the end users who have signed up for general security
notifications.

References:
eEye Advisories
http://www.eeye.com/html/Research/Advisories/AD20040512D.html (DNS Overflow)
http://www.eeye.com/html/Research/Advisories/AD20040512A.html (NetBIOS Stack Overflow)
http://www.eeye.com/html/Research/Advisories/AD20040512C.html (NetBIOS Heap Overflow)
http://www.eeye.com/html/Research/Advisories/AD20040512B.html (DNS DoS)
Symantec Advisory
http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html

DNS DoS Exploit
http://archives.neohapsis.com/archives/bugtraq/2004-05/0131.html
SecurityFocus BID
http://www.securityfocus.com/bid/10333
http://www.securityfocus.com/bid/10334
http://www.securityfocus.com/bid/10335
http://www.securityfocus.com/bid/10336
****************************************************************

Regards,

--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Be precise in the use of words and expect precision from others" -
    Pierre Abelard

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng.  INEG. INC.
E-Mail jwkckid1@xxxxxxxxxxxxx
 Registered Email addr with the USPS
Contact Number: 214-244-4827
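
Added example, not part of the original message or the quoted advisory: a DNS name decoder written defensively against the two DNS flaw classes described in items (1) and (4), with every copy bounded by the RFC 1035 limits and compression pointers allowed only strictly backwards so a pointer cycle is rejected. The names dns_decode_name, PKT_OK and PKT_LOOP are hypothetical, the packets are constructed samples, and the backward-only pointer rule is one common hardening choice, not Symantec's actual fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DNS_MAX_LABEL 63   /* RFC 1035: longest single label */
#define DNS_MAX_NAME  255  /* RFC 1035: longest whole name */

/* Decode the name at msg[off] into dotted text in out. Returns the text
 * length, or -1 if the name is malformed. All reads and writes are
 * length-checked; pointers may only target offsets below `limit`. */
int dns_decode_name(const uint8_t *msg, size_t msg_len, size_t off,
                    char *out, size_t out_len)
{
    size_t used = 0, limit = off;
    if (out_len == 0) return -1;
    for (;;) {
        if (off >= msg_len) return -1;               /* ran off the packet */
        uint8_t len = msg[off];
        if ((len & 0xC0) == 0xC0) {                  /* compression pointer */
            if (off + 1 >= msg_len) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            if (target >= limit) return -1;          /* self, forward or cyclic */
            limit = off = target;                    /* limit strictly shrinks */
            continue;
        }
        if (len == 0) break;                         /* root label: done */
        if (len > DNS_MAX_LABEL || off + 1 + len > msg_len) return -1;
        size_t need = len + (used ? 1 : 0);          /* label plus its dot */
        if (used + need > DNS_MAX_NAME || used + need + 1 > out_len) return -1;
        if (used) out[used++] = '.';
        memcpy(out + used, msg + off + 1, len);
        used += len;
        off += 1 + (size_t)len;
    }
    out[used] = '\0';
    return (int)used;
}

/* Constructed samples: 12 zero header bytes, then name data. */
const uint8_t PKT_OK[] = { 0,0,0,0,0,0,0,0,0,0,0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    4,'m','a','i','l', 0xC0, 16 };           /* "mail" + pointer to offset 16 */
const uint8_t PKT_LOOP[] = { 0,0,0,0,0,0,0,0,0,0,0,0, 0xC0,14, 0xC0,12 };

int main(void) {
    char name[DNS_MAX_NAME + 1];
    printf("%d\n", dns_decode_name(PKT_OK, sizeof PKT_OK, 29, name, sizeof name));
    printf("%d\n", dns_decode_name(PKT_LOOP, sizeof PKT_LOOP, 14, name, sizeof name));
    return 0;
}
```

Because `limit` decreases on every pointer followed, the loop terminates after at most as many jumps as there are bytes before the starting offset.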


