CPNI - Centre for the Protection of National Infrastructure
July 2007

Symantec Security Advisory - SYMTDI.SYS Device Driver Local Elevation of Privilege

ID: 162
Ref: 107/2007
Date: 12 July 2007 10:31:57
Version: 1

Title: Symantec Security Advisory - SYMTDI.SYS Device Driver Local Elevation of Privilege
Abstract: Some versions of Symantec’s device driver SYMTDI.SYS contain a vulnerability which, if successfully exploited, could allow a local attacker to execute arbitrary code with system level privileges.
Vendors affected: Symantec
Applications affected: Symantec

SYM07-018
July 11, 2007
Symantec SYMTDI.SYS Device Driver Local Elevation of Privilege

http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11d.html

Revision History
None

Risk Impact
Medium

Remote Access No
Local Access Yes
Authentication Required Yes, to the local system
Exploit publicly available No

Overview
Some versions of Symantec’s device driver SYMTDI.SYS contain a vulnerability
which, if successfully exploited, could allow a local attacker to execute
arbitrary code with system level privileges.

Affected Products
Product                                  Version      Solution
Norton AntiSpam                          2005         Run LiveUpdate in Interactive Mode
Norton AntiVirus                         2005, 2006   Run LiveUpdate in Interactive Mode
Norton Internet Security                 2005, 2006   Run LiveUpdate in Interactive Mode
Norton Personal Firewall                 2005, 2006   Run LiveUpdate in Interactive Mode
Norton System Works                      2005, 2006   Run LiveUpdate in Interactive Mode
Symantec AntiVirus Corporate Edition     9.x          SAV 9 MR6 MP1
Symantec AntiVirus Corporate Edition     10.0, 10.1   SAV 10.1 MR6
Symantec Client Security                 2.0          SCS 2.0 MR6 MP1
Symantec Client Security                 3.0          SCS 3.1 MR6
Symantec Client Security                 3.1          SCS 3.1 MR6

NOTE: All builds of Symantec AntiVirus Corporate Edition (SAV CE) 9.x, 10.0,
and 10.1 prior to the solution listed are affected by this issue. All builds
of Symantec Client Security (SCS) prior to the solution listed are affected by
this issue.

Unaffected Products
Product                                  Version   Build
Norton 360                               All       all
Norton AntiVirus                         2007      all
Norton Confidential                      all       all
Norton Internet Security                 2007      all
Symantec AntiVirus Corporate Edition     10.2      all
Symantec AntiVirus for Linux             1.x       all


Details
iDefense notified Symantec about an input validation error in the IOCTL
handler function of the device driver SYMTDI.SYS. A specially crafted IRP sent
to an IOCTL handler function could allow memory to be overwritten because the
address space was not properly validated in some versions of the driver. A
successful exploit of this vulnerability could potentially allow an attacker
to execute code of their choice with kernel level privileges. The attack,
which requires authenticated local access, could also result in a blue screen
(system crash).
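As an added example that is not part of the advisory, the following constructed user-mode model shows the bug class described above: an IOCTL handler that trusts the output address carried in the IRP, beside one that probes the whole range before touching memory. The flat memory array, the user/kernel boundary, the status codes and all names are assumptions made for the model, not Symantec's driver code.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model: memory is a flat array; addresses below USER_LIMIT stand
 * for user space, the rest for kernel space. probe_for_write() plays the role
 * of the kernel's ProbeForWrite. Sizes, boundary and status values are assumed. */
#define MEM_SIZE   0x1000u
#define USER_LIMIT 0x0800u              /* assumed user/kernel boundary */
#define STATUS_SUCCESS          0
#define STATUS_ACCESS_VIOLATION 1

static uint8_t g_mem[MEM_SIZE];         /* simulated memory */

struct irp_model {                      /* hypothetical stand-in for IRP fields */
    uint32_t out_addr;                  /* caller-supplied output address */
    uint32_t out_len;                   /* caller-supplied output length */
};

/* Modelled on the ProbeForWrite contract: the range must be non-empty, must
 * not wrap around, and [addr, addr+len) must lie entirely in user space. */
bool probe_for_write(uint32_t addr, uint32_t len) {
    if (len == 0) return false;
    if (addr > UINT32_MAX - len) return false;   /* addr + len would wrap */
    return addr + len <= USER_LIMIT;
}

/* Shared body: store a 4-byte result at the requested address.
 * The bounds test here only keeps the simulation inside g_mem. */
static int write_result(uint32_t addr, uint32_t value) {
    if (addr > MEM_SIZE - sizeof value) return STATUS_ACCESS_VIOLATION;
    memcpy(&g_mem[addr], &value, sizeof value);
    return STATUS_SUCCESS;
}

/* Vulnerable shape: the IRP address is used as-is, so a kernel-range
 * target is written with caller-chosen data. */
int ioctl_unvalidated(const struct irp_model *irp, uint32_t value) {
    return write_result(irp->out_addr, value);
}

/* Hardened shape: probe the range first and reject the request on failure. */
int ioctl_validated(const struct irp_model *irp, uint32_t value) {
    if (!probe_for_write(irp->out_addr, irp->out_len))
        return STATUS_ACCESS_VIOLATION;
    return write_result(irp->out_addr, value);
}

/* Inspection helper for the simulated memory. */
uint8_t mem_read(uint32_t addr) { return g_mem[addr]; }
```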

Symantec response
Symantec engineers have verified that the issue exists in all versions of
SYMTDI.SYS prior to version 7.0.0. Updates have been provided for all
supported affected products.

Symantec is not aware of any customers impacted by this issue, or of any
attempts to exploit the issue.

As a part of normal best practices, users should keep vendor-supplied patches
for all application software and operating systems up-to-date. Symantec
strongly recommends any affected customers update their product immediately to
protect against possible future attempts to exploit this vulnerability.

Updating Consumer (Norton) products
Symantec Norton product users who regularly launch and run LiveUpdate should
already have received an updated (non-vulnerable) version of SYMTDI.SYS.
However, to ensure all available updates have been applied, users can manually
launch and run LiveUpdate in Interactive mode as follows:

Open any installed Norton product
Click on LiveUpdate in the GUI
Run LiveUpdate until all available product updates are downloaded and installed
A system reboot is required for this update

Best Practices
Symantec recommends any affected customers update their product to protect
against potential attempts to exploit this issue. As part of normal best
practices, Symantec recommends the following:

Do not open email from unknown senders.
Run under the principle of least privilege to limit the impact of exploits.
Keep all operating systems and applications updated with the latest vendor
patches.
Follow a multi-layered approach to security. Run both firewall and antivirus
software to provide multiple points of detection and protection from inbound
and outbound threats.
Use network intrusion detection systems to monitor network traffic for signs
of anomalous activity. This may aid in detection of attacks related to
exploitation of vulnerabilities.

Credit
Symantec would like to acknowledge Zohiartze Herce, working with the iDefense
Vulnerability Contributor Program (http://www.idefense.com), for reporting
this issue.

References
This issue is a candidate for inclusion in the Common Vulnerabilities and
Exposures (CVE) list (http://cve.mitre.org), which standardizes names for
security problems. CVE has assigned CVE-2007-3673 to this issue.

SecurityFocus has assigned Bugtraq ID (BID) 22351 to this issue.

-------------------------------------------------------------------------------

Symantec takes the security and proper functionality of its products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec follows the principles of responsible disclosure.
Symantec also subscribes to the vulnerability guidelines outlined by the
National Infrastructure Advisory Council (NIAC). Please contact
secure@symantec.com if you feel you have discovered a potential or actual
security issue with a Symantec product. A Symantec Product Security team
member will contact you regarding your submission.

Symantec has developed a Product Vulnerability Handling Process document
outlining the process we follow in addressing suspected vulnerabilities in our
products. We support responsible disclosure of all vulnerability information
in a timely manner to protect Symantec customers and the security of the
Internet as a result of vulnerability. This document is available from the
location provided below.

Symantec strongly recommends using encrypted email for reporting vulnerability
information to secure@symantec.com. The Symantec Product Security PGP key can
be obtained from the location provided below.

-------------------------------------------------------------------------------

Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Security Response.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and
secure@symantec.com are registered trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All other
registered and unregistered trademarks represented in this document are the
sole property of their respective companies/owners.


Initial Post on: Wednesday, 11-Jul-07 7:00:00
Last modified on: Wednesday, 11-Jul-07 14:48:06
___________________________________________________________________________

CPNI wishes to acknowledge the contributions of Symantec
for the information contained in this advisory.
___________________________________________________________________________

This advisory contains information released by the original author. Some of
the information may have changed since it was released. If the issue affects
you, it may be prudent to retrieve the advisory from the site of the original
source to ensure that you receive the most current
information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by CPNI. The views and opinions of
authors expressed within this notice shall not be used for advertising or
product endorsement purposes.

CPNI shall not accept responsibility for any errors or omissions
contained within this advisory. In particular, they shall not be liable for
any loss or damage whatsoever, arising from or in connection with the usage of
information contained within this advisory.

CPNI is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
___________________________________________________________________________
