Multiple sources have identified several security issues in Autonomy's Verity Keyview Content Filter libraries. Symantec has updated the Keyview modules being shipped with Symantec products to address these issues.
| Product | Version | Build | Solution(s) |
|---|---|---|---|
| Symantec Mail Security for Microsoft Exchange (SMSMSE) | 6.x | All | SMSMSE 6.5.6 or SMSMSE 6.0.13 (see mitigation workarounds below to disable content filtering as an interim) |
| Symantec Mail Security for Domino (SMSDOM) | 8.x | All | SMSDOM 8.0.9 (see mitigation workarounds below to disable content filtering as an interim) |
| Symantec Mail Security for Domino | 7.5.x | All | SMSDOM 7.5.12 (see mitigation workarounds below to disable content filtering as an interim) |
| Symantec Brightmail and Messaging Gateway (SBG/SMG) | 9.5 and earlier | All | Symantec Messaging Gateway 9.5.1 |
| Symantec Data Loss Prevention (DLP) Enforce/Detection Servers for Windows | 10.x and earlier | All | Symantec DLP 11.1.1 for Windows |
| Symantec Data Loss Prevention Enforce/Detection Servers for Linux | 10.x and earlier | All | Symantec DLP 11.1.1 for Linux |
| Symantec Data Loss Prevention Endpoint Agents | 10.x and earlier | All | Symantec DLP 11.1.1 Agent |
| Symantec Data Loss Prevention Enforce/Detection Servers for Windows | 11.x | All | Symantec DLP 11.1.1 for Windows |
| Symantec Data Loss Prevention Enforce/Detection Servers for Linux | 11.x | All | Symantec DLP 11.1.1 for Linux |
| Symantec Data Loss Prevention Endpoint Agents | 11.x | All | Symantec DLP 11.1.1 Agent |
NOTE: Disabling content filtering as described in the mitigation section below does NOT interfere with the primary functionality of Symantec's products, e.g., anti-virus or anti-spam.
Medium to High (based on the CVSS2 scoring below)
High
CVSS V2 9.33 (for SMSMSE and SMSDOM, running the Autonomy Verity Keyview Filter in-process or out-of-process with application-level privileges.)
Impact: 10 Exploitability: 8.588
CVSS V2 Vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Medium
CVSS V2 4.3 (for SBG/SMG and DLP, running the Autonomy Verity Keyview Filter out-of-process with least privileges.)
Impact: 2.862 Exploitability: 8.588
CVSS V2 Vector AV:N/AC:M/Au:N/C:N/I:N/A:P
| CVE ID Assigned | File Type / KV component | Credited To | BID |
|---|---|---|---|
| CVE-2011-1512 | Excel Doc/xsslr | | |
| CVE-2011-1213 | Excel Doc/xsslr | | |
| CVE-2011-1214 | LZH Archive/lzhsr | Binaryhouse.net working through iDefense Labs | |
| CVE-2011-1215 | RTF attach/rtfsr | Binaryhouse.net working through iDefense Labs | |
| CVE-2011-1216 | Applix Spreadsheet/assr | Binaryhouse.net working through iDefense Labs | |
| CVE-2011-1218 | Zip File Viewer/kvarcve | Binaryhouse.net working through iDefense Labs | |
| CVE-2011-0337 | Ichitaro Speed Reader doc/jtdsr | | |
| CVE-2011-0338 | Ichitaro Speed Reader doc/jtdsr | | |
| CVE-2011-0339 | Ichitaro Speed Reader doc/jtdsr | | |
| | Multiple File Types | | |
Details
Symantec was notified of multiple security issues, including possible denial-of-service process crashes and potential code execution vulnerabilities, identified in several of the file parsing libraries in the Autonomy Verity Keyview Filter shipped with the Symantec products identified above. These vulnerabilities can potentially be targeted during the content filtering process run against maliciously formatted incoming files.
Attempted exploitation results, depending on the product involved in the processing, range from no impact to a crash of the child process with negligible impact, an application crash or, in specific instances, potential elevated privilege application compromise.
Symantec Response
Symantec product engineers worked closely with Autonomy to obtain and provide updates to address all issues.
Symantec Mail Security for Microsoft Exchange runs the Verity Filter as part of the application process. A successful exploitation attempt could potentially result in a denial of service application crash or possibly a privilege compromise in the context of the application.
Symantec Mail Security for Domino runs the Verity Filter out-of-process by default, preventing attack attempts from crashing the application. However, the process runs in the context of the application, which could potentially allow a privileged application compromise from a successful exploit attempt.
Customers running Symantec Mail Security for Microsoft Exchange or Symantec Mail Security for Domino should update to the non-vulnerable versions identified above or disable content filtering by following the mitigation workarounds described below until updates can be obtained and deployed.
In the Symantec BrightMail/Messaging Gateway and Symantec Data Loss Prevention products, the Autonomy Verity KeyView content filtering process has been separated from the Symantec applications (out-of-process) and runs with least privilege. This out-of-process method specifically addresses these types of security concerns.
Any attempt to exploit these issues results in process termination of the offending thread and an error message generated to and handled by the specific application(s). However, non-vulnerable versions of the Verity Filter have been updated and made available to customers. Customers may still disable content filtering through the temporary mitigation workarounds described below until updates can be obtained and deployed.
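The out-of-process handling described above, as an added example (not Symantec or Autonomy code): a parent runs a constructed stand-in parser in a resource-limited child process and turns a crash into an error result, so one malformed attachment does not stop the scanning application. The child source, function names and limits are assumptions; running the child under a separate low-privilege account is deployment-specific and not shown.

```python
import resource   # POSIX only
import subprocess
import sys

# Constructed stand-in for a third-party file parser: it aborts the process
# on input starting with b"BAD", simulating a crash on a malformed file.
CHILD_SRC = r"""
import os, sys
data = sys.stdin.buffer.read()
if data.startswith(b"BAD"):
    os.abort()                      # simulated parser crash (SIGABRT)
sys.stdout.write(data.decode("ascii", "replace").upper())
"""

def _limit_child():
    # Runs in the child before exec: no core dumps, bounded CPU time.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    _, hard = resource.getrlimit(resource.RLIMIT_CPU)
    cpu = 2 if hard == resource.RLIM_INFINITY else min(2, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (cpu, hard))

def filter_out_of_process(data: bytes, timeout: float = 10.0):
    """Run the parser in a child process; return (status, extracted_text)."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_SRC],
            input=data, capture_output=True,
            timeout=timeout, preexec_fn=_limit_child,
        )
    except subprocess.TimeoutExpired:
        return ("timeout", "")
    if proc.returncode < 0:         # child killed by a signal: parser crashed
        return ("crashed", "")
    if proc.returncode != 0:
        return ("error", "")
    return ("ok", proc.stdout.decode("ascii", "replace"))

def scan_attachments(attachments):
    """The parent keeps going after a child crash and records each outcome."""
    return [filter_out_of_process(a)[0] for a in attachments]

if __name__ == "__main__":
    # Constructed sample inputs: two benign, one that crashes the parser.
    print(scan_attachments([b"hello", b"BAD\x00\x01", b"world"]))
```

A "crashed" or "timeout" status is worth logging and alerting on, since repeated parser crashes on inbound files can indicate exploitation attempts against an unpatched filter.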
Symantec knows of no exploitation of or adverse customer impact from these issues.
Update Information
Updates will be available through customers' normal support/download locations.
SMS for Domino and Microsoft Exchange updates will be available through the Platinum Support Web Site for Platinum customers or through the FileConnect - Electronic Software Distribution web site.
Symantec DLP updates will be available for download through secure file exchange.
Workaround/Mitigations
Temporary Workaround to disable content filtering in Symantec Mail Security for Microsoft Exchange
Installations of SMS for Microsoft Exchange that do not utilize the Content Filtering capabilities of the product are not susceptible. SMS for Microsoft Exchange would be susceptible only if the attachment content scanning option is enabled.
As an interim workaround, administrators may fully disable content filtering rules that contain parameters specifying scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.
Temporary Workaround to disable content filtering in Symantec Mail Security for Domino
Installations of SMS for Domino that do not utilize the Content Filtering capabilities of the product _are not_ susceptible to this issue. SMS for Domino would be susceptible only if the attachment content scanning option is enabled.
As an interim workaround, administrators may disable content filtering rules that contain parameters specifying scanning of attachment content. The rules do not need to be deleted, only disabled until an updated release is installed.
To disable content filtering rules for Symantec Mail Security for Domino
Temporary Workaround to disable content filtering in Symantec Brightmail Gateway or Symantec Messaging Gateway
Risk from these issues is limited on installations of Symantec Brightmail or Symantec Messaging Gateway in which the attachment content scanning option is enabled. However, installations that do not utilize the Content Filtering capabilities of the product are not affected by these issues.
As an interim workaround, administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.
To disable the content filtering rules for either Symantec Brightmail Gateway or Symantec Messaging Gateway:
Best Practices
As part of normal best practices, Symantec strongly recommends:
Will Dormann and Jared Allar with CERT/CC identified multiple issues in the Autonomy Keyview module. Additional issues in the Autonomy Keyview module were identified by Secunia Research, Binaryhouse.net working through iDefense Labs and Core Technologies.
BID: Security Focus, http://www.securityfocus.com, has assigned a Bugtraq ID (BID) to these issues for inclusion in the Security Focus vulnerability database. BIDs have been assigned as indicated below.
CVE: These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE IDs as indicated below.