Title: Symantec Norton Antivirus LiveUpdate Host Verification Vulnerability
Severity: HIGH
Description:
Symantec's Norton Antivirus contains a feature called LiveUpdate. LiveUpdate is a process that checks for new virus definitions over the internet, downloads and installs them from a Symantec site. This process can either be scheduled or performed manually.
A design flaw exists in Symantec's implementation of Norton Antivirus LiveUpdate. Symantec fails to use Cryptography (Digital Signatures, Public Keys or Certificates) when performing LiveUpdates on a user's system.
Due to Norton Antivirus' failure to verify the host in which LiveUpdates are being sent, it is possible for a remote host to send illicit LiveUpdates to an unknowing user.
This is achievable if a remote user redirected the LiveUpdate connection (update.symantec.com) to a server of his choice. This can be accomplished by DNS poisoning, DNS impersonation etc. Upon the connection being redirected the illegitimate server may proceed to send the target arbitrary files to download, without Norton Antivirus verifying the validity of the host.
Exploitation of this vulnerability is possible regardless whether scheduled LiveUpdates are set or LiveUpdates are invoked manually.
Successful exploitation of this vulnerability could enable a remote attacker to take various actions on the target host. In the worst case scenario, this issue could lead to a complete compromise of the target system.
Affected Products:
- Symantec LiveUpdate 1.4.0
- Symantec LiveUpdate 1.5.0
- Symantec Norton AntiVirus 2001
- Symantec Norton AntiVirus 5.0.0
References:
- Phenoelit Group: Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815>
- Symantec: Symantec LiveUpdate 1.4 through 1.6 vulnerability
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
