RealSecure Desktop Protector 3.6, Proventia Network IPS, BlackICE PC Protection, BlackICE Agent for Server, BlackICE Server Protection, RealSecure Server Sensor, RealSecure Network, Proventia Network IDS, Proventia Desktop, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Network MFS, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:
This signature detects an attempt to overflow a buffer in Symantec's management process on port 2967.
High
RealSecure Desktop Protector 3.6: eph, RealSecure Desktop: eph, Proventia Network IPS: XPU 1.76, BlackICE PC Protection: 3.6cph, BlackICE Agent for Server: 3.6eph, BlackICE Server Protection: 3.6.cph, RealSecure Server Sensor: XPU 24.37, RealSecure Network: XPU 24.37, Proventia Network IDS: XPU 24.37, Proventia Desktop: 8.0.675.1760, Proventia-G 1.1 and earlier: XPU 24.37, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network MFS: XPU 1.76, IBM Security Server Protection for Windows: 1.0.914.1760, Virtual Server Protection for VMware: 1.0, Proventia Server IPS for Linux technology: 1.76
Symantec Client Security: 3.0.2.2010, Symantec Client Security: 3.0.2.2020, Symantec Client Security: 3.0, Symantec Client Security: 3.1, Symantec Client Security: 3.1.394, Symantec Client Security: 3.1.400, Symantec AntiVirus: 10.0 Corporate, Symantec AntiVirus: 10.0.2.2010 Corporate, Symantec AntiVirus: 10.0.2.2020 Corporate, Symantec AntiVirus: 10.0.2.2021 Corporate, Symantec AntiVirus: 10.1 Corporate, Symantec AntiVirus: 10.1.400 Corporate
Unauthorized Access Attempt
Symantec AntiVirus Corporate Edition and Symantec Client Security are vulnerable to a stack-based buffer overflow in the remote management interface. A remote or local attacker could exploit this vulnerability to execute arbitrary code on the system with SYSTEM-level privileges or cause the system to crash.
Upgrade to the latest version of Symantec Client Security or Symantec AntiVirus Corporate Edition, as listed in Symantec Security Response Advisory SYM06-010. See References.
FrSIRT/ADV-2006-2005
Symantec AntiVirus and Client Security Remote Buffer Overflow Vulnerability
http://www.frsirt.com/english/advisories/2006/2005
BugTraq Mailing List, Fri May 26 2006 - 19:18:45 CDT
Symantec antivirus software exposes computers
http://archives.neohapsis.com/archives/bugtraq/2006-05/0608.html
Symantec Security Response Advisory SYM06-010
Symantec Client Security and Symantec AntiVirus Elevation of Privilege
http://securityresponse.symantec.com/avcenter/security/Content/2006.05.25.html
SA20318
Symantec Client Security / AntiVirus Unspecified Code Execution
http://secunia.com/advisories/20318/
eEye Digital Security Advisory AD20060612
Symantec Remote Management Stack Buffer Overflow
http://www.eeye.com/html/research/advisories/AD20060612.html
Full-Disclosure Mailing List, Fri May 26 2006 - 11:40:07 CDT
new symantec vuln
http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0673.html
US-CERT Vulnerability Note VU#404910
Symantec products vulnerable to buffer overflow
http://www.kb.cert.org/vuls/id/404910
Internet Security Systems Protection Alert June 2, 2006
Symantec AntiVirus and Client Security buffer overflow
http://xforce.iss.net/xforce/alerts/id/223
ISS X-Force
Symantec AntiVirus and Client Security remote management interface buffer overflow
http://www.iss.net/security_center/static/26706.php
CVE
CVE-2006-2630
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2630