We have received new information from Symantec regarding the
vulnerability in the Symantec Anti-virus/Client Security software.
Please review this information and visit http://kb.berkeley.edu/kb656
for the latest information on this vulnerability.
Main points:
1) Symantec has confirmed for us that unmanaged clients are safe from
remote exploitation of this vulnerability
2) Managed Symantec Client Security clients will get protection through
IPS signature updates via LiveUpdate
3) Managed AV-only clients can get protection by blocking or limiting
access to port 2967
4) SNS has been scanning the network to detect vulnerable clients and
will notify security contacts of these clients. IDS signatures are also
in place to detect attacks crossing the campus border.
5) We still recommend that all clients install the appropriate patches;
however, if the above measures mitigate the threat, this is not an urgent
issue and patches/upgrades can be applied at your earliest convenience.
Additional details:
In order for this vulnerability to be remotely exploited over the
network, the anti-virus software must be listening on an open port. When
the Symantec Anti-Virus software is run in "managed" mode, the
rtvscan.exe process listens on port 2967 and is vulnerable. The
"unmanaged" anti-virus software does not have any listeners and
therefore is safe from a remote exploit over the network. For
instructions on checking to see if your anti-virus software is
"managed", please see https://kb.berkeley.edu/jivekb/entry.jspa?entryID=665
If you are running the full Symantec Client Security suite in "managed"
mode, you can get some protection by ensuring that your clients have the
latest IPS signatures (part of the Symantec Firewall component) through
LiveUpdate. IPS signature files received after 5/26 will detect and
block attempts to exploit the vulnerability in the anti-virus software
-- you can also confirm whether or not you have received the signature:
http://kb.berkeley.edu/kb715. You may also wish to create firewall rules
to limit access to port 2967 to your management servers.
If you are running the Symantec AV software only in "managed" mode, you
can protect against remote exploitation by blocking (or limiting to
management servers) access to port 2967 using your current firewall
(host-based and/or network) solution.
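As an added example (not part of the original message or of any Symantec tooling), the script below checks firewall connection logs for the rule described above: any TCP/2967 connection from a source that is not one of your management servers is flagged, and destinations such a source actually reached are reported as still exposed. The log format and the 10.1.1.5 management server address are constructed placeholders.

```python
"""Flag TCP/2967 (Symantec rtvscan) connections not from the management servers."""
import re
from collections import namedtuple

# Assumed log format, constructed for this example (not any vendor's format):
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ACCEPT|DROP>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ACCEPT|DROP)$")
RTVSCAN_PORT = 2967  # port rtvscan.exe listens on in "managed" mode
Finding = namedtuple("Finding", "ts src dst action")

def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def audit(lines, management_servers):
    """Return (findings, exposed). findings: every TCP/2967 connection from a
    non-management source. exposed: destinations such a source actually reached
    (ACCEPT), i.e. hosts whose port 2967 filtering is not yet in place."""
    findings, exposed = [], set()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != RTVSCAN_PORT:
            continue  # not a TCP/2967 record (or unparsable)
        if rec["src"] in management_servers:
            continue  # expected management traffic
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["action"]))
        if rec["action"] == "ACCEPT":
            exposed.add(rec["dst"])
    return findings, sorted(exposed)

# Constructed sample log; 10.1.1.5 is a placeholder management server address.
MANAGEMENT_SERVERS = {"10.1.1.5"}
SAMPLE_LOG = """\
2006-06-07T12:00:01 TCP 10.1.1.5:4455 -> 10.2.3.4:2967 ACCEPT
2006-06-07T12:00:02 TCP 192.0.2.77:51000 -> 10.2.3.4:2967 ACCEPT
2006-06-07T12:00:03 TCP 192.0.2.77:51001 -> 10.2.3.9:2967 DROP
2006-06-07T12:00:04 TCP 192.0.2.77:51002 -> 10.2.3.9:80 ACCEPT
not a log line
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, MANAGEMENT_SERVERS)[0]:
        print(f"{f.ts} {f.src} -> {f.dst}:{RTVSCAN_PORT} {f.action}")
```

Hosts listed as exposed are the ones to prioritise for the host-based rule, since the network firewall evidently let the traffic through.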
We hope that this information will ease some concern and allow for a
smoother update/upgrade path. Please contact us if you have any
additional questions regarding the impact of this vulnerability.
--
Allison Henry
System and Network Security
University of California, Berkeley
http://security.berkeley.edu

Received on Wed Jun 7 12:23:04 2006
This archive was generated by hypermail 2.1.8 : Wed Jun 07 2006 - 12:23:06 PDT