There is a vulnerability in certain Symantec antivirus products that a remote attacker could leverage to execute arbitrary code with administrative privileges, according to a report from US-CERT.
Some Symantec products fail to properly handle malformed CAB files, resulting in memory corruption. The affected products are Symantec Endpoint Protection 11.0 and Symantec Endpoint Protection Small Business Edition 12.0.
These products rely on a legacy decomposer that fails to perform proper bounds checks on some specifically formatted files when extracting content from a CAB archive for scanning, the report said.
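To make the missing-bounds-check failure mode concrete, the following is an added example written for this article, not Symantec's decomposer code, and it does not reproduce the specific defect described above. It parses the fixed CFHEADER, CFFOLDER and CFFILE structures of a CAB archive (layout per Microsoft's public Cabinet format documentation), checking every declared count, offset and name length against the real buffer length before reading, and refuses the file on any inconsistency. The `build_cab` helper, the `MAX_NAME` cap, and the sample cabinets are constructed for the demonstration.

```python
"""Bounds-checked CAB (Microsoft Cabinet) structure parser, added as an
illustration of the checks a decomposer must make before trusting a file's
own length and offset fields.  Not Symantec's code; constructed sample data."""
import struct

CFHEADER_FMT = "<4sIIIIIBBHHHHH"  # signature .. iCabinet (36 bytes)
CFFOLDER_FMT = "<IHH"             # coffCabStart, cCFData, typeCompress (8 bytes)
CFFILE_FMT = "<IIHHHH"            # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFHEADER_SIZE = struct.calcsize(CFHEADER_FMT)
CFFOLDER_SIZE = struct.calcsize(CFFOLDER_FMT)
CFFILE_SIZE = struct.calcsize(CFFILE_FMT)
MAX_NAME = 256  # assumed cap on a CFFILE name; the spec gives no hard limit


class MalformedCab(ValueError):
    """Any structural inconsistency: the caller should refuse the file."""


def parse_cab(data: bytes) -> dict:
    """Parse the folder and file tables, validating each field against len(data)."""
    n = len(data)
    if n < CFHEADER_SIZE:
        raise MalformedCab("truncated CFHEADER")
    (sig, _, cb_cabinet, _, coff_files, _, _vmin, _vmaj,
     c_folders, c_files, flags, _set_id, _i_cab) = struct.unpack_from(CFHEADER_FMT, data, 0)
    if sig != b"MSCF":
        raise MalformedCab("bad signature")
    if cb_cabinet > n:  # the file's own size claim must not exceed what we hold
        raise MalformedCab("cbCabinet exceeds buffer")
    if flags & 0x0007:
        # prev/next-cabinet and reserved-area variants carry extra fields;
        # this example keeps its scope narrow and refuses them outright.
        raise MalformedCab("multi-cabinet or reserved-area cabinets not supported here")
    if c_folders == 0:
        raise MalformedCab("no folders")
    pos = CFHEADER_SIZE
    if pos + c_folders * CFFOLDER_SIZE > n:  # length check precedes every read
        raise MalformedCab("CFFOLDER table runs past end of buffer")
    folders = []
    for i in range(c_folders):
        coff_cab_start, c_cfdata, type_compress = struct.unpack_from(CFFOLDER_FMT, data, pos)
        if coff_cab_start > n:
            raise MalformedCab(f"folder {i}: coffCabStart beyond buffer")
        folders.append({"data_offset": coff_cab_start, "blocks": c_cfdata,
                        "compression": type_compress})
        pos += CFFOLDER_SIZE
    if coff_files < pos or coff_files > n:
        raise MalformedCab("coffFiles outside the cabinet")
    pos = coff_files
    files = []
    for i in range(c_files):
        if pos + CFFILE_SIZE > n:
            raise MalformedCab(f"file {i}: truncated CFFILE")
        cb_file, uoff, i_folder, _d, _t, _a = struct.unpack_from(CFFILE_FMT, data, pos)
        pos += CFFILE_SIZE
        # The name is NUL-terminated; bound the search so it can never run off the end.
        end = data.find(b"\0", pos, min(n, pos + MAX_NAME))
        if end < 0:
            raise MalformedCab(f"file {i}: unterminated or oversized name")
        name = data[pos:end].decode("latin-1")
        pos = end + 1
        if i_folder >= c_folders:
            raise MalformedCab(f"file {i}: iFolder {i_folder} out of range")
        files.append({"name": name, "size": cb_file, "folder": i_folder, "folder_offset": uoff})
    return {"folders": folders, "files": files}


def build_cab(c_files_declared=None, coff_files=None, name=b"hello.txt\0"):
    """Construct a minimal single-folder cabinet with no CFDATA blocks (sample data).
    Keyword arguments let the demonstration below corrupt individual fields."""
    total = CFHEADER_SIZE + CFFOLDER_SIZE + CFFILE_SIZE + len(name)
    body_off = CFHEADER_SIZE + CFFOLDER_SIZE
    folder = struct.pack(CFFOLDER_FMT, total, 0, 0)
    file_entry = struct.pack(CFFILE_FMT, 5, 0, 0, 0, 0, 0x20) + name
    hdr = struct.pack(CFHEADER_FMT, b"MSCF", 0, total, 0,
                      body_off if coff_files is None else coff_files, 0,
                      3, 1, 1, 1 if c_files_declared is None else c_files_declared, 0, 0, 0)
    return hdr + folder + file_entry


def check(data: bytes):
    """Return the parsed structure, or the rejection reason as a string."""
    try:
        return parse_cab(data)
    except MalformedCab as exc:
        return f"rejected: {exc}"


GOOD = build_cab()
CLAIMS_MANY_FILES = build_cab(c_files_declared=1000)  # count larger than the data
OFFSET_PAST_END = build_cab(coff_files=0xFFFFFFF0)    # file table pointer into nowhere
NO_TERMINATOR = build_cab(name=b"A" * 40)             # name never ends

if __name__ == "__main__":
    for label, blob in [("good", GOOD), ("many files", CLAIMS_MANY_FILES),
                        ("bad offset", OFFSET_PAST_END), ("no NUL", NO_TERMINATOR),
                        ("truncated", GOOD[:20])]:
        print(f"{label:10s} -> {check(blob)}")
```

Each rejection corresponds to a place where a parser that trusted the header's counts or offsets would read past the end of its buffer; the check runs before the read in every case, which is the property the decomposer described above lacked.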
“Successful targeting of this nature would necessarily require the attacker to be able to get their maliciously formatted archive past established email security policies to be processed on a system. This may lessen the success of any potential attempts of this nature though it does not reduce the severity if successfully executed,” Symantec wrote in its report.
The company confirmed that the legacy versions of the decomposer engines can crash when handling malformed CAB files, but it has not been able to verify remote code execution.
The best way to address this issue is by updating the products to the latest versions, which don’t utilize the decomposer engine in question.
Other mitigation strategies include the disabling of CAB file scanning until a permanent fix is available.