CVE-2016-5309

Out-of-bounds Read

Published: Apr 14, 2017 | Modified: Sep 09, 2021
CVSS 3.x: 5.5 MEDIUM (Source: NVD) CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS 2.x: 4.3 MEDIUM AV:N/AC:M/Au:N/C:N/I:N/A:P

The RAR file parser component in the AntiVirus Decomposer engine in Symantec Advanced Threat Protection: Network (ATP); Symantec Email Security.Cloud; Symantec Data Center Security: Server; Symantec Endpoint Protection (SEP) for Windows before 12.1.6 MP5; Symantec Endpoint Protection (SEP) for Mac; Symantec Endpoint Protection (SEP) for Linux before 12.1.6 MP6; Symantec Endpoint Protection for Small Business Enterprise (SEP SBE/SEP.Cloud); Symantec Endpoint Protection Cloud (SEPC) for Windows/Mac; Symantec Endpoint Protection Small Business Edition 12.1; CSAPI before 10.0.4 HF02; Symantec Protection Engine (SPE) before 7.0.5 HF02, 7.5.x before 7.5.4 HF02, 7.5.5 before 7.5.5 HF01, and 7.8.x before 7.8.0 HF03; Symantec Mail Security for Domino (SMSDOM) before 8.0.9 HF2.1, 8.1.x before 8.1.2 HF2.3, and 8.1.3 before 8.1.3 HF2.2; Symantec Mail Security for Microsoft Exchange (SMSMSE) before 6.5.8_3968140 HF2.3, 7.x before 7.0_3966002 HF2.1, and 7.5.x before 7.5_3966008 VHF2.2; Symantec Protection for SharePoint Servers (SPSS) before SPSS_6.0.3_To_6.0.5_HF_2.5 update, 6.0.6 before 6.0.6 HF_2.6, and 6.0.7 before 6.0.7_HF_2.7; Symantec Messaging Gateway (SMG) before 10.6.2; Symantec Messaging Gateway for Service Providers (SMG-SP) before 10.5 patch 260 and 10.6 before patch 259; Symantec Web Gateway; and Symantec Web Security.Cloud allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted RAR file that is mishandled during decompression.

Weakness

The product reads data past the end, or before the beginning, of the intended buffer.

Affected Software

Name                                       Vendor    Start Version  End Version
Protection_engine                          Symantec  *              7.0.5
Protection_for_sharepoint_servers          Symantec  6.0.5          6.0.5
Mail_security_for_microsoft_exchange       Symantec  *              6.5.8
Messaging_gateway                          Symantec  *              10.6.1
Mail_security_for_domino                   Symantec  *              8.0.9
Endpoint_protection                        Symantec  *              12.1.4
Mail_security_for_domino                   Symantec  8.1.3          8.1.3
Endpoint_protection_for_small_business     Symantec  *              12.1
Mail_security_for_microsoft_exchange       Symantec  7.0.3          7.0.3
Web_security.cloud                         Symantec  -              -
Messaging_gateway_for_service_providers    Symantec  10.6           10.6
Protection_for_sharepoint_servers          Symantec  6.0.3          6.0.3
Mail_security_for_microsoft_exchange       Symantec  7.0.4          7.0.4
Endpoint_protection                        Symantec  *              12.1.6
Protection_engine                          Symantec  7.5.0          7.5.0
Mail_security_for_microsoft_exchange       Symantec  7.5.2          7.5.2
Mail_security_for_microsoft_exchange       Symantec  7.5.1          7.5.1
Protection_for_sharepoint_servers          Symantec  6.0.7          6.0.7
Messaging_gateway_for_service_providers    Symantec  10.5           10.5
Advanced_threat_protection                 Symantec  -              -
Mail_security_for_domino                   Symantec  8.1.2          8.1.2
Protection_for_sharepoint_servers          Symantec  6.0.4          6.0.4
Protection_engine                          Symantec  7.5.1          7.5.1
Email_security.cloud                       Symantec  -              -
Mail_security_for_microsoft_exchange       Symantec  7.0            7.0
Protection_engine                          Symantec  7.5.4          7.5.4
Endpoint_protection_cloud                  Symantec  -              -
Mail_security_for_microsoft_exchange       Symantec  7.5            7.5
Mail_security_for_microsoft_exchange       Symantec  7.5.3          7.5.3
Csapi                                      Symantec  *              10.0.4
Endpoint_protection_for_small_business     Symantec  -              -
Endpoint_protection                        Symantec  *              12.1.6
Protection_for_sharepoint_servers          Symantec  6.0.6          6.0.6
Endpoint_protection_cloud                  Symantec  -              -
Protection_engine                          Symantec  7.8.0          7.8.0
Protection_engine                          Symantec  7.5.3          7.5.3
Protection_engine                          Symantec  7.5.2          7.5.2
Mail_security_for_microsoft_exchange       Symantec  7.5.4          7.5.4
Web_gateway                                Symantec  -              -
Mail_security_for_microsoft_exchange       Symantec  7.0.2          7.0.2
Protection_engine                          Symantec  7.5.5          7.5.5
Mail_security_for_microsoft_exchange       Symantec  7.0.1          7.0.1
Symantec_data_center_security_server       Broadcom  -              -

Potential Mitigations

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of introducing an out-of-bounds read, validate, and check the arithmetic behind, every length argument, buffer size calculation, and offset before it is used. Be especially careful about relying on a sentinel (i.e., a special character such as NUL) in untrusted inputs.
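The last two bullets applied to a file-format parser, as an added example that is neither this page's nor Symantec's code: a block walker over a constructed toy format that rejects a declared size that does not fit the bytes remaining, rejects a zero size that would stall the loop, and bounds a name field by its length rather than by a NUL sentinel. The layout, the function names and the sample bytes are all assumptions made for illustration, not the RAR format.

```c
/* Added illustration of the length/offset and sentinel checks above. The
 * block format is a constructed toy, not RAR, and this is not Symantec's code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy layout: magic "BLK!", then blocks of: uint16 LE declared_size (whole
 * block incl. this 3-byte header), uint8 name_len, name bytes, payload. */
#define TOY_HDR_LEN 3
enum parse_result { PARSE_OK = 0, PARSE_BAD_MAGIC, PARSE_TRUNCATED,
                    PARSE_BAD_SIZE, PARSE_NAME_OVERFLOW };
/* Count well-formed blocks. Every declared length is checked against the
 * bytes that actually remain before any read depends on it. */
enum parse_result toy_parse(const uint8_t *buf, size_t len, size_t *nblocks)
{
    size_t off = 4;
    *nblocks = 0;
    if (len < 4 || memcmp(buf, "BLK!", 4) != 0)
        return PARSE_BAD_MAGIC;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < TOY_HDR_LEN)            /* header itself cut short */
            return PARSE_TRUNCATED;
        size_t declared = (size_t)buf[off] | ((size_t)buf[off + 1] << 8);
        size_t name_len = buf[off + 2];
        /* size 0 would loop forever; size > remaining is the OOB-read case */
        if (declared < TOY_HDR_LEN || declared > remaining)
            return PARSE_BAD_SIZE;
        if (name_len > declared - TOY_HDR_LEN)  /* name spills past block  */
            return PARSE_NAME_OVERFLOW;
        /* name is bounded by name_len, not a NUL: strlen() here could walk past len */
        off += declared;                        /* declared <= remaining   */
        (*nblocks)++;
    }
    return PARSE_OK;
}

/* Block count on success, or the negated error code on failure. */
long toy_count(const uint8_t *buf, size_t len)
{
    size_t n;
    enum parse_result r = toy_parse(buf, len, &n);
    return r == PARSE_OK ? (long)n : -(long)r;
}
/* Constructed samples, not real archive data. */
static const uint8_t GOOD[] = { 'B','L','K','!', 6,0,2,'a','b',0xFF, 3,0,0 };
static const uint8_t HUGE[] = { 'B','L','K','!', 0xFF,0xFF,0 };  /* size 65535 */
static const uint8_t ZERO[] = { 'B','L','K','!', 0,0,0 };        /* size 0     */
static const uint8_t NAME[] = { 'B','L','K','!', 4,0,5,'x' };    /* name_len 5 */
static const uint8_t CUT[]  = { 'B','L','K','!', 6,0 };          /* no name_len*/
```

Each rejected sample fails on exactly one check, so a fuzzer-found crash in a parser like this maps directly to the missing comparison.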