
CVE-2016-5309

Out-of-bounds Read

Published: Apr 14, 2017 | Modified: Sep 09, 2021
CVSS 3.x: 5.5 MEDIUM (source: NVD)
  Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS 2.x: 4.3 MEDIUM
  Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

The v3 vector scores the issue as local with user interaction required (a crafted archive has to reach the scanning engine) and with impact limited to availability (C:N/I:N/A:H); the older v2 vector instead treats delivery of the archive as a network attack vector, which is why the description below speaks of "remote attackers".

The RAR file parser component in the AntiVirus Decomposer engine in Symantec Advanced Threat Protection: Network (ATP); Symantec Email Security.Cloud; Symantec Data Center Security: Server; Symantec Endpoint Protection (SEP) for Windows before 12.1.6 MP5; Symantec Endpoint Protection (SEP) for Mac; Symantec Endpoint Protection (SEP) for Linux before 12.1.6 MP6; Symantec Endpoint Protection for Small Business Enterprise (SEP SBE/SEP.Cloud); Symantec Endpoint Protection Cloud (SEPC) for Windows/Mac; Symantec Endpoint Protection Small Business Edition 12.1; CSAPI before 10.0.4 HF02; Symantec Protection Engine (SPE) before 7.0.5 HF02, 7.5.x before 7.5.4 HF02, 7.5.5 before 7.5.5 HF01, and 7.8.x before 7.8.0 HF03; Symantec Mail Security for Domino (SMSDOM) before 8.0.9 HF2.1, 8.1.x before 8.1.2 HF2.3, and 8.1.3 before 8.1.3 HF2.2; Symantec Mail Security for Microsoft Exchange (SMSMSE) before 6.5.8_3968140 HF2.3, 7.x before 7.0_3966002 HF2.1, and 7.5.x before 7.5_3966008 VHF2.2; Symantec Protection for SharePoint Servers (SPSS) before SPSS_6.0.3_To_6.0.5_HF_2.5 update, 6.0.6 before 6.0.6 HF_2.6, and 6.0.7 before 6.0.7_HF_2.7; Symantec Messaging Gateway (SMG) before 10.6.2; Symantec Messaging Gateway for Service Providers (SMG-SP) before 10.5 patch 260 and 10.6 before patch 259; Symantec Web Gateway; and Symantec Web Security.Cloud allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted RAR file that is mishandled during decompression.

Weakness

CWE-125 (Out-of-bounds Read): the software reads data past the end, or before the beginning, of the intended buffer. In an archive parser this is typically driven by a length or offset field that the archive itself supplies; here the crafted RAR file causes the decomposer to read outside its buffer during decompression, and the observed impact is a crash of the scanning process (denial of service), not disclosure of memory, consistent with the C:N/I:N/A:H vector above.

Affected Software

Name                                      Vendor     Start Version  End Version (inclusive)
Symantec_data_center_security_server      Broadcom   -              -
Advanced_threat_protection                Symantec   -              -
Csapi                                     Symantec   *              10.0.4
Email_security.cloud                      Symantec   -              -
Endpoint_protection                       Symantec   *              12.1.4
Endpoint_protection                       Symantec   *              12.1.6
Endpoint_protection_cloud                 Symantec   -              -
Endpoint_protection_for_small_business    Symantec   -              -
Endpoint_protection_for_small_business    Symantec   *              12.1
Mail_security_for_domino                  Symantec   *              8.0.9
Mail_security_for_domino                  Symantec   8.1.2          8.1.2
Mail_security_for_domino                  Symantec   8.1.3          8.1.3
Mail_security_for_microsoft_exchange      Symantec   *              6.5.8
Mail_security_for_microsoft_exchange      Symantec   7.0            7.0
Mail_security_for_microsoft_exchange      Symantec   7.0.1          7.0.1
Mail_security_for_microsoft_exchange      Symantec   7.0.2          7.0.2
Mail_security_for_microsoft_exchange      Symantec   7.0.3          7.0.3
Mail_security_for_microsoft_exchange      Symantec   7.0.4          7.0.4
Mail_security_for_microsoft_exchange      Symantec   7.5            7.5
Mail_security_for_microsoft_exchange      Symantec   7.5.1          7.5.1
Mail_security_for_microsoft_exchange      Symantec   7.5.2          7.5.2
Mail_security_for_microsoft_exchange      Symantec   7.5.3          7.5.3
Mail_security_for_microsoft_exchange      Symantec   7.5.4          7.5.4
Messaging_gateway                         Symantec   *              10.6.1
Messaging_gateway_for_service_providers   Symantec   10.5           10.5
Messaging_gateway_for_service_providers   Symantec   10.6           10.6
Protection_engine                         Symantec   *              7.0.5
Protection_engine                         Symantec   7.5.0          7.5.0
Protection_engine                         Symantec   7.5.1          7.5.1
Protection_engine                         Symantec   7.5.2          7.5.2
Protection_engine                         Symantec   7.5.3          7.5.3
Protection_engine                         Symantec   7.5.4          7.5.4
Protection_engine                         Symantec   7.5.5          7.5.5
Protection_engine                         Symantec   7.8.0          7.8.0
Protection_for_sharepoint_servers         Symantec   6.0.3          6.0.3
Protection_for_sharepoint_servers         Symantec   6.0.4          6.0.4
Protection_for_sharepoint_servers         Symantec   6.0.5          6.0.5
Protection_for_sharepoint_servers         Symantec   6.0.6          6.0.6
Protection_for_sharepoint_servers         Symantec   6.0.7          6.0.7
Web_gateway                               Symantec   -              -
Web_security.cloud                        Symantec   -              -

"*" in Start Version means every release up to and including End Version; "-" in both columns means no version range is recorded for that product. The fixed build is the hotfix or patch level named in the description above (for example SEP for Windows 12.1.6 MP5, SPE 7.0.5 HF02, SMG 10.6.2), so a product at the listed End Version is still affected until that hotfix is applied.

Potential Mitigations

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of introducing an out-of-bounds read, validate, and compute correctly, every length argument, buffer-size calculation, and offset before using it to index a buffer. Be especially careful about relying on a sentinel (a special character such as NUL) in untrusted input, since an attacker can simply omit it.
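The mitigations above are generic CWE-125 guidance; the following is an added example showing what they mean for a RAR-style header parser. It is not Symantec's code, and this entry does not say which field the Decomposer engine mishandled, so the example models the general pattern: a header carries its own lengths, and a parser that trusts them reads past the end of the data it was given. The field offsets follow the RAR 4.x FILE_HEAD layout as assumed here, and all function names and the constructed headers are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Field offsets of a RAR 4.x FILE_HEAD block, as assumed for this example:
 *  0 HEAD_CRC(2)  2 HEAD_TYPE(1)  3 HEAD_FLAGS(2)  5 HEAD_SIZE(2)  7 PACK_SIZE(4)
 * 11 UNP_SIZE(4) 15 HOST_OS(1)   16 FILE_CRC(4)   20 FTIME(4)     24 UNP_VER(1)
 * 25 METHOD(1)   26 NAME_SIZE(2) 28 ATTR(4)       32 FILE_NAME(NAME_SIZE bytes) */
enum { RAR_FILE_HEAD = 0x74, HEAD_TYPE_OFF = 2, HEAD_SIZE_OFF = 5,
       NAME_SIZE_OFF = 26, FILE_HEAD_FIXED = 32 };

typedef struct {
    uint16_t head_size;   /* total header length claimed by the archive */
    uint16_t name_size;   /* file name length claimed by the archive */
    const uint8_t *name;  /* start of the name inside the input buffer */
} rar_file_head;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable pattern: lengths come from the header and are never compared
 * with the number of bytes actually available. A caller that then copies
 * name_size bytes starting at out->name reads past the end of buf. */
int parse_file_head_unchecked(const uint8_t *buf, size_t len, rar_file_head *out)
{
    (void)len;                                   /* the bug: len is never consulted */
    if (buf[HEAD_TYPE_OFF] != RAR_FILE_HEAD) return 0;
    out->head_size = rd16le(buf + HEAD_SIZE_OFF);
    out->name_size = rd16le(buf + NAME_SIZE_OFF);
    out->name = buf + FILE_HEAD_FIXED;
    return 1;
}

/* Hardened pattern: every archive-controlled length is validated against the
 * bytes we hold before anything beyond the fixed part is touched. */
int parse_file_head_checked(const uint8_t *buf, size_t len, rar_file_head *out)
{
    if (len < FILE_HEAD_FIXED) return 0;                   /* fixed part must fit */
    if (buf[HEAD_TYPE_OFF] != RAR_FILE_HEAD) return 0;
    uint16_t head_size = rd16le(buf + HEAD_SIZE_OFF);
    uint16_t name_size = rd16le(buf + NAME_SIZE_OFF);
    if (head_size < FILE_HEAD_FIXED) return 0;             /* shorter than its own fixed part */
    if (head_size > len) return 0;                         /* claims more bytes than we were given */
    if ((size_t)FILE_HEAD_FIXED + name_size > head_size)   /* name must lie inside the header */
        return 0;
    out->head_size = head_size;
    out->name_size = name_size;
    out->name = buf + FILE_HEAD_FIXED;
    return 1;
}

/* Number of bytes beyond len that a consumer of the unchecked result would
 * read. Pure arithmetic, so the over-read is measured rather than performed. */
size_t overread_bytes_unchecked(const uint8_t *buf, size_t len)
{
    rar_file_head h;
    if (!parse_file_head_unchecked(buf, len, &h)) return 0;
    size_t end = (size_t)FILE_HEAD_FIXED + h.name_size;
    return end > len ? end - len : 0;
}

/* Constructs a FILE_HEAD with the given claimed sizes (test data, not a real
 * archive). Returns the number of bytes written, 0 if cap is too small. */
size_t build_file_head(uint8_t *buf, size_t cap, uint16_t head_size,
                       uint16_t name_size, const char *name)
{
    size_t name_len = strlen(name);
    size_t total = FILE_HEAD_FIXED + name_len;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[HEAD_TYPE_OFF] = RAR_FILE_HEAD;
    buf[HEAD_SIZE_OFF] = (uint8_t)head_size;  buf[HEAD_SIZE_OFF + 1] = (uint8_t)(head_size >> 8);
    buf[NAME_SIZE_OFF] = (uint8_t)name_size;  buf[NAME_SIZE_OFF + 1] = (uint8_t)(name_size >> 8);
    memcpy(buf + FILE_HEAD_FIXED, name, name_len);
    return total;
}

int main(void)
{
    uint8_t buf[64];
    rar_file_head h;

    /* Honest header: 32 fixed bytes + "a.txt", and the claimed sizes match the data. */
    size_t n = build_file_head(buf, sizeof buf, 37, 5, "a.txt");
    printf("honest:  checked=%d overread=%zu\n",
           parse_file_head_checked(buf, n, &h), overread_bytes_unchecked(buf, n));

    /* Crafted header: the same 37 bytes on disk, but NAME_SIZE claims 65535. */
    n = build_file_head(buf, sizeof buf, 37, 0xFFFF, "a.txt");
    printf("crafted: checked=%d overread=%zu\n",
           parse_file_head_checked(buf, n, &h), overread_bytes_unchecked(buf, n));
    return 0;
}
```

The checked parser applies the list-item rules directly: the fixed part must fit in what was received, the header may not claim more than was received, and the variable-length name must fit inside the header it belongs to. The same three comparisons apply to any length, count or offset read from an archive; the ordering matters, because each check is only meaningful once the bytes it reads from have themselves been shown to exist.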
