DOE-CIRC TECHNICAL BULLETIN

T-223: Autonomy KeyView Module Excel Document Processing Buffer Overflow Vulnerability

[CVE-2009-3037]

September 2, 2009 14:00 GMT

PROBLEM: Autonomy KeyView module is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers.
PLATFORM: Symantec Mail Security for SMTP 5.0 thru 5.0.1, Symantec Mail Security for Microsoft Exchange 6.0.8 thru 6.0.6, Symantec Mail Security for Microsoft Exchange 5.0.12 thru 5.0.10, Symantec Mail Security for Domino 8.0 thru 7.5.3, Symantec Mail Security Appliance 5.0.0 thru 5.0.36, Symantec Data Loss Prevention Endpoint Agents 9.0.1, Symantec Data Loss Prevention Endpoint Agents 8.1.1, Symantec Data Loss Prevention Detection Servers 7.2, Symantec BrightMail Appliance 8.0 thru 8.0.1, Symantec BrightMail Appliance 5.0, IBM Lotus Notes 7.0.1 thru 7.0.3, IBM Lotus Notes 6.5 thru 6.5.6, IBM Lotus Notes 6.0 thru 6.0.5, IBM Lotus Notes 5.0.12, IBM Lotus Notes 5.0.3, IBM Lotus Notes 8.5, IBM Lotus Notes 8.0, IBM Lotus Notes 7.0.2 FP1, IBM Lotus Notes 7.0, IBM Lotus Notes 6.5.6 FP2, IBM Lotus Notes 6.5.5 FP3, IBM Lotus Notes 6.5.5 FP2, IBM Lotus Notes 0, Autonomy Keyview Viewer SDK 7 thru 10.4, Autonomy Keyview Filter SDK 7 thru 10.4, Autonomy Keyview Export SDK 7 thru 10.4
ABSTRACT: Exploitation allows attackers to execute arbitrary code with the privileges of the targeted application. In order to exploit this vulnerability, an attacker must cause a specially crafted Microsoft Excel Spreadsheet to be processed by an application using the Autonomy KeyView SDK.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-223.shtml
  OTHER LINKS:
    Security Focus Website: http://www.securityfocus.com/bid/36042/discuss
    IBM Website: http://www-01.ibm.com/support/docview.wss?uid=swg21396492
    Symantec Website: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090825_00

  CVE: CVE-2009-3037

IMPACT ASSESSMENT: This risk is medium. Exploiting this issue will allow an attacker to corrupt memory and cause denial-of-service conditions or potentially to execute arbitrary code in the context of an application using the module.

[***** Start CVE-2009-3037 *****]
Discussion:
Autonomy KeyView SDK is a commercial SDK that provides parsing libraries for a large number of document formats, one of which is the Microsoft Excel 97 (XLS) format. Many commercial products from popular vendors use KeyView to handle various file formats; Lotus Notes and Symantec Mail Security are two examples of such products.

Remote exploitation of an integer overflow vulnerability in Autonomy's KeyView SDK allows attackers to execute arbitrary code with the privileges of the targeted application.

The vulnerability occurs when parsing a Shared String Table (SST) record inside of an Excel file. This record holds the table of strings that are used throughout the document. One of the fields in this record is a 32-bit integer that represents the number of strings in the table. This value is used in a calculation that determines the number of bytes to allocate for a dynamic heap buffer. The value is not properly sanitized, which leads to an integer overflow in the calculation and, in turn, to a heap-based buffer overflow.
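The integer-overflow pattern described above, as an added illustration that is not KeyView's code: the SST field layout (cstTotal followed by cstUnique, both 32-bit little-endian) follows the BIFF8 format, while the 16-byte per-entry multiplier, the payload sanity bound and the sample record prefix are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical per-string bookkeeping size; the advisory does not give
   KeyView's real multiplier. */
#define SST_ENTRY_SIZE 16u
/* BIFF records are little-endian. */
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* A BIFF8 SST body starts with cstTotal then cstUnique (the stored-string
   count that sizes the table). Returns 0 and stores cstUnique, -1 if short. */
int sst_unique_count(const unsigned char *body, size_t len, uint32_t *out) {
    if (len < 8) return -1;
    *out = rd32(body + 4);
    return 0;
}

/* Vulnerable pattern from the advisory: 32-bit multiply with no range check,
   so a huge count wraps to a tiny allocation that string copies then overrun. */
uint32_t unsafe_table_bytes(uint32_t cst_unique) {
    return cst_unique * SST_ENTRY_SIZE;
}

/* Hardened form: reject a count whose product would wrap, or one larger than
   the SST payload could encode (each BIFF8 string needs at least 3 bytes:
   2-byte cch plus 1 flags byte). Returns 0 to reject. */
uint32_t safe_table_bytes(uint32_t cst_unique, size_t payload_bytes) {
    if (cst_unique == 0 || cst_unique > UINT32_MAX / SST_ENTRY_SIZE) return 0;
    if ((uint64_t)cst_unique > (uint64_t)payload_bytes / 3) return 0;
    return cst_unique * SST_ENTRY_SIZE;
}

/* Constructed sample SST prefix: cstTotal = 5, cstUnique = 0x10000001. */
static const unsigned char SAMPLE_SST[8] = { 5, 0, 0, 0, 0x01, 0, 0, 0x10 };
uint32_t sample_unique_count(void) {
    uint32_t n = 0;
    return sst_unique_count(SAMPLE_SST, sizeof SAMPLE_SST, &n) == 0 ? n : 0;
}

int main(void) {
    uint32_t n = sample_unique_count();
    printf("cstUnique=%u unsafe=%u bytes, safe=%u bytes\n",
           n, unsafe_table_bytes(n), safe_table_bytes(n, 64));
    return 0;
}
```

With the sample count of 0x10000001, the unchecked multiply wraps to a 16-byte allocation while the hardened check rejects the record outright.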

Exploitation allows attackers to execute arbitrary code with the privileges of the targeted application. In order to exploit this vulnerability, an attacker must cause a specially crafted Microsoft Excel Spreadsheet to be processed by an application using the Autonomy KeyView SDK.

When targeting applications like Lotus Notes, this requires that an attacker convince a user to view an e-mail attachment; however, in other cases, processing may take place automatically as a document is examined. The specific circumstances will depend on the application being targeted.

The privileges that an attacker gains may be different for each application that uses the KeyView SDK. For example, exploiting this issue via Lotus Notes yields the current user's privileges while exploiting the vulnerability via Symantec Mail Security yields SYSTEM privileges. 

Workaround:
For all products using the KeyView SDK, you can disable the "xlssr.dll" filter by doing one of the following:

  Remove the xlssr.dll filter module from the affected system(s).
  Delete or comment out the line referencing "xlssr.dll" in the "KeyView.ini" file distributed with the affected application.

Additionally, for Symantec Mail Security, disabling "content filtering" will prevent exploitation. 

Solution:
IBM has released a patch which addresses this issue in Lotus Notes. For more information, consult their advisory at the following URL:

http://www-01.ibm.com/support/docview.wss?rs=463&uid=swg21396492

Symantec has released a patch which addresses this issue in several Symantec products. For more information, consult their advisory at the following URL:

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090825_00
[***** End CVE-2009-3037 *****]

DOE-CIRC wishes to acknowledge the contributions of Joshua J. Drake of iDefense Labs for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788