The AntiVirus Decomposer engine in Symantec Advanced Threat Protection (ATP); Symantec Data Center Security:Server (SDCS:S) 6.x through 6.6 MP1; Symantec Web Gateway; Symantec Endpoint Protection (SEP) before 12.1 RU6 MP5; Symantec Endpoint Protection (SEP) for Mac; Symantec Endpoint Protection (SEP) for Linux before 12.1 RU6 MP5; Symantec Protection Engine (SPE) before 7.0.5 HF01, 7.5.x before 7.5.3 HF03, 7.5.4 before HF01, and 7.8.0 before HF01; Symantec Protection for SharePoint Servers (SPSS) 6.0.3 through 6.0.5 before 6.0.5 HF 1.5 and 6.0.6 before HF 1.6; Symantec Mail Security for Microsoft Exchange (SMSMSE) before 7.0_3966002 HF1.1 and 7.5.x before 7.5_3966008 VHF1.2; Symantec Mail Security for Domino (SMSDOM) before 8.0.9 HF1.1 and 8.1.x before 8.1.3 HF1.2; CSAPI before 10.0.4 HF01; Symantec Message Gateway (SMG) before 10.6.1-4; Symantec Message Gateway for Service Providers (SMG-SP) 10.5 before patch 254 and 10.6 before patch 253; Norton AntiVirus, Norton Security, Norton Internet Security, and Norton 360 before NGC 22.7; Norton Security for Mac before 13.0.2; Norton Power Eraser (NPE) before 5.1; and Norton Bootable Removal Tool (NBRT) before 2016.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory access violation) via a crafted RAR file that is mishandled during decompression.

The version of Symantec Protection for SharePoint Servers installed on the remote host is 6.0.3 to 6.0.5 prior to HF1.5 or 6.0.6 prior to HF1.6. It is, therefore, affected by multiple vulnerabilities :

  - An array indexing error exists in the Unpack::ShortLZ()     function within file unpack15.cpp due to improper     validation of input when decompressing RAR files. An     unauthenticated, remote attacker can exploit this, via     a specially crafted file, to corrupt memory, resulting     in a denial of service condition or the execution of     arbitrary code. (CVE-2016-2207)

  - A stack-based buffer overflow condition exists when     handling PowerPoint files due to improper validation of     user-supplied input while handling misaligned stream     caches. An unauthenticated, remote attacker can exploit     this, via a specially crafted PPT file, to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2016-2209)

  - A stack-based buffer overflow condition exists in the     CSymLHA::get_header() function within file Dec2LHA.dll     due to improper validation of user-supplied input when     decompressing LZH and LHA archive files. An     unauthenticated, remote attacker can exploit this, via a     specially crafted archive file, to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-2210)

  - Multiple unspecified flaws exist in libmspack library     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these, via     a specially crafted CAB file, to corrupt memory,     resulting in a denial of service condition or the     execution of arbitrary code. (CVE-2016-2211)

  - A heap buffer overflow condition exists in the     CMIMEParser::UpdateHeader() function due to improper     validation of user-supplied input when parsing MIME     messages. An unauthenticated, remote attacker can     exploit this, via a specially crafted MIME message, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-3644)

  - An integer overflow condition exists in the     Attachment::setDataFromAttachment() function within file     Dec2TNEF.dll due to improper validation of user-supplied     input when decoding TNEF files. An unauthenticated,     remote attacker can exploit this, via a specially     crafted TNEF file, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2016-3645)

  - An array indexing error exists in the     ALPkOldFormatDecompressor::UnShrink() function within     the scan engine decomposer due to improper validation of     input when decoding ZIP files. An unauthenticated,     remote attacker can exploit this, via a specially     crafted ZIP file, to corrupt memory, resulting in a     denial of service condition or the execution of     arbitrary code. (CVE-2016-3646)

The version of Symantec Protection Engine installed on the remote host is 7.0.x prior to 7.0.5 HF01, 7.5.x prior to 7.5.3 HF03, or 7.8.x prior to 7.8.0 HF01. It is, therefore, affected by multiple vulnerabilities :

  - An array indexing error exists in the Unpack::ShortLZ()     function within file unpack15.cpp due to improper     validation of input when decompressing RAR files. An     unauthenticated, remote attacker can exploit this, via     a specially crafted file, to corrupt memory, resulting     in a denial of service condition or the execution of     arbitrary code. (CVE-2016-2207)

  - A stack-based buffer overflow condition exists when     handling PowerPoint files due to improper validation of     user-supplied input while handling misaligned stream     caches. An unauthenticated, remote attacker can exploit     this, via a specially crafted PPT file, to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2016-2209)

  - A stack-based buffer overflow condition exists in the     CSymLHA::get_header() function within file Dec2LHA.dll     due to improper validation of user-supplied input when     decompressing LZH and LHA archive files. An     unauthenticated, remote attacker can exploit this, via a     specially crafted archive file, to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-2210)

  - Multiple unspecified flaws exist in libmspack library     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these, via     a specially crafted CAB file, to corrupt memory,     resulting in a denial of service condition or the     execution of arbitrary code. (CVE-2016-2211)

  - A heap buffer overflow condition exists in the     CMIMEParser::UpdateHeader() function due to improper     validation of user-supplied input when parsing MIME     messages. An unauthenticated, remote attacker can     exploit this, via a specially crafted MIME message, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-3644)

  - An integer overflow condition exists in the     Attachment::setDataFromAttachment() function within file     Dec2TNEF.dll due to improper validation of user-supplied     input when decoding TNEF files. An unauthenticated,     remote attacker can exploit this, via a specially     crafted TNEF file, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2016-3645)

  - An array indexing error exists in the     ALPkOldFormatDecompressor::UnShrink() function within     the scan engine decomposer due to improper validation of     input when decoding ZIP files. An unauthenticated,     remote attacker can exploit this, via a specially     crafted ZIP file, to corrupt memory, resulting in a     denial of service condition or the execution of     arbitrary code. (CVE-2016-3646)

According to its self-reported anti-virus definition version number, the remote web server is hosting a version of Symantec Web Gateway with an anti-virus definition version prior to 20160628.037. It is, therefore, affected by multiple vulnerabilities :

  - An array indexing error exists in the UnRAR component in     the Unpack::ShortLZ() function in unpack15.cpp that is     triggered when decompressing RAR files. An     unauthenticated, remote attacker can exploit this, via a     specially crafted RAR file, to corrupt memory, resulting     in the execution of arbitrary code. (CVE-2016-2207)

  - An overflow condition exists when handling PowerPoint     documents due to improper validation of user-supplied     input when handling a misaligned stream-cache. An     unauthenticated, remote attacker can exploit this, via a     specially crafted PPT file, to cause a stack-based     buffer overflow, resulting in the execution of arbitrary     code. (CVE-2016-2209)

  - An overflow condition exists in the     CSymLHA::get_header() function in Dec2LHA.dll that is     triggered when decompressing LZH and LHA archives. An     unauthenticated, remote attacker can exploit this, via a     specially crafted file, to cause a stack-based buffer     overflow, resulting in the execution of arbitrary code.
    (CVE-2016-2210)

  - Multiple flaws exist in the libmspack library due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these     issues, via a specially crafted file, to crash processes     linked against the library or execute arbitrary code.
    (CVE-2016-2211)

  - An overflow condition exists in the     CMIMEParser::UpdateHeader() function due to improper     validation of user-supplied input when parsing MIME     messages. An unauthenticated, remote attacker can     exploit this, via a specially crafted MIME message, to     cause a heap-based buffer overflow, resulting in a     denial of service condition or the execution of     arbitrary code. (CVE-2016-3644)

  - An array indexing error exists in the scan engine     decomposer in the LPkOldFormatDecompressor::UnShrink()     function that is triggered when decoding ZIP archives.
    An unauthenticated, remote attacker can exploit this,     via a specially crafted ZIP file, to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-3645)

  - An integer overflow condition exists in the     Attachment::setDataFromAttachment() function in     Dec2TNEF.dll that is triggered when decoding TNEF files.
    An unauthenticated, remote attacker can exploit this,     via a specially crafted TNEF file, to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-3646)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Symantec Mail Security for Exchange or Domino installed on the remote Windows host is affected by multiple vulnerabilities in the decomposer engine :

  - An array indexing error exists in the UnRAR component in     the Unpack::ShortLZ() function in unpack15.cpp that is     triggered when decompressing RAR files. An     unauthenticated, remote attacker can exploit this, via a     specially crafted RAR file, to corrupt memory, resulting     in the execution of arbitrary code. (CVE-2016-2207)

  - An overflow condition exists when handling PowerPoint     documents due to improper validation of user-supplied     input when handling a misaligned stream-cache. An     unauthenticated, remote attacker can exploit this, via a     specially crafted PPT file, to cause a stack-based     buffer overflow, resulting in the execution of arbitrary     code. (CVE-2016-2209)

  - An overflow condition exists in the     CSymLHA::get_header() function in Dec2LHA.dll that is     triggered when decompressing LZH and LHA archives. An     unauthenticated, remote attacker can exploit this, via a     specially crafted file, to cause a stack-based buffer     overflow, resulting in the execution of arbitrary code.
    (CVE-2016-2210)

  - Multiple flaws exist in the libmspack library due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these     issues, via a specially crafted file, to crash processes     linked against the library or execute arbitrary code.
    (CVE-2016-2211)

  - An overflow condition exists in the     CMIMEParser::UpdateHeader() function due to improper     validation of user-supplied input when parsing MIME     messages. An unauthenticated, remote attacker can     exploit this, via a specially crafted MIME message, to     cause a heap-based buffer overflow, resulting in a     denial of service condition or the execution of     arbitrary code. (CVE-2016-3644)

  - An array indexing error exists in the scan engine     decomposer in the LPkOldFormatDecompressor::UnShrink()     function that is triggered when decoding ZIP archives.
    An unauthenticated, remote attacker can exploit this,     via a specially crafted ZIP file, to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-3645)

  - An integer overflow condition exists in the     Attachment::setDataFromAttachment() function in     Dec2TNEF.dll that is triggered when decoding TNEF files.
    An unauthenticated, remote attacker can exploit this,     via a specially crafted TNEF file, to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-3646)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the Symantec Messaging Gateway (SMG) running on the remote host is 10.x prior to 10.6.1-4. It is, therefore, affected by multiple vulnerabilities :

  - An array indexing error exists in the UnRAR component in     the Unpack::ShortLZ() function in unpack15.cpp that is     triggered when decompressing RAR files. An     unauthenticated, remote attacker can exploit this, via a     specially crafted RAR file, to corrupt memory, resulting     in the execution of arbitrary code. (CVE-2016-2207)

  - An overflow condition exists when handling PowerPoint     documents due to improper validation of user-supplied     input when handling a misaligned stream-cache. An     unauthenticated, remote attacker can exploit this, via a     specially crafted PPT file, to cause a stack-based     buffer overflow, resulting in the execution of arbitrary     code. (CVE-2016-2209)

  - An overflow condition exists in the     CSymLHA::get_header() function in Dec2LHA.dll that is     triggered when decompressing LZH and LHA archives. An     unauthenticated, remote attacker can exploit this, via a     specially crafted file, to cause a stack-based buffer     overflow, resulting in the execution of arbitrary code.
    (CVE-2016-2210)

  - Multiple flaws exist in the libmspack library due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these     issues, via a specially crafted file, to crash processes     linked against the library or execute arbitrary code.
    (CVE-2016-2211)

  - An overflow condition exists in the     CMIMEParser::UpdateHeader() function due to improper     validation of user-supplied input when parsing MIME     messages. An unauthenticated, remote attacker can     exploit this, via a specially crafted MIME message, to     cause a heap-based buffer overflow, resulting in a     denial of service condition or the execution of     arbitrary code. (CVE-2016-3644)

  - An array indexing error exists in the scan engine     decomposer in the LPkOldFormatDecompressor::UnShrink()     function that is triggered when decoding ZIP archives.
    An unauthenticated, remote attacker can exploit this,     via a specially crafted ZIP file, to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-3645)

  - An integer overflow condition exists in the     Attachment::setDataFromAttachment() function in     Dec2TNEF.dll that is triggered when decoding TNEF files.
    An unauthenticated, remote attacker can exploit this,     via a specially crafted TNEF file, to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-3646)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Symantec Endpoint Protection Client installed on the remote host is 12.1 prior to 12.1 RU6 MP5. It is, therefore, affected by multiple vulnerabilities :

  - An array indexing error exists in the UnRAR component in     the Unpack::ShortLZ() function in unpack15.cpp that is     triggered when decompressing RAR files. An     unauthenticated, remote attacker can exploit this, via a     specially crafted RAR file, to corrupt memory, resulting     in the execution of arbitrary code. (CVE-2016-2207)

  - An overflow condition exists when handling PowerPoint     documents due to improper validation of user-supplied     input when handling a misaligned stream-cache. An     unauthenticated, remote attacker can exploit this, via a     specially crafted PPT file, to cause a stack-based     buffer overflow, resulting in the execution of arbitrary     code. (CVE-2016-2209)

  - An overflow condition exists in the     CSymLHA::get_header() function in Dec2LHA.dll that is     triggered when decompressing LZH and LHA archives. An     unauthenticated, remote attacker can exploit this, via a     specially crafted file, to cause a stack-based buffer     overflow, resulting in the execution of arbitrary code.
    (CVE-2016-2210)

  - Multiple flaws exist in the libmspack library due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these     issues, via a specially crafted file, to crash processes     linked against the library or execute arbitrary code.
    (CVE-2016-2211)

  - An overflow condition exists in the     CMIMEParser::UpdateHeader() function due to improper     validation of user-supplied input when parsing MIME     messages. An unauthenticated, remote attacker can     exploit this, via a specially crafted MIME message, to     cause a heap-based buffer overflow, resulting in a     denial of service condition or the execution of     arbitrary code. (CVE-2016-3644)

  - An array indexing error exists in the scan engine     decomposer in the LPkOldFormatDecompressor::UnShrink()     function that is triggered when decoding ZIP archives.
    An unauthenticated, remote attacker can exploit this,     via a specially crafted ZIP file, to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-3645)

  - An integer overflow condition exists in the     Attachment::setDataFromAttachment() function in     Dec2TNEF.dll that is triggered when decoding TNEF files.
    An unauthenticated, remote attacker can exploit this,     via a specially crafted TNEF file, to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-3646)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
93408	Symantec Protection for SharePoint Servers 6.0.3 to 6.0.5 < HF1.5 / 6.0.6 < HF1.6 Multiple Vulnerabilities (SYM16-010)	Nessus	Windows	high
93345	Symantec Protection Engine 7.0.x < 7.0.5 HF01 / 7.5.x < 7.5.3 HF03 / 7.8.x < 7.8.0 HF01 Multiple Vulnerabilities (SYM16-010) (*nix check)	Nessus	Misc.	high
93344	Symantec Protection Engine 7.0.x < 7.0.5 HF01 / 7.5.x < 7.5.3 HF03 / 7.8.x < 7.8.0 HF01 Multiple Vulnerabilities (SYM16-010)	Nessus	Windows	high
92001	Symantec Web Gateway Anti-Virus Definition < 20160628.037 Multiple Vulnerabilities (SYM16-010) (credentialed check)	Nessus	CGI abuses	high
91915	Symantec Mail Security for Exchange / Domino Decomposer Engine Multiple Vulnerabilities (SYM16-010)	Nessus	Windows	high
91896	Symantec Messaging Gateway 10.x < 10.6.1-4 Multiple Vulnerabilities (SYM16-010)	Nessus	CGI abuses	high
91895	Symantec Endpoint Protection Client 12.1.x < 12.1 RU6 MP5 Multiple Vulnerabilities (SYM16-010)	Nessus	Windows	high

Detections

Analytics

CVE-2016-2207

high

Tenable Plugins

high

high

high

high

high

high

high