Re: Microsoft Exchange + Norton AntiVirus leak local information

["Sym Security" <symsecurity () symantec com>]

On Sept 7 2001, Matthias Andree reported the following issue with Norton
AntiVirus for Microsoft Exchange 2000
-------------------------------------------------------------

                                                                                                           
                    Matthias                                                                               
                    Andree                To:     bugtraq () securityfocus com                                
                    <matthias.andr        cc:                                                              
                    ee () gmx de>            Subject:     Microsoft Exchange + Norton AntiVirus leak local    
                                          information                                                      
                    09/07/01 04:46                                                                         
                    AM                                                                                     
                                                                                                           
                                                                                                           




Intro: I usually attach three lines similar to these in my signature:

| Outlook (Express) users: press Ctrl+F3 for the full source code of this
post.
| begin dont_click_this_virus.exe
| end

In the original, I have two spaces after "begin" which tricks broken
Microsoft software (they still haven't grasped MIME!) into thinking it's
a uuencoded attachment.

Note we're not discussing the political correctness of my signature here.

I recently got a message from an Exchange V6.0.4712.0 site running
Norton Antivirus, which revealed information on where the user filtered
its mailing list to:

--------------------------snip---------------



Symantec Security Response Alert
DTD:  12 September 2001

Subject:
Norton AntiVirus for Microsoft Exchange 2000 Information Disclosure
Vulnerability

Affected:
Symantec Norton AntiVirus for Microsoft Exchange 2000

Reference:
BugTraq posting:  Microsoft Exchange + Norton AntiVirus leak local
information, Matthias Andree
http://www.securityfocus.com/archive/1/212724
BugTraq ID # 3305, http://www.securityfocus.com/bid/3305

Overview:
Matthias Andree recently posted a message to the SecurityFocus BugTraq
mailing list concerning a security exposure issue with Norton AntiVirus for
Microsoft Exchange 2000.  Message attachments sent to a Microsoft Exchange
Server protected by NAVMSE 2.x are scanned for malicious content.  If
malicious content is found in the attachment, it is rejected by NAVMSE and
a notification message is returned to the sender notifying them of the
rejection and the reason.  The "returned" notification, rather than
containing only the "destination" address contains the "path" to the
intended recipient's mail INBOX.  This exposed information could
potentially be used in reconnaissance gathering by a malicious individual
to craft future exploit attempts against the system.  Matthias recommends
disabling the notification feature that returns rejected messages to the
sender.

Symantec response:
Symantec considers alerting the sender that they have sent mail containing
a virus an effective way to combat the proliferation of viruses and our
customers tell us that this is a very effective feature. However, we agree
that, although a very low risk exposure, the current default notification
does exposes more information than is necessary under best security
practices.

In current versions of Norton AntiVirus for Microsoft Exchange 2.x, the
system administrator has the capability to customize the notifications that
are sent when a virus is detected.  By default, the Sender, Recipient and
Administrator are notified when an unrepairable virus is detected. The best
immediate "fix" is to customize the content of the notification message
through the "Global Options" on the "Notify" tab.  Variables are set in the
"Global Options" to customize the content of the virus alert notification
messages.  The current default configuration is set to include the mailbox
location of the infected message recipient.  While this is valuable
information for the system administrator, it is an unnecessary exposure of
information to the sender.  The content of the notification message can be
customized to remove the mailbox location from the "Sender" notification as
follows:

1)   Select the Notification tab under "Global Options",
2)   Choose "Sender" from the "To:" dropdown box.
3)   Go to the "Body:" message box.
4)   Remove the line containing the "%2" variable. This variable adds the
intended recipient's mailbox location.
5)   "Save Settings"

If users desire to customize/disable alert notification, that can be
accomplished by taking the following steps:

1) Select the  "Alerts" tab in the NAVMSE GUI under "Auto-Protect", "Manual
Scan", or "Scheduled Scan".
2) Deselect the notification check boxes as desired.

As part of Symantec's continued efforts to strengthen the overall security
of NAVMSE, the next release of Norton AntiVirus for Microsoft Exchange will
default to sending an alert response without the store location
information.

Credit:
Symantec appreciates the support of individuals such as Matthias Andree in
identifying areas of concern so we can quickly address them.  Symantec
would like the opportunity to work with anyone who discovers what they feel
is a security issue with our products.  Please contact Symantec via email
to security () symantec com for security issues.

Copyright (c) 2001 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Symantec Security
Response. Reprinting the whole or part of this Security Alert in medium
other than electronically requires permission from security () symantec com.

Disclaimer:
The information in the advisory is believed to be accurate at the time of
printing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or consequential
loss or damage arising from use of, or reliance on this information.
Symantec Security Response and Norton AntiVirus for Microsoft Exchange are
Registered Trademarks of Symantec Corp. and/or affiliated companies in the
United States and other countries. All other registered and unregistered
trademarks represented in this document are the sole property of their
respective companies/owners.
For security issues, contact security () symantec com.  If desired, a Symantec
PGP Key (SymSecurity) is available from MIT's PGP key server as well as
from Certserver.pgp.com.

Symantec Security Response
security () symantec com
http://securityresponse.symantec.com

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1

iQA/AwUBO59zvhMwEkwA14VxEQJdwQCgtk79H4Xue6D+dqVl/a8V/GnpfXkAnRFM
Su7PVSfh7UPCPRu6jy0Wb61m
=ZGWw
-----END PGP SIGNATURE-----