
Flaws in multiple Symantec products fixed

Bill Brenner, News Writer

Symantec recommends users apply a hotfix it released Tuesday to address a high-risk vulnerability in its Gateway Security, Enterprise Firewall and VelociRaptor products. Attackers could use the flaw for DNS cache poisoning and to redirect users to Web sites that can nail their computers with spyware and other malcode.

"Affected Symantec security gateway products configured as a DNS caching server or as a primary DNS server were experiencing problems with name resolution whereby host name lookups to common sites were resolving to bogus addresses," the Cupertino, Calif.-based antivirus giant said in its advisory. "In-depth analysis of this incident and the stance of Symantec's security gateway products provided details that allowed Symantec to harden DNSd even further against unknown attack vectors for this class of attack."

The issue affects:

  • Gateway Security 5300 Series 1.0
  • Gateway Security 5400 Series 2.0
  • Enterprise Firewall 7.0 for Windows and Solaris
  • Enterprise Firewall 8.0 for Windows and Solaris
  • VelociRaptor, Model 1100/1200/1300 version 1.5

DNS cache poisoning can happen when inaccurate DNS records are dropped into a DNS server's cache tables, overwriting a valid name server record with the address of an attacker's own DNS server. As Symantec noted, "Subsequent queries for a targeted site would then be redirected to the rogue DNS server, which would respond with its own addresses for those lookups, preventing users from accessing the legitimate site."
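The overwrite described above can be modeled in a few lines. This is an added example, not code from Symantec or its hotfix: a toy resolver cache that either stores every record in a response or applies a bailiwick check, a common resolver hardening that only accepts records inside the zone the responding server was asked about. The class and function names, zones and addresses are all constructed for illustration.

```python
# Added illustration: constructed model of a resolver cache, not Symantec code.
# All names and addresses are sample values from reserved ranges.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "example.com"
    rtype: str   # "NS" or "A"
    value: str

def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or a subdomain of it (label-aligned)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

@dataclass
class Cache:
    check_bailiwick: bool
    table: dict = field(default_factory=dict)
    rejected: list = field(default_factory=list)

    def store_response(self, server_zone, records):
        """Cache records from a response sent by a server for `server_zone`."""
        for r in records:
            if self.check_bailiwick and not in_bailiwick(r.name, server_zone):
                self.rejected.append(r)   # out-of-zone record: log it, do not cache
                continue
            self.table[(r.name.lower(), r.rtype)] = r.value

    def lookup(self, name, rtype):
        return self.table.get((name.lower(), rtype))

def demo(check_bailiwick):
    cache = Cache(check_bailiwick)
    # Valid delegation learned earlier from the example.com servers.
    cache.store_response("example.com", [Record("example.com", "NS", "ns1.example.com")])
    # Later response from a server for rogue.test carrying an extra NS record
    # for a zone it has no authority over.
    cache.store_response("rogue.test", [
        Record("www.rogue.test", "A", "192.0.2.10"),
        Record("example.com", "NS", "ns.rogue.test"),
    ])
    return cache.lookup("example.com", "NS"), len(cache.rejected)

if __name__ == "__main__":
    print("no check:       ", demo(False))
    print("bailiwick check:", demo(True))
```

The `rejected` list is the useful detection signal here: an out-of-zone name server record in a response is worth alerting on even when the cache refuses it.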

The Bethesda, Md.-based SANS Internet Storm Center (ISC) brought the problem to light in a March 4 handler's diary, which indicated users were being redirected to Web sites that would try to download spyware and adware modules to the users' browsers.

"Shortly after the abnormal activity was initially reported, the offending IP addresses were blocked by their ISP until the offending DNS servers' configuration was corrected," Symantec said in its advisory. Symantec also noted the ISC's assessment that "other non-Symantec product users" reported similar activity "so this malicious action appears not to have been limited to Symantec security gateway products."

