Flaws in multiple Symantec products fixed

Symantec has released a hotfix addressing a DNS cache poisoning and redirection threat that the SANS Internet Storm Center brought to light.

Symantec recommends users apply a hotfix it released Tuesday to address a high-risk vulnerability in its Gateway Security, Enterprise Firewall and VelociRaptor products. Attackers could use the flaw for DNS cache poisoning and to redirect users to Web sites that can nail their computers with spyware and other malcode.

"Affected Symantec security gateway products configured as a DNS caching server or as a primary DNS server were experiencing problems with name resolution whereby host name lookups to common sites were resolving to bogus addresses," the Cupertino, Calif.-based antivirus giant said in its advisory. "In-depth analysis of this incident and the stance of Symantec's security gateway products provided details that allowed Symantec to harden DNSd even further against unknown attack vectors for this class of attack."

The issue affects:

  • Gateway Security 5300 Series 1.0
  • Gateway Security 5400 Series 2.0
  • Enterprise Firewall 7.0 for Windows and Solaris
  • Enterprise Firewall 8.0 for Windows and Solaris
  • VelociRaptor, Model 1100/1200/1300 version 1.5

DNS cache poisoning can happen when inaccurate DNS records are dropped into a DNS server's cache tables, overwriting a valid name server record with the address of the attacker's own DNS server. As Symantec noted, "Subsequent queries for a targeted site would then be redirected to the rogue DNS server, which would respond with its own addresses for those lookups, preventing users from accessing the legitimate site."
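To make the mechanism concrete, the following added example (not Symantec's DNSd code, and not from the advisory) simulates a tiny resolver cache. A reply from one zone's server carries an NS record and glue address for an unrelated zone; a cache that accepts every record in the reply has its valid name server record overwritten, while a cache that applies a bailiwick check (only caching records whose owner name lies within the zone the query was sent to) rejects the smuggled records. All hostnames and addresses are constructed, using the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type (A or NS) and RDATA."""
    name: str
    rtype: str
    data: str


@dataclass
class Response:
    """The three record sections of a DNS reply."""
    answer: list
    authority: list
    additional: list


def in_bailiwick(owner: str, zone: str) -> bool:
    """Label-wise check that `owner` is `zone` or lies beneath it.

    Comparing whole labels (not substrings) means 'evil-other.example.' is
    not treated as part of 'other.example.'.
    """
    o = owner.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(o) >= len(z) and o[-len(z):] == z


class ResolverCache:
    """Minimal cache keyed by (owner name, record type); no TTL handling."""

    def __init__(self, check_bailiwick: bool):
        self.check_bailiwick = check_bailiwick
        self.records: dict[tuple[str, str], str] = {}

    def store(self, rr: RR) -> None:
        self.records[(rr.name.lower(), rr.rtype)] = rr.data

    def lookup(self, name: str, rtype: str):
        return self.records.get((name.lower(), rtype))

    def ingest(self, resp: Response, zone: str) -> list[RR]:
        """Cache a reply received from `zone`'s server; return rejected records."""
        rejected = []
        for rr in resp.answer + resp.authority + resp.additional:
            if self.check_bailiwick and not in_bailiwick(rr.name, zone):
                rejected.append(rr)  # out-of-bailiwick data is never trusted
                continue
            self.store(rr)
        return rejected


# Constructed sample data: the legitimate delegation for bank.example.
LEGIT_NS = RR("bank.example.", "NS", "ns1.bank.example.")
LEGIT_NS_A = RR("ns1.bank.example.", "A", "192.0.2.10")

# Constructed reply to a query for www.other.example, from other.example's
# server, that smuggles an NS record and glue for the unrelated bank.example zone.
ROGUE_REPLY = Response(
    answer=[RR("www.other.example.", "A", "198.51.100.5")],
    authority=[RR("bank.example.", "NS", "ns.rogue.example.")],
    additional=[RR("ns.rogue.example.", "A", "203.0.113.66")],
)


def simulate(check_bailiwick: bool) -> dict:
    """Seed a cache with the valid NS record, feed it the rogue reply, and
    report which name server the cache now holds for bank.example."""
    cache = ResolverCache(check_bailiwick)
    cache.store(LEGIT_NS)
    cache.store(LEGIT_NS_A)
    rejected = cache.ingest(ROGUE_REPLY, zone="other.example.")
    ns = cache.lookup("bank.example.", "NS")
    return {
        "ns_for_bank": ns,
        "ns_address": cache.lookup(ns, "A"),
        "rejected": [rr.name for rr in rejected],
    }


if __name__ == "__main__":
    for flag in (False, True):
        state = "on" if flag else "off"
        print(f"bailiwick check {state}: {simulate(flag)}")
```

With the check off, the cache ends up sending every later query for bank.example to the rogue server's address, which is exactly the redirection the advisory describes; with the check on, both smuggled records are dropped and the legitimate delegation survives. Real resolvers add further defences on top of this (transaction ID and source port randomisation, DNSSEC validation), but bailiwick checking is the rule that directly blocks the overwrite described above.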

The Bethesda, Md.-based SANS Internet Storm Center (ISC) brought the problem to light in a March 4 handler's diary, which indicated users were being redirected to Web sites that would try to download spyware and adware modules into users' browsers.

"Shortly after the abnormal activity was initially reported, the offending IP addresses were blocked by their ISP until the offending DNS servers' configuration was corrected," Symantec said in its advisory. Symantec also noted the ISC's assessment that "other non-Symantec product users" reported similar activity "so this malicious action appears not to have been limited to Symantec security gateway products."
