Attackers could exploit a flaw in Symantec AntiVirus Corporate Edition and Client Security to overwrite kernel addresses, crash machines and run malicious code with elevated user privileges, the vendor warned in an advisory Monday. A fix is available.
Vulnerability researcher Boon Seng Lim notified Symantec of the flaw, which resides in the SAVRT.SYS component of the program. An attacker could use the output buffer of the DeviceIOControl() function to overwrite kernel addresses because the address space of the output buffer was not properly validated, Symantec said, adding, "A successful exploit could potentially allow a local attacker to execute code of their choice with elevated privileges, or to crash the system."
Symantec said the flaw could be exploited under the following scenarios:
- An attacker acquires local interactive access to a computer running the affected application.
- The attacker creates an exploit that interacts with SAVRT.SYS in a manner that triggers this issue. The attacker executes the exploit application.
- The application improperly validates the data. As a result, memory is overwritten with attacker-supplied data.
The flaw affects Symantec AntiVirus Corporate Edition 8.1, 9.0.3 and earlier versions; and Symantec Client Security 1.1, 2.0.3 and earlier.
The Cupertino, Calif.-based antivirus giant said its engineers verified the problem and released updates to address the affected products.
"Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue," the company added.
As a part of normal best practices, Symantec recommends that users keep all application software and operating systems up-to-date with the latest vendor supplied patches.