Norton Anti-Virus Quarantine Server Can Be Crashed By Remote Users
SecurityTracker Alert ID: 1007371
SecurityTracker URL: http://securitytracker.com/id/1007371
Date: Aug 2 2003
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): Corporate Edition, version 7.61
A vulnerability was reported in Norton Anti-Virus in the Symantec Quarantine Server component. A remote user can cause denial of service conditions on the target server.
It is reported that a remote user can connect to the appropriate TCP listener port on the Symantec Quarantine Server and then terminate the connection before sending any data to cause 'qserver.exe' to consume all available CPU resources on the target server.
The specific TCP listening port is configured by the administrator, according to the report.
The Quarantine service must be restarted to return to normal operations.
The vendor credits the Qualys Security Research Team with reporting this flaw.
A remote user can cause the target server to consume all available CPU resources.
The vendor has released a fixed version (Quarantine Server 18.104.22.168) for users of NAV 7.61.
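One way to look for the trigger condition in connection logs, as an added example that is not part of the advisory: it flags sessions to the Quarantine Server listener that closed before the client sent any data. The port number, the five-field record layout and the sample records are assumptions constructed for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Assumption: the listener port is chosen by the administrator;
# 2847 is a placeholder, not a value from the advisory.
QSERVER_PORT = 2847

# Constructed sample flow records (not real traffic):
# start time, client address, server port, bytes sent by client, close type
SAMPLE_FLOWS = """\
2003-08-02T09:14:03,10.1.4.22,2847,5312,FIN
2003-08-02T09:15:41,10.1.7.90,2847,0,RST
2003-08-02T09:15:44,10.1.7.90,2847,0,RST
2003-08-02T09:16:10,10.1.4.23,445,0,RST
2003-08-02T09:17:02,10.1.9.15,2847,0,FIN
garbled line without enough fields
2003-08-02T09:18:30,10.1.4.22,2847,880,FIN
"""

def parse_flows(text):
    """Yield (time, client, port, client_bytes, close) tuples, skipping bad rows."""
    for row in csv.reader(text.splitlines()):
        if len(row) != 5:
            continue
        try:
            yield (datetime.fromisoformat(row[0]), row[1], int(row[2]),
                   int(row[3]), row[4])
        except ValueError:
            continue

def empty_sessions(text, port=QSERVER_PORT):
    """Group sessions to `port` that closed before the client sent any data."""
    hits = defaultdict(list)
    for when, client, dport, client_bytes, close in parse_flows(text):
        if dport == port and client_bytes == 0:
            hits[client].append((when, close))
    # Most active client first; ties broken by address for stable output.
    return sorted(
        ({"client": c, "count": len(v), "first_seen": min(t for t, _ in v),
          "abortive": sum(1 for _, r in v if r == "RST")}
         for c, v in hits.items()),
        key=lambda h: (-h["count"], h["client"]))

if __name__ == "__main__":
    for hit in empty_sessions(SAMPLE_FLOWS):
        print(hit)
```

Since the advisory describes a single empty connection as sufficient, any hit that coincides with sustained CPU use by qserver.exe is worth reviewing; legitimate port scanners and health checks will also appear here.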
The vendor indicates that you should download the fix and then:
- Uninstall the existing version of Quarantine Server (Quarantine Console is reportedly not affected and does not need to be uninstalled)
- Reboot the system.
- Run QSERVER\setup.exe to install the new version of Quarantine Server
- Reboot the system.
- Re-configure the Quarantine Server.
If you are using a version of Quarantine server prior to 2.6 (such as that shipped with NAV 7.5x), the vendor indicates that you should upgrade to a new build.
Vendor URL: securityresponse.symantec.com/avcenter/security/Content/2003.07.29.html
Exception handling error
Source Message Contents
Date: Sat, 02 Aug 2003 01:02:16 -0400
July 28, 2003
Denial of Service Vulnerability in Symantec Quarantine Server
Medium to High
Symantec Central Quarantine Server (qserver.exe) consumes 100% of the CPU when a remote
user connects to the user configurable TCP listener port and abnormally terminates the
Norton AntiVirus Corporate Edition version 7.61
Symantec Anti Virus Corporate Edition version 8.01
Symantec Anti Virus Corporate Edition version 8.1
A user with access to the internal corporate network can cause 100% CPU usage by the
Symantec Central Quarantine Server. This occurs when a user connects to the Symantec
Central Quarantine Server (qserver.exe) on the user configurable TCP listening port and
abnormally terminates the connection prior to sending data. This can cause the Symantec
Quarantine Server service to consume 100% CPU utilization on the affected server. To
regain normal functionality, the Quarantine service must be restarted.
Mitigating the risk - The risk from this vulnerability is greatly reduced if operating
with a perimeter firewall that blocks telnet connections to the internal network as a part
of normal security best practices. With this configuration, the vulnerable version of
Symantec Central Quarantine Server is only accessible by an authorized user on the
internal network and is not exploitable by outside sources.
Customers will need to download the appropriate version of Quarantine server and perform
the following steps:
1. Uninstall the existing version of Quarantine Server. Quarantine Console is not
affected -- it is not necessary to uninstall Quarantine Console.
3. Download and extract the appropriate version of Quarantine Server depending on your
version of SAV:
* If you are using NAV 7.61, install Quarantine Server 2.6
* If you are using SAV 8.01, install Quarantine Server 3.11
* If you are using SAV 8.1, install Quarantine Server 3.2
4. Run QSERVER\setup.exe to install the new version of Quarantine Server
6. It will be necessary to re-configure Quarantine Server after reinstallation.
For reference, after installation the new file versions for qserver.exe will be:
* For QServer 2.6 -> 22.214.171.124
* For QServer 3.11 -> 126.96.36.199
* For QServer 3.2 -> 188.8.131.52
Note: Customers using Quarantine server shipped prior to 2.6 (shipped with NAV 7.5x, for
example) are urged to upgrade to one of these new builds to address the issue.
The discovery and documentation of this vulnerability was conducted by the Qualys Security
Research Team. Symantec Corporation would like to thank Qualys Security Research Team for
identifying and working with us to resolve this issue.
For more information about the Qualys Security Research Team, visit their website at
http://www.qualys.com or send email to firstname.lastname@example.org
Copyright (c) 2003 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not
edited in any way unless authorized by Symantec Security Response. Reprinting the whole or
part of this alert in any medium other than electronically requires permission from
The information in the advisory is believed to be accurate at the time of publishing based
on currently available information. Use of the information constitutes acceptance for use
in an AS IS condition. There are no warranties with regard to this information. Neither
the author nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered
trademarks of Symantec Corp. and/or affiliated companies in the United States and other
countries. All other registered and unregistered trademarks represented in this document
are the sole property of their respective companies/owners.
Last modified on: Thursday, 31-Jul-03 16:20:26