Vulnerability discovered by Piotr Bania of Cisco Talos

Talos is disclosing the presence of a denial of service vulnerability (CVE-2016-5308 / TALOS-2016-0182) in the Portable Executable file scanning functionality of Symantec Norton Security.  A specially crafted PE file can cause an access violation in the IDSvix86 kernel driver when parsing PE files resulting in a denial of service.

A malicious attacker could trigger this vulnerability by emailing the victim a crafted file with a large SizeOfRawData field in a section header. The parser does not check to make sure that this is within the bounds of the file, or MD5Compress which is the function that causes the segfault, therefore if the parameter is big enough, it can cause the MD5Compress function to access memory which is currently unavailable causing the machine to crash.

Talos has worked with Symantec to responsibly disclose this vulnerability. Uncovering new 0-day vulnerabilities not only helps improve the overall security of the software that our customers use, but it also enables us to directly improve the procedures in our own security development lifecycle, which improves the security of all of the products that Cisco produces.

This vulnerability is detected by sids 39466 and 39467.

For the most up to date list, please refer to Defense Center for FireSIGHT Management Center. For further 0-day or vulnerability reports and information visit:

Full details for the advisory can be found at TALOS-2016-0182