Researcher Warns of Zero-day Vulnerabilities in Symantec PGP Product

A security researcher has uncovered two zero-day vulnerabilities in Symantec's desktop encryption product. One of the security issues could potentially be used to trigger the other flaw, he claims.

Security researcher Nikita Tarakanov says that he uncovered an integer overflow vulnerability in the pgpwded.sys driver distributed with Symantec PGP Whole Disk Encryption 10.2.0 Build 299 (up-to-date), according to a post on text-sharing site Pastebin on Jan. 7. This vulnerability affected all versions of Windows, Tarakanov wrote on Twitter.

"Symantec is aware of the claims about arbitrary code vulnerabilities affecting its PGP Whole Disk Encryption product. These claims are currently being investigated and we have no additional information to share at this time," a Symantec spokesperson told SecurityWeek.

Tarakanov uncovered this bug days after Symantec downplayed a different vulnerability in PGP Desktop. Over Christmas, Tarakanov had discovered an arbitrary memory overwrite vulnerability in the same driver file for PGP Desktop WDE. If exploited successfully, this flaw would allow malicious code execution.

Symantec acknowledged the vulnerability, but noted that it cannot be easily exploited as certain conditions must first be met. The attacker needs to be logged into a Windows XP or Windows 2003 system, but even so, wouldn't be able to take advantage of the security issue unless the vulnerable system first encountered an error condition, Symantec said in a post on its Encryption Blog.

An error condition is when a program escapes its execution to report an issue for a developer to monitor and correct, David Schwartzberg, a senior security engineer at Sophos, told SecurityWeek. (Disclosure: Sophos does offer products that compete with some Symantec offerings.) Poor programming will result in unmonitored error conditions which can be exploited with malware because the malware will respond to the error thrown, Schwartzberg said.

"It's not of big concern as the stars need to be aligned for this to be exploited," wrote Kelvin Kwan, product marketing manager at Symantec.

While difficult, it is possible to craft an attack to execute the zero-day, Schwartzberg said. If the pre-boot authentication option on PGP Desktop WDE is enabled, then there is no way to locally access the device until after the user has successfully logged in. However, if the pre-boot authentication setting is not enabled, "it makes it that much easier to get to Windows," Schwartzberg said.

Knowing pre-boot authentication is not set, an attacker would be able to take advantage of some other security vulnerability to run code that forces an error condition. Once there is an error condition, the attacker would be able to bypass PGP's disk encryption and access the data stored on the drive, Schwartzberg said.

It's possible that the second zero-day vulnerability Tarakanov found could be exploited to execute arbitrary code to create that error condition.

"Hope you don't lose any encrypted laptops with Symantec's PGP Desktop 10.2.0 Build 2599," Schwartzberg said.

"The plan is to have a fix in an upcoming maintenance pack. The expected availability of the maintenance pack is early February," Symantec's Kwan said, referring to the first arbitrary memory overwrite vulnerability.

Until the maintenance pack is available, the best way to protect user data is to ensure pre-boot authentication is enabled on PGP Desktop so that Windows doesn't load until after the user logs in, Schwartzberg said.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.