CVE-2016-2208
Published: 2016-05-19
Priority: P2 65 · critical 9.1 (CVSS 3.0) · vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Tags: EXPLOIT
EPSS: 19.18% (97.0th percentile)
The kernel component in Symantec Anti-Virus Engine (AVE) 20151.1 before 20151.1.1.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory access violation and system crash) via a malformed PE header file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| symantec | anti-virus_engine | <= 20151.1.0.32 | — |
Detection & IOCs (extracted from sources)
Path: \??\C:\Program Files\Norton Security\NortonData\22.6.0.142\Definitions\VirusDefs\20160506.004\NAVEX15.SYS
- Trigger condition: a malformed PE header in an ASPack-packed executable where SizeOfRawData is greater than SizeOfImage, which causes a heap/pool overflow during the AV scan. Look for PE files with a section raw size exceeding the image size.
- Exploit delivery requires no user interaction beyond receiving an email or visiting a URL: the Symantec filter driver intercepts all system I/O and scans the file automatically on download or receipt.
- On Windows, monitor for PAGE_FAULT_IN_NONPAGED_AREA (BugCheck 0x50) kernel crashes originating from NS.exe or ccSvcHost.exe, particularly with a faulting instruction in nt!memcpy triggered by NAVEX15.SYS.
- Crafted PE section table pattern for detecting the PoC: a section named '.data' with RVA=fff8, VSZ=0, RAW_SZ=ffffffff. Flag any PE with a section whose SizeOfRawData is 0xFFFFFFFF.
- On Linux/Mac, monitor for unexpected heap corruption crashes (SIGSEGV/SIGABRT) in the Symantec or Norton scanning process running as root when processing PE/ASPack files.
- The vulnerability exists in the kernel-loaded scan engine on Windows (NAVEX15.SYS loaded into ring 0), so exploitation results in kernel pool corruption; standard user-mode mitigations (ASLR, DEP) do not apply.
- File extension is irrelevant for triggering the vulnerability: the scan engine processes file content regardless of extension, so renaming the malicious PE (e.g., to .txt) does not prevent exploitation.
- Affected version is Symantec Anti-Virus Engine (AVE) 20151.1 before 20151.1.1.4; the NAVEX15.SYS timestamp in the crash dump is Tue Oct 13 17:32:30 2015 (561DA29E), which can be used to identify unpatched installations.
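The two section-table indicators above (SizeOfRawData greater than SizeOfImage, or SizeOfRawData equal to 0xFFFFFFFF) can be checked directly from the PE headers without loading the file. The following is an added example, not code from the page's sources or from Symantec: a small PE section-table walker plus a constructed, non-loadable header fixture (no code, not ASPack-packed) used only to exercise the detector. Offsets follow the standard PE/COFF layout; `find_suspicious_sections` and `build_pe_fixture` are names chosen here.

```python
import struct

PE_SIG = b"PE\0\0"

def parse_sections(data):
    """Walk the DOS/COFF/optional headers and return (SizeOfImage, section headers)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("not a PE file: bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # SizeOfImage sits at offset 56 of the optional header for both PE32 and PE32+
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    table = opt + size_of_opt
    sections = []
    for i in range(num_sections):  # each section header is 40 bytes
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rva, raw_size, raw_ptr))
    return size_of_image, sections

def find_suspicious_sections(data):
    """Flag sections matching the CVE-2016-2208 trigger pattern from the IOC list above."""
    size_of_image, sections = parse_sections(data)
    hits = []
    for name, vsize, rva, raw_size, raw_ptr in sections:
        reasons = []
        if raw_size == 0xFFFFFFFF:
            reasons.append("SizeOfRawData == 0xFFFFFFFF")
        if raw_size > size_of_image:
            reasons.append("SizeOfRawData > SizeOfImage")
        if reasons:
            hits.append({"section": name, "rva": rva, "size_of_raw_data": raw_size, "reasons": reasons})
    return hits

def build_pe_fixture(raw_size, size_of_image=0x2000):
    """Constructed minimal PE32 header (no code, not loadable) used only to exercise the detector."""
    dos = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 56, size_of_image)
    # Section table mirrors the IOC: '.data', VirtualSize 0, RVA 0xFFF8, SizeOfRawData as given
    sec = struct.pack("<8sIIIIIIHHI", b".data", 0, 0xFFF8, raw_size, 0x200, 0, 0, 0, 0, 0x40000040)
    return bytes(dos) + PE_SIG + coff + bytes(opt) + sec
```

A benign fixture (`build_pe_fixture(0x200)`) yields no hits; the IOC pattern (`build_pe_fixture(0xFFFFFFFF)`) is flagged on both rules.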
CVSS provenance
- NVD, CVSS v3.0: 9.1 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- NVD, CVSS v2.0: 9.4 CRITICAL, AV:N/AC:L/Au:N/C:N/I:C/A:C
GHSA
GHSA-hqr3-2jm7-5j3p (ghsa_unreviewed · 2022-05-17) [CRITICAL]: The kernel component in Symantec Anti-Virus Engine (AVE) 20151.1 before 20151.1.1.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory access violation and system crash) via a malformed PE header file.
Project Zero
How to Compromise the Enterprise Endpoint - Project Zero (project_zero · 2016-06-01)
Posted by Tavis Ormandy.
Symantec is a popular vendor in the enterprise security market; their flagship product is Symantec Endpoint Protection. They sell various products using the same core engine in several markets, including a consumer version under the Norton brand.
Today we’re publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws.
These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.
As Symantec use the same core engine across their entire product li
No detection rules found.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/90653
- http://www.securitytracker.com/id/1035903
- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20160516_00
- https://bugs.chromium.org/p/project-zero/issues/detail?id=820
- https://www.exploit-db.com/exploits/39835/