Vulnerability Name:

CVE-2007-2955 (CCN-35944)

Assigned:2007-08-09
Published:2007-08-09
Updated:2017-07-29
Summary:Multiple unspecified "input validation error" vulnerabilities in multiple ActiveX controls in NavComUI.dll, as used in multiple Norton AntiVirus, Internet Security, and System Works products for 2006, allow remote attackers to execute arbitrary code via (1) the AnomalyList property to AxSysListView32 and (2) the Anomaly property to AxSysListView32OAA.
CVSS v3 Severity:9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.6 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)
5.6 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2007-2955

Source: CCN
Type: SA25215
Symantec Products NavComUI ActiveX Control Code Execution

Source: SECUNIA
Type: UNKNOWN
25215

Source: CCN
Type: Secunia Research 09/08/2007
Symantec Products NavComUI ActiveX Control Code Execution

Source: MISC
Type: Vendor Advisory
http://secunia.com/secunia_research/2007-53/advisory/

Source: CCN
Type: SYM07-021
Symantec ActiveX Control Input Validation Error

Source: CCN
Type: SECTRACK ID: 1018545
Norton Internet Security Input Validation Flaw in NAVCOMUI.DLL ActiveX Controls Let Remote Users Execute Arbitrary Code

Source: CCN
Type: SECTRACK ID: 1018546
Norton System Works Input Validation Flaw in NAVCOMUI.DLL ActiveX Controls Let Remote Users Execute Arbitrary Code

Source: CCN
Type: SECTRACK ID: 1018547
Norton Anti-Virus Input Validation Flaw in NAVCOMUI.DLL ActiveX Controls Let Remote Users Execute Arbitrary Code

Source: CCN
Type: OSVDB ID: 36477
Symantec Multiple Products NavComUI ActiveX Multiple Property Arbitrary Code Execution

Source: BID
Type: UNKNOWN
24983

Source: CCN
Type: BID-24983
Symantec Norton Products NAVCOMUI.DLL ActiveX Control Remote Code Execution Vulnerability

Source: SECTRACK
Type: UNKNOWN
1018545

Source: SECTRACK
Type: UNKNOWN
1018546

Source: SECTRACK
Type: UNKNOWN
1018547

Source: CONFIRM
Type: UNKNOWN
http://www.symantec.com/avcenter/security/Content/2007.08.09.html

Source: VUPEN
Type: UNKNOWN
ADV-2007-2822

Source: XF
Type: UNKNOWN
symantec-navcomui-code-execution(35944)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:symantec:norton_antivirus:2006:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:norton_internet_security:2005:*:anti_spyware:*:*:*:*:*
  • OR cpe:/a:symantec:norton_internet_security:2006:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:norton_system_works:2006:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:symantec:norton_system_works:2006:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:norton_antivirus:2006:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:norton_internet_security:2006:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    symantec norton antivirus 2006
    symantec norton internet security 2005
    symantec norton internet security 2006
    symantec norton system works 2006
    symantec norton system works 2006
    symantec norton antivirus 2006
    symantec norton internet security 2006