JVN#87683137
Norton Security for Mac improperly processes ICMP packets
Overview
Norton Security for Mac improperly processes ICMP packets, resulting in OS to crash.
Products Affected
- Norton Security for Mac versions prior to 8.6.6
Description
Norton Security for Mac provided by NortonLifeLock Inc. is antivirus software.
Norton Security for Mac improperly processes ICMP packets, which may result in OS to crash (CWE-20).
Impact
An unprivileged user may cause a denial-of-service (DoS) condition on the OS.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer states that the vulnerability does not exist if the product is updated to version 8.6.6 or later, with macOS 10.15 or later.
Vendor Status
| Vendor | Link |
| NortonLifeLock Inc. | Introducing Norton™ 360 |
| Norton Security for Mac 8.6.6 is now available! |
References
JPCERT/CC Addendum
CVE ID for this vulnerability should be assigned by NortonLifeLock Inc. as they are CNA and the product is under their scope. Once the CVE ID is assigned, this page will be updated.
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Yuki Meguro of Tohoku Information Systems Company, Incorporated reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
|
| JVN iPedia |
JVNDB-2022-000017 |