Symantec Alert Management System HNDLRSVC Arbitrary Command Execution
TSL ID: FSC20100727-01
CVE ID(s): Not available.
Severity: Critical
Description

An arbitrary command execution vulnerability exists in the Symantec Alert Management System (AMS2) service installed with multiple Symantec products. The AMS service starts an alert handler service that can be accessed via MsgSys.exe listening on port 38292/TCP and runs with SYSTEM privileges. This service listens for commands from the AMS server, but does not perform proper authentication checks before executing such commands.

Remote unauthenticated attackers can exploit this vulnerability by sending a crafted packet to the target service, and can then execute arbitrary programs with SYSTEM privileges.

The vendor has not released any patch to address this vulnerability. As a workaround, disable the HNDLRSVC service on the affected systems.

Affected Products
  • Symantec Antivirus Corporate Edition 10.1.8.8000 and prior
  • Symantec Systems Center 10.1.8.8000 and prior
CVSS Score
Base 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is COMPLETE
  • Impact of this vulnerability on data integrity is COMPLETE
  • Impact of this vulnerability on data availability is COMPLETE
Temporal 9.0 (E:POC/RL:U/RC:C):
  • The exploitability level of this vulnerability is PROOF OF CONCEPT
  • The remediation level of this vulnerability is UNAVAILABLE
  • The report confidence level of this vulnerability is CONFIRMED