CVE-2016-3645

Q: What is the severity of CVE-2016-3645?

CVE-2016-3645 has a CVSS score of 9.8 (CRITICAL). This integer overflow vulnerability in Symantec's TNEF unpacker allows remote attackers to execute arbitrary code via specially crafted TNEF data. It affects numerous Symantec security products across Windows, Mac, and Linux platforms. Attackers can exploit this without authentication to potentially take full control of affected systems.

9.8 CRITICAL

Remote Code Execution

📋 TL;DR

This integer overflow vulnerability in Symantec's TNEF unpacker allows remote attackers to execute arbitrary code via specially crafted TNEF data. It affects numerous Symantec security products across Windows, Mac, and Linux platforms. Attackers can exploit this without authentication to potentially take full control of affected systems.

💻 Affected Systems

Products:

Symantec Advanced Threat Protection (ATP)
Symantec Data Center Security:Server (SDCS:S)
Symantec Web Gateway
Symantec Endpoint Protection (SEP)
Symantec Endpoint Protection (SEP) for Mac
Symantec Endpoint Protection (SEP) for Linux
Symantec Protection Engine (SPE)
Symantec Protection for SharePoint Servers (SPSS)
Symantec Mail Security for Microsoft Exchange (SMSMSE)
Symantec Mail Security for Domino (SMSDOM)
CSAPI
Symantec Message Gateway (SMG)
Symantec Message Gateway for Service Providers (SMG-SP)
Norton AntiVirus
Norton Security
Norton Internet Security
Norton 360
Norton Security for Mac
Norton Power Eraser (NPE)
Norton Bootable Removal Tool (NBRT)

Versions: See detailed version ranges in CVE description

Operating Systems: Windows, macOS, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable as this affects core TNEF parsing functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Remote code execution allowing attackers to install malware, create backdoors, or exfiltrate sensitive data.

🟢

If Mitigated

Denial of service or application crash if exploit fails or controls limit impact.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit available on Exploit-DB (ID 40035). Crafted TNEF data can be delivered via email attachments or other vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by product - see vendor advisory for specific version requirements

Vendor Advisory: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00

Restart Required: Yes

Instructions:

1. Identify affected Symantec products and versions. 2. Download and apply appropriate patches from Symantec. 3. Restart affected services or systems as required. 4. Verify patch installation.

🔧 Temporary Workarounds

Block TNEF attachments at perimeter

all

Configure email gateways to block or quarantine TNEF attachments (.dat files with winmail.dat content-type)

Disable TNEF processing

all

If supported by specific Symantec product, disable TNEF unpacking functionality

🧯 If You Can't Patch

Isolate affected systems from untrusted networks
Implement strict network segmentation and monitor for exploit attempts

🔍 How to Verify

Check if Vulnerable:

Check installed Symantec product versions against affected ranges in vendor advisory

Check Version:

Varies by product - typically via product console or 'symantec-version' command

Verify Fix Applied:

Verify product version is updated to patched version and check for successful update in logs

📡 Detection & Monitoring

Log Indicators:

Symantec service crashes
Unexpected process creation from Symantec services
Memory access violations in Symantec logs

Network Indicators:

Inbound emails with TNEF attachments
Network traffic to/from Symantec services on unusual ports

SIEM Query:

source="symantec*" AND (event_type="crash" OR event_type="exception")

📊 Metadata

CVE ID: CVE-2016-3645

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-189

Published: June 30, 2016

Last Updated: April 12, 2025

🔗 References

http://www.securityfocus.com/bid/91439 Third Party Advisory,VDB Entry
http://www.securitytracker.com/id/1036198 Third Party Advisory,VDB Entry
http://www.securitytracker.com/id/1036199 Third Party Advisory,VDB Entry
https://www.exploit-db.com/exploits/40035/ Third Party Advisory,VDB Entry
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00 Vendor Advisory
http://www.securityfocus.com/bid/91439 Third Party Advisory,VDB Entry
http://www.securitytracker.com/id/1036198 Third Party Advisory,VDB Entry
http://www.securitytracker.com/id/1036199 Third Party Advisory,VDB Entry
https://www.exploit-db.com/exploits/40035/ Third Party Advisory,VDB Entry
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Advanced Threat Protection by Symantec

Csapi by Symantec

Data Center Security Server by Symantec

Data Center Security Server by Symantec

Data Center Security Server by Symantec

Data Center Security Server by Symantec

Data Center Security Server by Symantec

Data Center Security Server by Symantec

Endpoint Protection by Symantec

Endpoint Protection by Symantec

Endpoint Protection by Symantec

Endpoint Protection by Symantec

Endpoint Protection by Symantec

Endpoint Protection by Symantec

Endpoint Protection by Symantec

Mail Security For Domino by Symantec

Mail Security For Domino by Symantec

Mail Security For Microsoft Exchange by Symantec

Mail Security For Microsoft Exchange by Symantec

Mail Security For Microsoft Exchange by Symantec

Message Gateway by Symantec

Message Gateway For Service Providers by Symantec

Message Gateway For Service Providers by Symantec

Ngc by Symantec

Norton 360 by Symantec

Norton Antivirus by Symantec

Norton Bootable Removal Tool by Symantec

Norton Internet Security by Symantec

Norton Power Eraser by Symantec

Norton Security by Symantec

Norton Security by Symantec

Norton Security With Backup by Symantec

Protection Engine by Symantec

Protection Engine by Symantec

Protection Engine by Symantec

Protection For Sharepoint Servers by Symantec

Protection For Sharepoint Servers by Symantec

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Block TNEF attachments at perimeter

Disable TNEF processing

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities