

By default, this page shows the latest messages sent by CERT RENATER to the community. You can filter by year or by message type. If no criterion is specified, only the latest messages are displayed.

Date: Fri, 18 Sep 2015 11:56:01 +0200
Type: VULN
Subject: CERT-Renater : 2015/VULN197 (Symantec : Symantec Web Gateway Security Management Console Multiple Issues)

                              Information Note No. 2015/VULN197

DATE                : 18/09/2015


OPERATING SYSTEM(S): Systems running Symantec Web Gateway version up to
                      and including 5.2.2.

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2015&suid=20150916_00

Security Advisories Relating to Symantec Products -


September 16, 2015



Issue                                          Severity  CVSS2 Base Score  Impact  Exploitability  CVSS2 Vector
Unauthorized Redirect Bypass RCE               High      8.5               10      6.8             AV:N/AC:M/Au:S/C:C/I:C/A:C
Unauthenticated Reflected XSS in .php scripts  Medium    4.7               4.9     6.4             AV:N/AC:L/Au:M/C:P/I:P/A:N
Authenticated File Upload RCE                  High      7.0               10      3.5             AV:A/AC:M/Au:M/C:C/I:C/A:C
Code Injection in Traffic Capture EoP          High      7.0               10      3.5             AV:A/AC:M/Au:M/C:C/I:C/A:C
Command Injection at Boot Time EoP             High      7.2               10      4.1             AV:A/AC:L/Au:M/C:C/I:C/A:C
Blind Time-based SQL Injection in .PHP script  Medium    4.5               6.4     3.5             AV:A/AC:M/Au:M/C:P/I:P/A:P
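The Impact, Exploitability and Base Score columns above follow directly from each CVSS2 vector. The calculator below is an added example (not part of the Symantec or CERT-Renater advisory) that recomputes them with the CVSS v2 base equations and checks every row of the table, so an analyst can spot a transcription error or re-score an issue whose vector they disagree with; the row list is constructed from the table text.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights, as published in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality / Integrity / Availability


def round1(x):
    """CVSS v2 round_to_1_decimal: half-up to one decimal, done in Decimal to avoid float drift."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base(vector):
    """Return (base_score, impact, exploitability) for a CVSS v2 vector string
    such as 'AV:N/AC:M/Au:S/C:C/I:C/A:C'. Raises ValueError on a malformed vector."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    try:
        impact = 10.41 * (1 - (1 - CIA[metrics["C"]]) * (1 - CIA[metrics["I"]])
                          * (1 - CIA[metrics["A"]]))
        exploitability = 20 * AV[metrics["AV"]] * AC[metrics["AC"]] * AU[metrics["Au"]]
    except KeyError as exc:
        raise ValueError(f"bad or missing metric {exc} in {vector!r}")
    f_impact = 0 if impact == 0 else 1.176           # f(Impact) from the spec
    base = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # The base score is computed from the unrounded sub-scores, then rounded.
    return round1(base), round1(impact), round1(exploitability)


# Rows constructed from the advisory table: (issue, vector, (base, impact, exploitability)).
ADVISORY_ROWS = [
    ("Unauthorized Redirect Bypass RCE", "AV:N/AC:M/Au:S/C:C/I:C/A:C", (8.5, 10.0, 6.8)),
    ("Unauthenticated Reflected XSS in .php scripts", "AV:N/AC:L/Au:M/C:P/I:P/A:N", (4.7, 4.9, 6.4)),
    ("Authenticated File Upload RCE", "AV:A/AC:M/Au:M/C:C/I:C/A:C", (7.0, 10.0, 3.5)),
    ("Code Injection in Traffic Capture EoP", "AV:A/AC:M/Au:M/C:C/I:C/A:C", (7.0, 10.0, 3.5)),
    ("Command Injection at Boot Time EoP", "AV:A/AC:L/Au:M/C:C/I:C/A:C", (7.2, 10.0, 4.1)),
    ("Blind Time-based SQL Injection in .PHP script", "AV:A/AC:M/Au:M/C:P/I:P/A:P", (4.5, 6.4, 3.5)),
]


def check_table(rows):
    """Recompute each row; return [(issue, matches_published, computed_scores), ...]."""
    return [(issue, cvss2_base(vec) == published, cvss2_base(vec))
            for issue, vec, published in rows]


if __name__ == "__main__":
    for issue, ok, scores in check_table(ADVISORY_ROWS):
        print(f"{'OK ' if ok else 'BAD'} {scores} {issue}")
```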

The Symantec Web Gateway (SWG) Appliance management console is susceptible
to a number of security vulnerabilities. Successful exploitation may
result in an authorized but less-privileged user, or in some instances an
unauthorized user, potentially gaining access to unauthorized files on the
management console, or possibly gaining elevated privileges on the
management console and the underlying OS.

Product(s) Affected

Product                         Version          Solution
Symantec Web Gateway Appliance  5.2.2 and prior  Download the latest DB update, v5.0.0.1277 or later

NOTE: Customers should always ensure they are running the latest database
updates available for download.


Symantec was notified of security issues impacting the Symantec Web
Gateway (SWG) management console. The results of successful
exploitation could potentially range from a user with authorized but
lower-privileged access to the management console gaining unauthorized
access to sensitive data or another user's account to unauthorized
manipulation of the console and underlying operating system.

Authenticated access blind time-based SQL injection issues were
identified allowing an authenticated but less-privileged SWG user to
potentially make unauthorized database queries.

An authorized user could potentially inject arbitrary commands through
the SWG console's hostname interface if the attacker already has some
level of privileged access.

As a result of weak authentication and sanitization of user controlled
input, an authorized but less-privileged user could potentially upload
arbitrary code to be executed by application scripts used by the SWG
management console potentially resulting in arbitrary command execution
with application privileges.

SWG in certain cases improperly validates/sanitizes external input
allowing the potential for an authorized access redirect bypass. By
manipulating a weakness in additional functionality of the console, an
authorized but less-privileged user may be able to bypass authorization
checks and inject arbitrary commands in the appliance OS with elevated

SWG fails to properly validate/sanitize certain external input allowing
the potential for reflected cross-site scripting attempts by both
authorized but non-privileged and in some instances unauthorized
individuals who can entice a logged in web console user to visit a
malicious site. Successful targeting of these issues could potentially
result in the hijacking of an authorized Symantec Web Gateway user
session with associated privileges.

NOTE: In a normal installation, the Symantec Web Gateway management
console interface should never be accessible external to the authorized
network. However, an authorized but less-privileged network user or an
external attacker able to leverage network access could attempt to
exploit these weaknesses.

Symantec Response

Symantec engineers validated these submissions. A Symantec Web Gateway
database update, version, has been released to address
them. The latest Symantec Web Gateway database update is currently
available to customers through normal support locations. Symantec is
not aware of exploitation of or adverse customer impact from these

Customers should ensure they are on the latest release of Symantec Web
Gateway 5.2.2 and running the latest database update v5.0.0.1277 or
later. To confirm they are running the latest updates, customers should check
"Current Software Version -> Current Version" on the
Administration -> Updates page. Alternatively, customers can click the
"Check for Updates" button on the Administration -> Updates page to
verify that they are running the latest software version.

Best Practices

As part of normal best practices, Symantec strongly recommends:

Restrict access to administration or management systems to privileged

Disable remote access if not required or restrict it to
trusted/authorized systems only.

Where possible, limit exposure of application and web interfaces to
trusted/internal networks only.

Keep all operating systems and applications updated with the latest
vendor patches.

The Symantec Web Gateway software and any applications that are
installed on the Symantec Web Gateway can ONLY be updated with
authorized and tested versions distributed by Symantec.

Follow a multi-layered approach to security. Run both firewall and
anti-malware applications, at a minimum, to provide multiple points of
detection and protection to both inbound and outbound threats.

Deploy network and host-based intrusion detection systems to monitor
network traffic for signs of anomalous or suspicious activity. This may
aid in detection of attacks or malicious activity related to
exploitation of latent vulnerabilities.

Symantec thanks Jos Wetzels with LeakFree Security, as well as an
anonymous researcher working with HP's Zero Day Initiative (ZDI). We
would also like to thank ZDI for working with us as we resolved their

Symantec thanks Daniel Jensen with Security-Assessment.com for
submitting his findings and working with us as we resolved them.


BID: Security Focus, http://www.securityfocus.com, has assigned Bugtraq
IDs (BIDs) to these issues for inclusion in the Security Focus
vulnerability database.

CVE: These issues are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

CVE		BID	Description
CVE-2015-5690	76725	Unauthorized Redirect Bypass RCE
CVE-2015-5691	76728	Unauthenticated Reflected XSS in .php scripts
CVE-2015-5692	76726	Authenticated File Upload RCE
CVE-2015-5693	76731	Code Injection in Traffic Capture EoP
CVE-2015-6547	76730	Command Injection at Boot Time EoP
CVE-2015-6548	76729	Blind Time-based SQL Injection in .PHP script

Symantec takes the security and proper functionality of our products
very seriously. As founding members of the Organization for Internet
Safety (OISafety), Symantec supports and follows responsible disclosure

Please contact secure@symantec.com if you feel you have discovered a
security issue in a Symantec product. A member of the Symantec Product
Security team will contact you regarding your submission to coordinate
any required response.
Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure@symantec.com. The Symantec Product
Security PGP key can be found at the location below.

Symantec has developed a Product Vulnerability Response document
outlining the process we follow in addressing suspected vulnerabilities
in our products. This document is available below.

Symantec Vulnerability Response Policy
Symantec Product Vulnerability Management PGP Key

Copyright (c) by Symantec Corp.
Permission to redistribute this alert electronically is granted as long
as it is not edited in any way unless authorized by Symantec Product
Security. Reprinting the whole or part of this alert in any medium
other than electronically requires permission from secure@symantec.com

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this

Symantec, Symantec products, Symantec Product Security, and
secure@symantec.com are registered trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All other
registered and unregistered trademarks represented in this document are
the sole property of their respective companies/owners.

* Signature names may have been updated to comply with an updated IPS
Signature naming convention. See
for more information.

Last modified on: September 16, 2015

CERT-Renater reference server
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
