Information Note No. 2015/VULN197
DATE : 18/09/2015
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Symantec Web Gateway version up to
and including 5.2.2.
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2015&suid=20150916_00
Security Advisories Relating to Symantec Products -
September 16, 2015
Vulnerability                                  Severity  CVSS2 Base Score  Impact  Exploitability  CVSS2 Vector
Unauthorized Redirect Bypass RCE               High      8.5               10      6.8             AV:N/AC:M/Au:S/C:C/I:C/A:C
Unauthenticated Reflected XSS in .php scripts  Medium    4.7               4.9     6.4             AV:N/AC:L/Au:M/C:P/I:P/A:N
Authenticated File Upload RCE                  High      7.0               10      3.5             AV:A/AC:M/Au:M/C:C/I:C/A:C
Code Injection in Traffic Capture EoP          High      7.0               10      3.5             AV:A/AC:M/Au:M/C:C/I:C/A:C
Command Injection at Boot Time EoP             High      7.2               10      4.1             AV:A/AC:L/Au:M/C:C/I:C/A:C
Blind Time-based SQL Injection in .PHP script  Medium    4.5               6.4     3.5             AV:A/AC:M/Au:M/C:P/I:P/A:P
The Symantec Web Gateway (SWG) Appliance management console is
susceptible to a number of security vulnerabilities. Successful
exploitation may result in either an authorized but less-privileged
user or, in some instances, an unauthorized user potentially gaining
access to unauthorized files on the management console, or possibly
being able to manipulate elevated privileges to the management console
and the
Product                         Version          Solution
Symantec Web Gateway Appliance  5.2.2 and prior  Download the Latest DB Update
                                                 v22.214.171.1247 or later
NOTE: Customers should always ensure they are running the latest
database updates available for download
Symantec was notified of security issues impacting the Symantec Web
Gateway (SWG) management console. The results of successful
exploitation could potentially range from a user with authorized but
lower-privileged access to the management console gaining unauthorized
access to sensitive data or another user's account to unauthorized
manipulation of the console and underlying operating system.
Authenticated-access blind time-based SQL injection issues were
identified, allowing an authenticated but less-privileged SWG user to
potentially make unauthorized database queries.
An authorized user could potentially inject arbitrary commands through
the SWG console's hostname interface if the attacker already has some
level of privileged access.
As a result of weak authentication and sanitization of user-controlled
input, an authorized but less-privileged user could potentially upload
arbitrary code to be executed by application scripts used by the SWG
management console, potentially resulting in arbitrary command
execution with application privileges.
In certain cases SWG improperly validates/sanitizes external input,
allowing the potential for an authorized-access redirect bypass. By
manipulating a weakness in additional functionality of the console, an
authorized but less-privileged user may be able to bypass authorization
checks and inject arbitrary commands in the appliance OS with elevated
SWG fails to properly validate/sanitize certain external input,
allowing the potential for reflected cross-site scripting attempts by
both authorized but non-privileged and, in some instances, unauthorized
individuals who can entice a logged-in web console user to visit a
malicious site. Successful targeting of these issues could potentially
result in the hijacking of an authorized Symantec Web Gateway user
session with its associated privileges.
NOTE: In a normal installation, the Symantec Web Gateway management
console interface should never be accessible external to the authorized
network. However, an authorized but less-privileged network user or an
external attacker able to leverage network access could attempt to
exploit these weaknesses.
Symantec engineers validated these submissions. A Symantec Web Gateway
database update, version 126.96.36.1997, has been released to address
them. The latest Symantec Web Gateway database update is currently
available to customers through normal support locations. Symantec is
not aware of exploitation of or adverse customer impact from these
Customers should ensure they are on the latest release of Symantec Web
Gateway 5.2.2 and running the latest database update v188.8.131.527 or
later. To confirm they are running the latest updates, customers should
check "Current Software Version -> Current Version" on the
Administration->Updates page. Alternatively, customers can click the
"Check for Updates" button on the Administration->Updates page to
verify that they are running the latest software version.
As part of normal best practices, Symantec strongly recommends:
- Restrict access to administration or management systems to privileged
- Disable remote access if not required or restrict it to
  trusted/authorized systems only.
- Where possible, limit exposure of application and web interfaces to
  trusted/internal networks only.
- Keep all operating systems and applications updated with the latest
  The Symantec Web Gateway software and any applications that are
  installed on the Symantec Web Gateway can ONLY be updated with
  authorized and tested versions distributed by Symantec.
- Follow a multi-layered approach to security. Run both firewall and
  anti-malware applications, at a minimum, to provide multiple points of
  detection and protection to both inbound and outbound threats.
- Deploy network and host-based intrusion detection systems to monitor
  network traffic for signs of anomalous or suspicious activity. This may
  aid in detection of attacks or malicious activity related to
  exploitation of latent vulnerabilities.
Symantec thanks Jos Wetzels with LeakFree Security, as well as an
anonymous researcher working with HP's Zero Day Initiative (ZDI). We
would also like to thank ZDI for working with us as we resolved their
Symantec thanks Daniel Jensen with Security-Assessment.com for
submitting his findings and working with us as we resolved them.
BID: Security Focus, http://www.securityfocus.com, has assigned Bugtraq
IDs (BIDs) to these issues for inclusion in the Security Focus
CVE: These issues are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.
CVE            BID    Description
CVE-2015-5690  76725  Unauthorized Redirect Bypass RCE
CVE-2015-5691  76728  Unauthenticated Reflected XSS in .php scripts
CVE-2015-5692  76726  Authenticated File Upload RCE
CVE-2015-5693  76731  Code Injection in Traffic Capture EoP
CVE-2015-6547  76730  Command Injection at Boot Time EoP
CVE-2015-6548  76729  Blind Time-based SQL Injection in .PHP script
Symantec takes the security and proper functionality of our products
very seriously. As founding members of the Organization for Internet
Safety (OISafety), Symantec supports and follows responsible disclosure
Please contact firstname.lastname@example.org if you feel you have discovered a
security issue in a Symantec product. A member of the Symantec Product
Security team will contact you regarding your submission to coordinate
any required response.
Symantec strongly recommends using encrypted email for reporting
vulnerability information to email@example.com. The Symantec Product
Security PGP key can be found at the location below.
Symantec has developed a Product Vulnerability Response document
outlining the process we follow in addressing suspected vulnerabilities
in our products. This document is available below.
Symantec Vulnerability Response Policy
Symantec Product Vulnerability Management PGP Key
Copyright (c) by Symantec Corp.
Permission to redistribute this alert electronically is granted as long
as it is not edited in any way unless authorized by Symantec Product
Security. Reprinting the whole or part of this alert in any medium
other than electronically requires permission from firstname.lastname@example.org
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
Symantec, Symantec products, Symantec Product Security, and
email@example.com are registered trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All other
registered and unregistered trademarks represented in this document are
the sole property of their respective companies/owners.
* Signature names may have been updated to comply with an updated IPS
Signature naming convention. See
for more information.
Last modified on: September 16, 2015
CERT-Renater reference server
+ CERT-RENATER | tel : 01-53-94-20-44 +
+ 23 - 25 Rue Daviel | fax : 01-53-94-20-41 +
+ 75013 Paris | email: firstname.lastname@example.org +