Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0430 -- [Win][Netware][Linux]
Symantec Reporting Server: Provide Misleading Information
4 May 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Symantec AntiVirus Corporate Edition 10.1 MR7 and earlier
Symantec AntiVirus Corporate Edition 10.2 MR1 and earlier
Symantec Client Security 3.1 MR7 and earlier
Symantec Endpoint Protection 11.0 MR1 and earlier
Publisher: Symantec
Operating System: Windows
Netware
Linux variants
Impact: Provide Misleading Information
Access: Remote/Unauthenticated
CVE Names: CVE-2009-1432
Original Bulletin:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_00
- --------------------------BEGIN INCLUDED TEXT--------------------
Symantec Reporting Server Improper URL Handling Exposure
SYM09-008
April 28, 2009
Description
Revision History
None
Risk Impact
Low
Remote Access No
Local Access Yes
Authentication Required No
Exploit available No
Overview
The login web page in some versions of Symantec Reporting Server contains a
URL handling error which could potentially allow an attacker to launch a
phishing attack.
Affected Products
Product Affected Version Solution
Symantec AntiVirus Corporate Edition 10.1 MR7 and earlier Update to 10.1
MR8 or later
10.2 MR1 and earlier Update to 10.2
MR2 or later
Symantec Client Security 3.1 MR7 and earlier Update to 3.1
MR8 or later
Symantec Endpoint Protection 11.0 MR1 and earlier Update to 11.0
MR2 or later
Unaffected Products
Product Version
Norton product line all
Details
Symantec Reporting Server is a component of Symantec AntiVirus Corporate
Edition (SAV), Symantec Client Security (SCS) and Symantec Endpoint Protection
Manager (SEPM) that can be used to create reports about Symantec antivirus
products in an enterprise network.
Symantec was notified that the Reporting Server login screen contained a URL
handling error which could potentially be used to launch a phishing attack.
The error could allow a successful attacker to display a message of their
choice on the Reporting Server login screen.
Symantec Response
Symantec engineers confirmed that this exposure exists in the versions of
Reporting Server indicated in the table above. Updates have been released to
address the vulnerability.
The flaw only allows an attacker to display a message of their choice on the
Reporting Server login screen. The attacker does not gain additional access
to the Reporting Server program unless the message persuades a trusted user
to forward their login credentials to the attacker.
To set up an attack, an attacker would either need access to the Reporting
Server, or to entice a trusted user to click on a specially crafted link to
the Reporting Server. In a recommended installation, Reporting Server is
installed on the enterprise intranet, and is not visible from the internet.
Installing Reporting inside the corporate firewall greatly reduces the
opportunity for unauthorized access.
Reporting is an optional component of SAV and SCS. This exposure would affect
SAV or SCS only if the Reporting component has been installed.
Symantec is not aware of any customers impacted by this issue, or of any
attempts to exploit this issue. However, we recommend that customers update
Reporting to prevent potential attempts to exploit the vulnerability.
Mitigation
* Uninstall Reporting Server if it is not being used in SAV or SCS.
* Access to the Report Server interface should be restricted to trusted
users only
* User accounts for Reporting Server should be different than the users
network login account.
* Always manually type the address of your Reporting Server login screen
into your web browser. Do not follow a link to the login screen.
* Protect your login credentials. Never send your id and password to a
third party.
Applying the Update for Symantec AntiVirus Corporate Edition or Symantec
Client Security
Reporting is an optional component of Symantec AntiVirus Corporate Edition
and Symantec Client Security, and it can be updated (migrated) independently
of the rest of the program. For more information, please see this
knowledgebase document:
Migrating Reporting Server for Symantec Client Security 3.1 and Symantec
AntiVirus 10.1
http://entsupport.symantec.com/docs/n2007012213220048
Applying the Update for Symantec Endpoint Protection Manager
Reporting is an integral function of SEPM, and it cannot be updated
independently. For more information, please see this knowledgebase document:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008041412152348
Best Practice
* Run under the principle of least privilege where possible.
* Keep all operating systems and applications updated with the latest
vendor patches.
* Run both a personal firewall and antivirus application with current
updates to provide multiple points of detection and protection.
* Email addresses can easily be spoofed so that a message appears to come
from someone you know. If in doubt, contact the sender before opening
attachments or following web links.
Credit
Symantec would like to thank Dave Lewis of LiquidMatrix for reporting this
issue, and coordinating with us on the response.
CVE
The Symantec DeepSight analyst team has assigned BID 34668 to this issue. This
issue is a candidate for inclusion in the Common Vulnerabilities and Exposures
(CVE) list (http://cve.mitre.org), which standardizes names for security
problems. The CVE initiative has assigned CVE-2009-1432 to this issue.
Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows the principles of responsible
disclosure. Symantec also subscribes to the vulnerability disclosure
guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact secure@symantec.com if you feel you have discovered a security
issue in a Symantec product. A Symantec Product Security team member will
contact you regarding your submission. Symantec strongly recommends using
encrypted email for reporting vulnerability information to secure@symantec.com.
The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining
the process we follow in addressing suspected vulnerabilities in our products.
This document is available below.
Symantec Vulnerability Response Policy:
http://www.symantec.com/security/Symantec-Product-Vulnerability-Response.pdf
Symantec Product Vulnerability Management PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc
Copyright (c) by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Security Response.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com
Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and
secure@symantec.com are registered trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All other
registered and unregistered trademarks represented in this document are the
sole property of their respective companies/owners.
Last modified on: April 28, 2009
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJ/jfTNVH5XJJInbgRAvwbAJ9cDcIQjeBM5ek8uVfirGltR1qXZwCeKpdM
aCSvABB+qNIl4VquSiRdqek=
=ByWi
-----END PGP SIGNATURE-----