Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

 Security Advisories Relating to Symantec Products - Symantec Web Gateway
                               19 June 2014


        AusCERT Security Bulletin Summary

Product:           Symantec Web Gateway
Publisher:         Symantec
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1652 CVE-2014-1651 CVE-2014-1650

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Advisories Relating to Symantec Products - Symantec Web Gateway 

Security Issues


June 16, 2014




CVSS2		Impact	Exploitability	CVSS2 Vector
Base Score
Command Injection in SNMPConfig.php - High

7.9		10	5.5		AV:A/AC:M/Au:N/C:C/I:C/A:C

SQL Injection in user.php  - Medium

6.8		9.2	4.4		AV:A/AC:M/Au:S/C:C/I:C/A:N

Blind SQLi in clientreport.php - Medium

4.7		4.9	6.5		AV:A/AC:L/Au:N/C:P/I:P/A:N

Reflected XSS in multiple report parameters -Medium

4.3		4.9	5.5		AV:A/AC:M/Au:S/C:P/I:P/A:N


Symantec Web Gateway (SWG) 5.2 Appliance management console is susceptible to 
security issues.  Successful exploitation could result in unauthorized command 
execution on or access to the management console.  There is also potential for
unauthorized backend database manipulation. 

Product(s) Affected

Product			Version		Solution

Symantec Web 		5.2 and prior	Symantec Web Gateway 5.2.1
Gateway Appliance
NOTE:  Customers should always ensure they are running the latest data base 
updates available


Symantec was notified of security issues impacting the SWG management console 
that could result in unauthorized access to management console functionality 
and the backend database. The results of successful exploitation could 
potentially range from unauthorized disclosure of sensitive data to possibly 
unauthorized privileged access to the Symantec Web Gateway Appliance.

Unauthenticated arbitrary commands can potentially be injected into application
scripts accessible though the SWG consoles interface.  Successful command 
injection could result in arbitrary command execution with elevated privileges
on the web console. 

SQL injection issues were identified allowing an authenticated SWG 
administrator to make unauthorized database queries.  Successful targeting
could potentially result in arbitrary SQL queries to the backend database 
resulting in unauthorized disclosure of privileged information and/or possibly
unauthorized manipulation of the database.

Some report pages on SWG versions 5.1.x and prior do not properly 
validate/sanitize external input allowing a blind SQL injection with the 
potential to run an unauthorized arbitrary SQL query vice an authorized query.
The 5.1.x version is also impacted by reflected cross-site scripting.  

Successful targeting of these XSS issues could result in hijacking the SWG user
session. Both of these were fully addressed in the release of SWG 5.2 so any 
customers still on a 5.1.x release should migrate to the latest release 
available which is 5.2.1.

In a normal installation, the Symantec Web Gateway management interface should 
not be externally accessible from the network environment.  However, an 
authorized but unprivileged network user or an external attacker able to 
successfully leverage network access could attempt to exploit these weaknesses.

Symantec Response

Symantec engineers confirmed that some of these issues were addressed in the
5.2 release of Symantec Web Gateway and have released an update to 5.2 to
address additional findings. Symantec engineers continue to review related 
functionality to further enhance the overall security of Symantec Web 
Gateway. Symantec has released Symantec Web Gateway 5.2.1, currently 
available to customers through normal support locations.

Customers should ensure they are on the latest release of Symantec Web Gateway 
5.2.1 and running the latest data base update. To confirm customers are running
the latest updates check the "Current Software Version -> Current Version" on 
the Administration->Updates page.  Alternatively, customers can click 
"Check for Updates" on the Administration->Updates page to verify that they are
running the latest software version.

Best Practices

As part of normal best practices, Symantec strongly recommends:

Restrict access to administration or management systems to privileged users.

Disable remote access if not required or restrict it to trusted/authorized 
systems only.

Where possible, limit exposure of application and web interfaces to 
trusted/internal networks only.

Keep all operating systems and applications updated with the latest vendor 

The Symantec Web Gateway software and any applications that are installed on 
the Symantec Web Gateway can ONLY be updated with authorized and tested 
versions distributed by Symantec.

Follow a multi-layered approach to security. Run both firewall and anti-malware
applications, at a minimum, to provide multiple points of detection and 
protection to both inbound and outbound threats.

Deploy network and host-based intrusion detection systems to monitor network 
traffic for signs of anomalous or suspicious activity. This may aid in
detection of attacks or malicious activity related to exploitation of latent 


Symantec thanks Brandon Perry working through HP Zero Day Initiative (ZDI) for 
submitting the command injection and SQL injection for SWG 5.2.  Symantec 
further thanks ZDI for working with us as we address them.

Symantec thanks Min1214 of INFOSEC Inc. (http://www.skinfosec.com/en/) working 
through the Korean CERT, KR-CERT, and CERT.org for reporting the blind SQL 
injection and the XSS in 5.1.x


BID: Security Focus, http://www.securityfocus.com, has assigned Bugtraq IDs 
(BIDs) to these issues for inclusion in the Security Focus vulnerability 

CVE: These issues are candidates for inclusion in the CVE list 
(http://cve.mitre.org), which standardizes names for security problems. 

CVE		BID		Description

CVE-2013-5017	BID 67752	Cmd Injection in SNMPConfig.php

CVE-2014-1650	BID 67753	SQLi in user.php

CVE-2014-1651	BID 67754	Blind SQLi in clientreport.php

CVE-2014-1652	BID 67755	Reflected XSS in multiple report parameters

Symantec takes the security and proper functionality of our products very 
seriously. As founding members of the Organization for Internet Safety 
(OISafety), Symantec supports and follows responsible disclosure guidelines.

Please contact secure@symantec.com if you feel you have discovered a security 
issue in a Symantec product. A member of the Symantec Product Security team 
will contact you regarding your submission to coordinate any required 
response. Symantec strongly recommends using encrypted email for reporting 
vulnerability information to secure@symantec.com. The Symantec Product 
Security PGP key can be found at the location below.

Symantec has developed a Product Vulnerability Response document outlining 
the process we follow in addressing suspected vulnerabilities in our products.
This document is available below.

Symantec Vulnerability Response Policy	

Symantec Product Vulnerability Management PGP Key

Copyright (c) by Symantec Corp.

Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Product Security.
Reprinting the whole or part of this alert in any medium other than 
electronically requires permission from secure@symantec.com


The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. Use of the information 
constitutes acceptance for use in an AS IS condition. There are no warranties 
with regard to this information. Neither the author nor the publisher accepts 
any liability for any direct, indirect, or consequential loss or damage 
arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Product Security, and secure@symantec.com
are registered trademarks of Symantec Corp. and/or affiliated companies in the
United States and other countries. All other registered and unregistered 
trademarks represented in this document are the sole property of their 
respective companies/owners.

* Signature names may have been updated to comply with an updated IPS 
Signature naming convention. 
See http://www.symantec.com/business/support/index?page=content&id=TECH152794&key=54619&actp=LIST 
for more information.

Last modified on: June 16, 2014

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967