Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

 Security Advisories Relating to Symantec Products - Symantec Web Gateway
                Security Management Console Multiple Issues
                             17 September 2015


        AusCERT Security Bulletin Summary

Product:           Symantec Web Gateway Appliance
Publisher:         Symantec
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-6548 CVE-2015-6547 CVE-2015-5693
                   CVE-2015-5692 CVE-2015-5691 CVE-2015-5690

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Advisories Relating to Symantec Products - Symantec Web Gateway 
Security Management Console Multiple Issues


September 16, 2015


CVSS2 Base Score	Impact		Exploitability	CVSS2 Vector

Unauthorized Redirect Bypass RCE - High
8.5			10		6.8		AV:N/AC:M/Au:S/C:C/I:C/A:C

Unauthenticated Reflected XSS in .php scripts - Medium
4.7			4.9		6.4		AV:N/AC:L/Au:M/C:P/I:P/A:N

Authenticated File Upload RCE - High
7.0			10		3.5		AV:A/AC:M/Au:M/C:C/I:C/A:C

Code Injection in Traffic Capture EoP - High
7.0			10		3.5		AV:A/AC:M/Au:M/C:C/I:C/A:C

Command Injection at Boot Time EoP - High
7.2			10		4.1		AV:A/AC:L/Au:M/C:C/I:C/A:C

Blind Time-based SQL Injection in .PHP script - Medium
4.5			6.4		3.5		AV:A/AC:M/Au:M/C:P/I:P/A:P

Symantec Web Gateway (SWG) Appliance management console is susceptible to a 
number of security vulnerabilities. Successful exploitation may result in both 
an authorized but less-privileged user or in some instances an unauthorized 
user potentially gaining access to unauthorized files on the management console
or possibility being able to manipulate elevated privileges to the management 
console and the underlying OS.

Product(s) Affected

Product					Version		Solution

Symantec Web Gateway Appliance		5.2.2 and prior	Download the Latest DB
							Update v5.0.0.1277 or 

NOTE: Customers should always ensure they are running the latest data base
updates available for download


Symantec was notified of security issues impacting the Symantec Web Gateway
(SWG) management console. The results of successful exploitation could
potentially range from a user with authorized but lower-privileged access to
the management console gaining unauthorized access to sensitive data or another 
user's account to unauthorized manipulation of the console and underlying
operating system.

Authenticated access blind time-based SQL injection issues were identified 
allowing an authenticated but less-privileged SWG user to potentially make 
unauthorized database queries.

An authorized user could potentially inject arbitrary commands though the SWG
console's hostname interface if the attacker already has some level of
privileged access.

As a result of weak authentication and sanitization of user controlled input, 
an authorized but less-privileged user could potentially upload arbitrary code
to be executed by application scripts used by the SWG management console 
potentially resulting in arbitrary command execution with application

SWG in certain cases improperly validates/sanitizes external input allowing the
potential for an authorized access redirect bypass. By manipulating a weakness
in additional functionality of the console, an authorized but less-privileged
user may be able to bypass authorization checks and inject arbitrary commands
in the appliance OS with elevated privileges.

SWG fails to properly validate/sanitize certain external input allowing the 
potential for reflected cross-site scripting attempts by both authorized but
non-privileged and in some instances unauthorized individuals who can entice a 
logged in web console user to visit a malicious site. Successful targeting of
these issues could potentially result in the hijacking of an authorized 
Symantec Web Gateway user session with associated privileges.

NOTE: In a normal installation, the Symantec Web Gateway management console
interface should never be accessible external to the authorized network. 
However, an authorized but less-privileged network user or an external attacker
able to leverage network access could attempt to exploit these weaknesses.

Symantec Response

Symantec engineers validated these submissions. A Symantec Web Gateway data 
base update, version, has been released to address them. Symantec 
Web Gateway latest data base update is currently available to customers through
normal support locations. Symantec is not aware of exploitation of or adverse
customer impact from these issues.

Customers should ensure they are on the latest release of Symantec Web Gateway
5.2.2 and running the latest data base update v5.0.0.1277 or later. To confirm
customers are running the latest updates check the 
"Current Software Version -> Current Version" on theAdministration->Updates 
page. Alternatively, customers can click the "Check for Updates" button on the
Administration->Updates page to verify that they are running the latest 
software version.

Best Practices

As part of normal best practices, Symantec strongly recommends:

Restrict access to administration or management systems to privileged users.

Disable remote access if not required or restrict it to trusted/authorized 
systems only.

Where possible, limit exposure of application and web interfaces to 
trusted/internal networks only.

Keep all operating systems and applications updated with the latest vendor 

The Symantec Web Gateway software and any applications that are installed on 
the Symantec Web Gateway can ONLY be updated with authorized and tested 
versions distributed by Symantec.

Follow a multi-layered approach to security. Run both firewall and anti-malware
applications, at a minimum, to provide multiple points of detection and
protection to both inbound and outbound threats.

Deploy network and host-based intrusion detection systems to monitor network 
traffic for signs of anomalous or suspicious activity. This may aid in
detection of attacks or malicious activity related to exploitation of latent 

Symantec thanks Jos Wetzels with LeakFree Security, as well as an anonymous 
researcher working with HP's Zero Day Initiative (ZDI). We would also like to 
thank ZDI for working with us as we resolved their findings.

Symantec thanks Daniel Jensen with Security-Assessment.com for submitting his 
findings and working with us as we resolved them.


BID: Security Focus, http://www.securityfocus.com, has assigned Bugtraq IDs 
(BIDs) to these issues for inclusion in the Security Focus vulnerability 

CVE: These issues are candidates for inclusion in the CVE list 
(http://cve.mitre.org), which standardizes names for security problems.

CVE		BID	Description
CVE-2015-5690	76725	Unauthorized Redirect Bypass RCE
CVE-2015-5691	76728	Unauthenticated Reflected XSS in .php scripts
CVE-2015-5692	76726	Authenticated File Upload RCE
CVE-2015-5693	76731	Code Injection in Traffic Capture EoP
CVE-2015-6547	76730	Command Injection at Boot Time EoP
CVE-2015-6548	76729	Blind Time-based SQL Injection in .PHP script

Symantec takes the security and proper functionality of our products very 
seriously. As founding members of the Organization for Internet Safety 
(OISafety), Symantec supports and follows responsible disclosure guidelines.

Please contact secure@symantec.com if you feel you have discovered a security 
issue in a Symantec product. A member of the Symantec Product Security team will
contact you regarding your submission to coordinate any required response. 
Symantec strongly recommends using encrypted email for reporting vulnerability 
information to secure@symantec.com. The Symantec Product Security PGP key can 
be found at the location below.

Symantec has developed a Product Vulnerability Response document outlining the
process we follow in addressing suspected vulnerabilities in our products. 
This document is available below.

Symantec Vulnerability Response Policy	
Symantec Product Vulnerability Management PGP Key	

Copyright (c) by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it 
is not edited in any way unless authorized by Symantec Product Security. 
Reprinting the whole or part of this alert in any medium other than 
electronically requires permission from secure@symantec.com

The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. Use of the information 
constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential 
loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Product Security, and 
secure@symantec.com are registered trademarks of Symantec Corp. and/or 
affiliated companies in the United States and other countries. All other
registered and unregistered trademarks represented in this document are the
sole property of their respective companies/owners.

* Signature names may have been updated to comply with an updated IPS 
Signature naming convention. See 
for more information.

Last modified on: September 16, 2015

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967