Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.2435
Security Advisories Relating to Symantec Products - Symantec Web Gateway
Security Management Console Multiple Issues
17 September 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Symantec Web Gateway Appliance
Publisher: Symantec
Operating System: Network Appliance
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2015-6548 CVE-2015-6547 CVE-2015-5693
CVE-2015-5692 CVE-2015-5691 CVE-2015-5690
Original Bulletin:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2015&suid=20150916_00
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Advisories Relating to Symantec Products - Symantec Web Gateway
Security Management Console Multiple Issues
SYM15-009
September 16, 2015
Revisions
None
Severity
CVSS2 Base Score Impact Exploitability CVSS2 Vector
Unauthorized Redirect Bypass RCE - High
8.5 10 6.8 AV:N/AC:M/Au:S/C:C/I:C/A:C
Unauthenticated Reflected XSS in .php scripts - Medium
4.7 4.9 6.4 AV:N/AC:L/Au:M/C:P/I:P/A:N
Authenticated File Upload RCE - High
7.0 10 3.5 AV:A/AC:M/Au:M/C:C/I:C/A:C
Code Injection in Traffic Capture EoP - High
7.0 10 3.5 AV:A/AC:M/Au:M/C:C/I:C/A:C
Command Injection at Boot Time EoP - High
7.2 10 4.1 AV:A/AC:L/Au:M/C:C/I:C/A:C
Blind Time-based SQL Injection in .PHP script - Medium
4.5 6.4 3.5 AV:A/AC:M/Au:M/C:P/I:P/A:P
Overview
Symantec Web Gateway (SWG) Appliance management console is susceptible to a
number of security vulnerabilities. Successful exploitation may result in both
an authorized but less-privileged user or in some instances an unauthorized
user potentially gaining access to unauthorized files on the management console
or possibility being able to manipulate elevated privileges to the management
console and the underlying OS.
Product(s) Affected
Product Version Solution
Symantec Web Gateway Appliance 5.2.2 and prior Download the Latest DB
Update v5.0.0.1277 or
later
NOTE: Customers should always ensure they are running the latest data base
updates available for download
Details
Symantec was notified of security issues impacting the Symantec Web Gateway
(SWG) management console. The results of successful exploitation could
potentially range from a user with authorized but lower-privileged access to
the management console gaining unauthorized access to sensitive data or another
user's account to unauthorized manipulation of the console and underlying
operating system.
Authenticated access blind time-based SQL injection issues were identified
allowing an authenticated but less-privileged SWG user to potentially make
unauthorized database queries.
An authorized user could potentially inject arbitrary commands though the SWG
console's hostname interface if the attacker already has some level of
privileged access.
As a result of weak authentication and sanitization of user controlled input,
an authorized but less-privileged user could potentially upload arbitrary code
to be executed by application scripts used by the SWG management console
potentially resulting in arbitrary command execution with application
privileges.
SWG in certain cases improperly validates/sanitizes external input allowing the
potential for an authorized access redirect bypass. By manipulating a weakness
in additional functionality of the console, an authorized but less-privileged
user may be able to bypass authorization checks and inject arbitrary commands
in the appliance OS with elevated privileges.
SWG fails to properly validate/sanitize certain external input allowing the
potential for reflected cross-site scripting attempts by both authorized but
non-privileged and in some instances unauthorized individuals who can entice a
logged in web console user to visit a malicious site. Successful targeting of
these issues could potentially result in the hijacking of an authorized
Symantec Web Gateway user session with associated privileges.
NOTE: In a normal installation, the Symantec Web Gateway management console
interface should never be accessible external to the authorized network.
However, an authorized but less-privileged network user or an external attacker
able to leverage network access could attempt to exploit these weaknesses.
Symantec Response
Symantec engineers validated these submissions. A Symantec Web Gateway data
base update, version 5.0.0.1277, has been released to address them. Symantec
Web Gateway latest data base update is currently available to customers through
normal support locations. Symantec is not aware of exploitation of or adverse
customer impact from these issues.
Customers should ensure they are on the latest release of Symantec Web Gateway
5.2.2 and running the latest data base update v5.0.0.1277 or later. To confirm
customers are running the latest updates check the
"Current Software Version -> Current Version" on theAdministration->Updates
page. Alternatively, customers can click the "Check for Updates" button on the
Administration->Updates page to verify that they are running the latest
software version.
Best Practices
As part of normal best practices, Symantec strongly recommends:
Restrict access to administration or management systems to privileged users.
Disable remote access if not required or restrict it to trusted/authorized
systems only.
Where possible, limit exposure of application and web interfaces to
trusted/internal networks only.
Keep all operating systems and applications updated with the latest vendor
patches.
The Symantec Web Gateway software and any applications that are installed on
the Symantec Web Gateway can ONLY be updated with authorized and tested
versions distributed by Symantec.
Follow a multi-layered approach to security. Run both firewall and anti-malware
applications, at a minimum, to provide multiple points of detection and
protection to both inbound and outbound threats.
Deploy network and host-based intrusion detection systems to monitor network
traffic for signs of anomalous or suspicious activity. This may aid in
detection of attacks or malicious activity related to exploitation of latent
vulnerabilities
Credit
Symantec thanks Jos Wetzels with LeakFree Security, as well as an anonymous
researcher working with HP's Zero Day Initiative (ZDI). We would also like to
thank ZDI for working with us as we resolved their findings.
Symantec thanks Daniel Jensen with Security-Assessment.com for submitting his
findings and working with us as we resolved them.
References
BID: Security Focus, http://www.securityfocus.com, has assigned Bugtraq IDs
(BIDs) to these issues for inclusion in the Security Focus vulnerability
database.
CVE: These issues are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.
CVE BID Description
CVE-2015-5690 76725 Unauthorized Redirect Bypass RCE
CVE-2015-5691 76728 Unauthenticated Reflected XSS in .php scripts
CVE-2015-5692 76726 Authenticated File Upload RCE
CVE-2015-5693 76731 Code Injection in Traffic Capture EoP
CVE-2015-6547 76730 Command Injection at Boot Time EoP
CVE-2015-6548 76729 Blind Time-based SQL Injection in .PHP script
Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows responsible disclosure guidelines.
Please contact secure@symantec.com if you feel you have discovered a security
issue in a Symantec product. A member of the Symantec Product Security team will
contact you regarding your submission to coordinate any required response.
Symantec strongly recommends using encrypted email for reporting vulnerability
information to secure@symantec.com. The Symantec Product Security PGP key can
be found at the location below.
Symantec has developed a Product Vulnerability Response document outlining the
process we follow in addressing suspected vulnerabilities in our products.
This document is available below.
Symantec Vulnerability Response Policy
Symantec Product Vulnerability Management PGP Key
Copyright (c) by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Product Security.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from secure@symantec.com
Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Product Security, and
secure@symantec.com are registered trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All other
registered and unregistered trademarks represented in this document are the
sole property of their respective companies/owners.
* Signature names may have been updated to comply with an updated IPS
Signature naming convention. See
http://www.symantec.com/business/support/index?page=content&id=TECH152794&key=54619&actp=LIST
for more information.
Last modified on: September 16, 2015
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVfo7MH6ZAP0PgtI9AQIWHw//V2rT7WKbt2yaZ7Dt5uYXwy1igwdZb3gK
PqxyN/pSey6SLsOYJiy+H/Loekoj5DiuVaiRo+HNTUnuUqdpPljAObkVV8xkkmlO
KGUoZwfKzEBtzCSqxupYycI1RLPlLds57a3xm2d5E107Uu6HP2bmaVj1KmjqjIDc
smmfqOcC2SRV3/G4a6NJeIiQTH7vSl8FRwL4LQKObra3Hfg4VOopQokUc6Ts2su0
y0zuLhA1PUUsZ9sNppRhR7Mm/cmqrAZvdEHEKl0Ai38o1msG9+IRIFLdFN5Fjybl
fISItJL/e4nQ4ta8YCIqUlgvUO6fNwHNb4gMciT51ERe4h78pYgCEmAe3XrGZFPb
cE51qMjmteafAxRIxlpoyQksX06mde4p22JdoYWzN2cEGIJ71iU5iW7/aEgQsq0H
a8P0F11ihcLgKW9cOcasdZrAlrXDQNMSZDVdBW11AoK02vKeb0FV0kQI+I140lKq
Wo9KsK0IU9yN4p0NvbS6rBbo637WmDaAQ2mcmeWgPitwmLTv1TWuUJffVD4J4uve
3GOQRD2apHj+aASdDFS6buni4hdM1UUWZaLX3k0QjocRJ3W1ldrZnkmodkwhEN0o
PfMXEf4VviIIeBaYBPHHGNwLT4mEgLFuiG0j+eUdaNY5yLnqgG+xZ1HC0fuZy/Ht
QLhEuAtXS5E=
=tMaV
-----END PGP SIGNATURE-----