Date: 21 May 2012
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
Symantec Web Gateway Multiple Security Issues
21 May 2012
AusCERT Security Bulletin Summary
Product: Symantec Web Gateway
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Delete Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
CVE Names: CVE-2012-0299 CVE-2012-0298 CVE-2012-0297
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Advisories Relating to Symantec Products - Symantec Web Gateway
Multiple Security Issues
May 17, 2012
CVSS2 Impact Exploitability CVSS2 Vector
Command injection code execution - High
8.33 10.0 6.45 AV:A/AC:L/Au:N/C:C/I:C/A:C
File include/command execution - High
7.77 9.2 4.65 AV:A/AC:L/Au:N/C:C/I:C/A:N
File download/deletion- Medium
6.1 6.9 6.5 AV:A/AC:L/Au:N/C:N/I:N/A:C
Cross-site scripting - Medium
4.33 4.93 5.54 AV:A/AC:M/Au:N/C:P/I:P/A:N
Symantec's Web Gateway management GUI is susceptible to file include command
injection/execution, file upload/execution and file download/deletion security
issues. The management GUI is also susceptible to cross-site scripting (XSS).
Successful exploitation could result in execution of arbitrary code in the
context of the application, denial of service through deletion of arbitrary
system files, and unauthorized access to users' data or to unauthorized
Product Version Solution
Symantec Web Gateway 5.0.x Symantec Web Gateway 5.0.3
Symantec was notified of multiple security issues impacting the management
console of the Symantec Web Gateway Appliance. The management interface does
not properly authenticate or filter external input. This could allow
unauthorized access to users session or network information. As a result of
weak authentication and sanitization of user controlled input, arbitrary code
could potentially be injected/included in application scripts used by the
Symantec Web Gateway application potentially resulting in arbitrary command
execution with application privileges.
Additionally, file management scripts in the Symantec Web Gateway interface do
not properly filter user input, potentially resulting in an unauthenticated,
unprivileged user downloading and deleting arbitrary files including essential
operational files. This could render the targeted system unavailable or
unusable depending on the success of such an attempt and files targeted. An
unauthenticated, unprivileged user could also upload arbitrary code through the
abuse of management scripts. A malicious user could be able to control the
file name and location which could potentially result in arbitrary command
execution with elevated privileges.
Cross-site scripting vulnerabilities were also reported in the Symantec Web
Gateway Management Interface. Cross-site scripting is a trust exploitation
generally requiring enticing a authenticated user to click on a malicious link.
A successful exploitation, depending on the nature of the link, could
potentially result in arbitrary java/html requests and scripts executed in the
context of the targeted user.
In a normal installation, the Symantec Web Gateway management interface should
not be accessible external to the network. However, an authorized but
unprivileged network user or an external attacker able to leverage network
access could attempt to exploit these weaknesses.
Symantec engineers verified these issues and have released an update to address
them. Symantec engineers reviewed related functionality to further enhance the
overall security of Symantec Web Gateway. Symantec has released Symantec Web
Gateway 5.0.3, currently available to customers through normal update channels.
Symantec is not aware of any exploitation of, or adverse customer impact from
As part of normal best practices, Symantec strongly recommends:
* Restrict access to administration or management systems to privileged users.
* Disable remote access or restrict it to trusted/authorized systems only.
* Keep all operating systems and applications updated with the latest vendor
* Follow a multi-layered approach to security. Run both firewall and
anti-malware applications, at a minimum, to provide multiple points of
detection and protection to both inbound and outbound threats.
* Deploy network and host-based intrusion detection systems to monitor network
traffic for signs of anomalous or suspicious activity. This may aid in
detection of attacks or malicious activity related to exploitation of latent
Symantec credits Tenable Network Security working through TippingPoints ZeroDay
Initiative for reporting file include, command injection/execution and file
download/deletion and upload/execution issues.
Symantec credits an anonymous contributor working with Beyond Security's
SecuriTeam Secure Disclosure project (http://www.beyondsecurity.com/ssd.html
for reporting file include, command injection/execution; file download/deletion
and upload/execution issues.
Symantec credits Ajay Pal Singh Atwal and an anonymous finder for reporting the
cross-site scripting issues.
BID: Security Focus, http://www.securityfocus.com, has assigned the following
Bugtraq IDs (BID) to these issues for inclusion in the Security Focus
BID 53444 to the file include/command execution issues
BID 53442 to the file download/deletion issues
BID 53443 to the file upload/OS command execution issue
BID 53396 to the XSS issues
CVE: These issues are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems. The
following CVE IDs have been assigned.
CVE-2012-0297 to the file include/command execution issues
CVE-2012-0298 to the file download/deletion issues
CVE-2012-0299 to the file upload/OS command execution issues
CVE-2012-0296 to the XSS issues
Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows responsible disclosure guidelines.
Please contact firstname.lastname@example.org if you feel you have discovered a security
issue in a Symantec product. A member of the Symantec Product Security team
will contact you regarding your submission to coordinate any required response.
Symantec strongly recommends using encrypted email for reporting vulnerability
information to email@example.com. The Symantec Product Security PGP key can
be found at the location below.
Symantec has developed a Product Vulnerability Response document outlining the
process we follow in addressing suspected vulnerabilities in our products. This
document is available below. Symantec Vulnerability Response Policy Symantec
Product Vulnerability Management PGP Key
Copyright (c) 2012 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Product Security.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from firstname.lastname@example.org
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage arising
from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Product Security, and email@example.com
are registered trademarks of Symantec Corp. and/or affiliated companies in the
United States and other countries. All other registered and unregistered
trademarks represented in this document are the sole property of their
* Signature names may have been updated to comply with an updated IPS Signature
naming convention. See http://www.symantec.com/business/support/index?page=content&id=TECH152794&key=54619&actp=LIST for more information.
Last modified on: May 17, 2012
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----