Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

               Symantec Web Gateway Multiple Security Issues
                              29 August 2012


        AusCERT Security Bulletin Summary

Product:           Symantec Messaging Gateway
Publisher:         Symantec
Operating System:  Network Appliance
                   VMWare ESX Server
Impact/Access:     Increased Privileges       -- Remote/Unauthenticated      
                   Access Privileged Data     -- Remote/Unauthenticated      
                   Modify Arbitrary Files     -- Existing Account            
                   Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3581 CVE-2012-3580 CVE-2012-3579
                   CVE-2012-0308 CVE-2012-0307 

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Advisories Relating to Symantec Products - Symantec Messaging
Gateway Security Issues


August 27, 2012



CVSS2          Impact       Exploitability   CVSS2 Vector
Base Score

Cross Site Scripting Request Forgery (CSRF) Backdoor - High
9.3            10           8.6              AV:N/AC:M/Au:N/C:C/I:C/A:C

SSH Account Default Password Elevation of Privilege - High
7.9            10           5.5              AV:A/AC:M/Au:N/C:C/I:C/A:C

Web Application Modification - High
7.7            10           5.1              AV:A/AC:L/Au:S/C:C/I:C/A:C

Cross Site Scripting (XSS) Code Execution - High
7.5            6.4          10               AV:N/AC:L/Au:N/C:P/I:P/A:P

Information Disclosure - Low
3.3            2.9          6.5              AV:A/AC:L/Au:N/C:P/I:N/A:N


   Symantec's Messaging Gateway management console is susceptible to
   several security issues including cross-site scripting/cross-site
   request forgery, an SSH account with a default password and potential
   web application modifications.   Successful exploitation could result
   in unauthorized command execution on or access to the management
   console and the operating system.

Product(s) Affected

   Product                     Version  Solution
   Symantec Messaging Gateway  9.5.x    Symantec Messaging Gateway 10.0


   Symantec was notified of several security issues impacting Symantec's
   Messaging Gateway management console.  Issues the affected versions of
   Symantec Messaging Gateway may be susceptible to include:
     * Multiple XSS issues as a result of insufficient
       validation/sanitation of external web or incoming malicious email
     * A CSRF issue that, successfully exploited, could potentially allow
       unauthorized administrative access.
     * An SSH default passworded account that could potentially be
       leveraged by an unprivileged user to attempt to gain additional
       privilege access.
     * The capability to potentially modify the underlying web application
       with elevated privileges once attacker has gained initial access to
       the Symantec Messaging Gateway management interface.
     * The affected applications disclose excessive component versioning
       information during successful reconnaissance that could potentially
       be leveraged in future unauthorized access attempts.

   In a normal installation, neither the Symantec Messaging Gateway
   appliance management interface nor the system hosting the software
   application would be externally accessible from the network environment
   nor used to access external web sites.  These restrictions reduce
   exposure to the majority of these issues from external sources.
   However, an authorized but unprivileged network user or an external
   attacker able to successfully leverage network access or entice an
   authorized user to access a malicious URL could attempt to exploit
   these issues.

Symantec Response

   Symantec engineers verified the issues and released an update to
   address them. Symantec engineers continue to review all functionality
   to further enhance the overall security of Symantec Messaging Gateway.
   Symantec strongly recommends Symantec Messaging Gateway customers
   update to the latest release of Symantec Messaging Gateway 10.0 at
   their earliest opportunity to protect from any attempts to target these
   types of issues.  Symantec knows of no exploitation of or adverse
   customer impact from this issue.

   Symantec Messaging Gateway 10.0 is currently available through normal
   update channels.

Best Practices

   As part of normal best practices, Symantec strongly recommends:
     * Restrict access to administration or management systems to
       privileged users.
     * Disable remote access if not required or restrict it to
       trusted/authorized systems only.
     * Where possible, limit exposure of application and web interfaces to
       trusted/internal networks only.
     * Keep all operating systems and applications updated with the latest
       vendor patches.
     * Follow a multi-layered approach to security. Run both firewall and
       anti-malware applications, at a minimum, to provide multiple points
       of detection and protection to both inbound and outbound threats.
     * Deploy network and host-based intrusion detection systems to
       monitor network traffic for signs of anomalous or suspicious
       activity. This may aid in detection of attacks or malicious
       activity related to exploitation of latent vulnerabilities


   Symantec credits Ben Williams with NGS Secure, [91]NCC Group  for
   reporting these issues to us and coordinating with us as we resolved

   Symantec credits Stefan Viehböck, with SEC Consult
   www.sec-consult.com for also reporting the SSH default password


   BID: Security Focus, [93]http://www.securityfocus.com, has assigned
   Bugtraq IDs (BIDs) to these issues for inclusion in the Security Focus
   vulnerability database.

   CVE: These issues are candidates for inclusion in the CVE list
   ([94]http://cve.mitre.org), which standardizes names for security

   CVE            BID        Description

   CVE-2012-0307  BID 55138  Cross-Site Scripting (XSS) issues
   CVE-2012-0308  BID 55137  Cross-Site Scripting Request Forgery (CSRF) Backdoor
   CVE-2012-3579  BID 55143  SSH Account Default Password
   CVE-2012-3580  BID 55141  Web Application Modification
   CVE-2012-3581  BID 55142  Information Disclosure

   Symantec takes the security and proper functionality of our products
   very seriously. As founding members of the Organization for Internet
   Safety (OISafety), Symantec supports and follows responsible disclosure
   Please contact secure@symantec.com if you feel you have discovered
   a security issue in a Symantec product. A member of the Symantec
   Product Security team will contact you regarding your submission to
   coordinate any required response. Symantec strongly recommends using
   encrypted email for reporting vulnerability information to
   secure@symantec.com. The Symantec Product Security PGP key can be
   found at the location below.
   Symantec has developed a Product Vulnerability Response document
   outlining the process we follow in addressing suspected vulnerabilities
   in our products. This document is available below.
   Symantec Vulnerability Response Policy
   Symantec Product Vulnerability Management PGP Key Symantec Product
   Vulnerability Management PGP Key

Copyright (c) by Symantec Corp.

   Permission to redistribute this alert electronically is granted as long
   as it is not edited in any way unless authorized by Symantec Product
   Security. Reprinting the whole or part of this alert in any medium
   other than electronically requires permission from


   The information in the advisory is believed to be accurate at the time
   of publishing based on currently available information. Use of the
   information constitutes acceptance for use in an AS IS condition. There
   are no warranties with regard to this information. Neither the author
   nor the publisher accepts any liability for any direct, indirect, or
   consequential loss or damage arising from use of, or reliance on, this
   Symantec, Symantec products, Symantec Product Security, and
   secure@symantec.com are registered trademarks of Symantec Corp.
   and/or affiliated companies in the United States and other countries.
   All other registered and unregistered trademarks represented in this
   document are the sole property of their respective companies/owners.
   * Signature names may have been updated to comply with an updated IPS
   Signature naming convention. See
   for more information.
   Last modified on: August 27, 2012

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967