Date: 19 June 2014
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
Security Advisories Relating to Symantec Products - Symantec Web Gateway
19 June 2014
AusCERT Security Bulletin Summary
Product: Symantec Web Gateway
Operating System: Network Appliance
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
CVE Names: CVE-2014-1652 CVE-2014-1651 CVE-2014-1650
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Advisories Relating to Symantec Products - Symantec Web Gateway
June 16, 2014
CVSS2 Impact Exploitability CVSS2 Vector
Command Injection in SNMPConfig.php - High
7.9 10 5.5 AV:A/AC:M/Au:N/C:C/I:C/A:C
SQL Injection in user.php - Medium
6.8 9.2 4.4 AV:A/AC:M/Au:S/C:C/I:C/A:N
Blind SQLi in clientreport.php - Medium
4.7 4.9 6.5 AV:A/AC:L/Au:N/C:P/I:P/A:N
Reflected XSS in multiple report parameters -Medium
4.3 4.9 5.5 AV:A/AC:M/Au:S/C:P/I:P/A:N
Symantec Web Gateway (SWG) 5.2 Appliance management console is susceptible to
security issues. Successful exploitation could result in unauthorized command
execution on or access to the management console. There is also potential for
unauthorized backend database manipulation.
Product Version Solution
Symantec Web 5.2 and prior Symantec Web Gateway 5.2.1
NOTE: Customers should always ensure they are running the latest data base
Symantec was notified of security issues impacting the SWG management console
that could result in unauthorized access to management console functionality
and the backend database. The results of successful exploitation could
potentially range from unauthorized disclosure of sensitive data to possibly
unauthorized privileged access to the Symantec Web Gateway Appliance.
Unauthenticated arbitrary commands can potentially be injected into application
scripts accessible though the SWG consoles interface. Successful command
injection could result in arbitrary command execution with elevated privileges
on the web console.
SQL injection issues were identified allowing an authenticated SWG
administrator to make unauthorized database queries. Successful targeting
could potentially result in arbitrary SQL queries to the backend database
resulting in unauthorized disclosure of privileged information and/or possibly
unauthorized manipulation of the database.
Some report pages on SWG versions 5.1.x and prior do not properly
validate/sanitize external input allowing a blind SQL injection with the
potential to run an unauthorized arbitrary SQL query vice an authorized query.
The 5.1.x version is also impacted by reflected cross-site scripting.
Successful targeting of these XSS issues could result in hijacking the SWG user
session. Both of these were fully addressed in the release of SWG 5.2 so any
customers still on a 5.1.x release should migrate to the latest release
available which is 5.2.1.
In a normal installation, the Symantec Web Gateway management interface should
not be externally accessible from the network environment. However, an
authorized but unprivileged network user or an external attacker able to
successfully leverage network access could attempt to exploit these weaknesses.
Symantec engineers confirmed that some of these issues were addressed in the
5.2 release of Symantec Web Gateway and have released an update to 5.2 to
address additional findings. Symantec engineers continue to review related
functionality to further enhance the overall security of Symantec Web
Gateway. Symantec has released Symantec Web Gateway 5.2.1, currently
available to customers through normal support locations.
Customers should ensure they are on the latest release of Symantec Web Gateway
5.2.1 and running the latest data base update. To confirm customers are running
the latest updates check the "Current Software Version -> Current Version" on
the Administration->Updates page. Alternatively, customers can click
"Check for Updates" on the Administration->Updates page to verify that they are
running the latest software version.
As part of normal best practices, Symantec strongly recommends:
Restrict access to administration or management systems to privileged users.
Disable remote access if not required or restrict it to trusted/authorized
Where possible, limit exposure of application and web interfaces to
trusted/internal networks only.
Keep all operating systems and applications updated with the latest vendor
The Symantec Web Gateway software and any applications that are installed on
the Symantec Web Gateway can ONLY be updated with authorized and tested
versions distributed by Symantec.
Follow a multi-layered approach to security. Run both firewall and anti-malware
applications, at a minimum, to provide multiple points of detection and
protection to both inbound and outbound threats.
Deploy network and host-based intrusion detection systems to monitor network
traffic for signs of anomalous or suspicious activity. This may aid in
detection of attacks or malicious activity related to exploitation of latent
Symantec thanks Brandon Perry working through HP Zero Day Initiative (ZDI) for
submitting the command injection and SQL injection for SWG 5.2. Symantec
further thanks ZDI for working with us as we address them.
Symantec thanks Min1214 of INFOSEC Inc. (http://www.skinfosec.com/en/) working
through the Korean CERT, KR-CERT, and CERT.org for reporting the blind SQL
injection and the XSS in 5.1.x
BID: Security Focus, http://www.securityfocus.com, has assigned Bugtraq IDs
(BIDs) to these issues for inclusion in the Security Focus vulnerability
CVE: These issues are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.
CVE BID Description
CVE-2013-5017 BID 67752 Cmd Injection in SNMPConfig.php
CVE-2014-1650 BID 67753 SQLi in user.php
CVE-2014-1651 BID 67754 Blind SQLi in clientreport.php
CVE-2014-1652 BID 67755 Reflected XSS in multiple report parameters
Symantec takes the security and proper functionality of our products very
seriously. As founding members of the Organization for Internet Safety
(OISafety), Symantec supports and follows responsible disclosure guidelines.
Please contact email@example.com if you feel you have discovered a security
issue in a Symantec product. A member of the Symantec Product Security team
will contact you regarding your submission to coordinate any required
response. Symantec strongly recommends using encrypted email for reporting
vulnerability information to firstname.lastname@example.org. The Symantec Product
Security PGP key can be found at the location below.
Symantec has developed a Product Vulnerability Response document outlining
the process we follow in addressing suspected vulnerabilities in our products.
This document is available below.
Symantec Vulnerability Response Policy
Symantec Product Vulnerability Management PGP Key
Copyright (c) by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Product Security.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from email@example.com
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Product Security, and firstname.lastname@example.org
are registered trademarks of Symantec Corp. and/or affiliated companies in the
United States and other countries. All other registered and unregistered
trademarks represented in this document are the sole property of their
* Signature names may have been updated to comply with an updated IPS
Signature naming convention.
for more information.
Last modified on: June 16, 2014
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----