Multiple Holes in Symantec Web Gateway 5.2

Friday, June 20, 2014 @ 06:06 PM gHale


There are security issues in version 5.2 of Symantec Web Gateway (SWG) Appliance management console, which could lead to unauthorized privileged access to databases and hijacking of the user session.

The SQL injection vulnerability is in the hostname parameter of the clientreport.php page; and it was possible because of improper neutralization of special elements used in a SQL command.

RELATED STORIES
Cisco Clears Up XSS Vulnerability
New Exploit Kit Delivering Ransomware
Cisco Fixes WebEx Vulnerabilities
SCADA Hack Uncovered

The exploitable XSS flaw, present because of improper neutralization of input during web page generation, is in the filter_date_period, variable and operator parameters of the following pages: /spywall/entSummary.php, /spywall/custom_report.php, /spywall/host_spy_report.php, and /spywall/repairedclients.php.

Versions earlier than 5.2 also suffer from the issue and protection against blind SQL injection and reflected cross-site scripting can occur by updating the appliance to the newly released build, namely 5.2.1.

Running versions of the appliance vulnerable to the SQL injection could allow a potential attacker access to the management console, as well as the possibility to execute unauthorized commands. Moreover, successful exploitation of the issue could lead to unauthorized database modification.

In the case of the reflected cross-site-scripting problem, Symantec said exploitation could result in hijacking the Symantec Web Gateway (SWG) user session.

The company said normal installation of SWG does not provide access to the management interface from the network environment. “However, an authorized but unprivileged network user or an external attacker able to successfully leverage network access could attempt to exploit these weaknesses,” the Symantec said in a blog post.

Clients should make sure they’re running the latest version of the product in order to eliminate the risks.

“To confirm customers are running the latest updates check the ‘Current Software Version -> Current Version’ on the Administration->Updates page. Alternatively, customers can click ‘Check for Updates’ on the Administration->Updates page to verify that they are running the latest software version,” Symantec said.

Symantec Web Gateway is a solution to protect organizations against malicious code by relying on Insight reputation based malware filtering technology.

Some of the best practices designed to minimize the risk of unauthorized activity include limiting remote access to authorized systems only, or, if not necessary, disabling it completely.

Access to web interfaces should end up restricted to trusted networks and host-based intrusion detection systems should be set to check the network traffic for any suspicious activity.

Symantec credited Brandon Perry working through HP Zero Day Initiative (ZDI) for discovering the command injection and SQL injection for SWG 5.2., and Min1214 of INFOSEC Inc. for reporting the blind SQL injection and the XSS in 5.1.x.



Leave a Reply

You must be logged in to post a comment.