Symantec Shuts Gateway Back Door

Tuesday, July 30, 2013 @ 06:07 PM gHale


Symantec fixed critical holes in its Web Gateway appliances, including a backdoor that permitted remote code execution on targeted systems.

The flaws created a means to execute code with root privileges – or the ability to take over a vulnerable appliance. Security researchers at Austrian firm SEC Consult found the flaws during a crash test.


In an advisory note, SEC Consult Vulnerability Lab warns the flaws posed a huge spying risk to corporate users of Symantec’s technology, which should prevent malware and other threats from getting inside corporate networks.

Several of the discovered vulnerabilities can be chained together in order to run arbitrary commands with the privileges of the “root” user on the appliance, SEC Consult said.

An attacker can get unauthorized access to the appliance and plant backdoors or access configuration files containing credentials for other systems (e.g. Active Directory/LDAP credentials), which can then be used for further attacks. Since all web traffic passes through the appliance, interception of HTTP as well as the plaintext form of HTTPS traffic (if SSL Deep Inspection is in use), including sensitive information like passwords and session cookies, is possible, the company said.

If SSL Deep Inspection is enabled, the appliance holds the private key for a Certificate Authority (CA) certificate that is installed and trusted on all workstations in the company, SEC Consult said. If an attacker compromises this private key, arbitrary certificates are only a signature away.

SEC Consult identified six vulnerabilities in the technology, including cross-site scripting, OS command injection, security misconfiguration, SQL injection and cross-site request forgery flaws.

Symantec learned about the flaws on February 22 but published a security bulletin July 25. Sysadmins should update to Symantec Web Gateway version 5.1.1.

Symantec said the update was available to customers either directly or through its channel partners.

“Symantec learned of potential security issues impacting the Symantec Web Gateway security appliance and has released an update to address them,” company officials said. “Symantec Web Gateway 5.1.1, which fully addresses these issues, is currently available to customers through normal support locations. We encourage customers to ensure they are on the latest release of Symantec Web Gateway.”



One Response to “Symantec Shuts Gateway Back Door”

  1. […] has recently patched critical flaws in their Web Gateway appliances that allowed for remote code execution. […]


Leave a Reply

You must be logged in to post a comment.