what you don't know can hurt you

Symantec Messaging Gateway 9.5.x Support Backdoor

Symantec Messaging Gateway 9.5.x Support Backdoor
Posted Aug 30, 2012
Authored by Stefan Viehbock | Site sec-consult.com

Symantec Messaging Gateway version 9.5.x suffers from a vendor-supplied backdoor vulnerability. By default the 'support' user is enabled and uses an insecure password. This user is not visible in the web interface and therefore cannot be disabled. As the appliance provides a SSH daemon on all interfaces, this account can be used to gain remote shell access on the device.

tags | advisory, remote, web, shell
MD5 | 2abb36076a2b7977e7a2ddc3ed3ed632

Symantec Messaging Gateway 9.5.x Support Backdoor

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20120829-0 >
=======================================================================
title: Support Backdoor
product: Symantec Messaging Gateway
vulnerable version: 9.5.x
fixed version: 10.0
CVE number: CVE-2012-3579
impact: Critical
homepage: http://www.symantec.com
found: 2012-06-26
by: S. Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
"Symantec Messaging Gateway powered by Brightmail, delivers inbound and outbound
messaging security, with effective and accurate real-time antispam and antivirus
protection, advanced content filtering, data loss prevention, and email
encryption. Messaging Gateway is simple to administer and catches more than 99%
of spam with less than one in a million false positives. Defend your email
perimeter, and quickly respond to new messaging threats with this market leading
messaging security solution."

URL: http://www.symantec.com/messaging-gateway


Vulnerability overview/description:
-----------------------------------
By default the 'support' user is enabled and uses an insecure password. This
user is not visible in the web interface and therefore cannot be disabled.
As the appliance provides a SSH daemon on all interfaces, this account can be
used to gain remote shell access on the device.


Proof of concept:
-----------------
Connect to the appliance via SSH with the following credentials:
support:*removed*


Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the Symantec Mail Gateway version
9.5.4-4, which was the most recent version at the time of discovery.


Vendor contact timeline:
------------------------
2012-07-11: Contacting vendor through secure@symantec.com
2012-07-11: Vendor response - will forward it to product team for validation
2012-07-25: Update to SMG is being finalized, release date will be coordinated
2012-08-27: Vendor releases advisory and new version.
2012-08-29: SEC Consult releases security advisory



Solution:
---------
Update to the latest release of Symantec Messaging Gateway 10.0.

More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00


Workaround:
-----------
Restrict SSH access to the Symantec Mail Gateway or change the password of
the 'support' user.


Advisory URL:
--------------
https://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com


EOF S. Viehböck / @2012

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    11 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    17 Files
  • 22
    Aug 22nd
    9 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close