Symantec Messaging Gateway version 9.5.x suffers from a vendor-supplied backdoor vulnerability. By default the 'support' user is enabled and uses an insecure password. This user is not visible in the web interface and therefore cannot be disabled. As the appliance provides a SSH daemon on all interfaces, this account can be used to gain remote shell access on the device.
d327098479a9098d90ac2ea33a247a5c26c17c8e26b8959dee707097e490d059
SEC Consult Vulnerability Lab Security Advisory < 20120829-0 >
=======================================================================
title: Support Backdoor
product: Symantec Messaging Gateway
vulnerable version: 9.5.x
fixed version: 10.0
CVE number: CVE-2012-3579
impact: Critical
homepage: http://www.symantec.com
found: 2012-06-26
by: S. Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor/product description:
-----------------------------
"Symantec Messaging Gateway powered by Brightmail, delivers inbound and outbound
messaging security, with effective and accurate real-time antispam and antivirus
protection, advanced content filtering, data loss prevention, and email
encryption. Messaging Gateway is simple to administer and catches more than 99%
of spam with less than one in a million false positives. Defend your email
perimeter, and quickly respond to new messaging threats with this market leading
messaging security solution."
URL: http://www.symantec.com/messaging-gateway
Vulnerability overview/description:
-----------------------------------
By default the 'support' user is enabled and uses an insecure password. This
user is not visible in the web interface and therefore cannot be disabled.
As the appliance provides a SSH daemon on all interfaces, this account can be
used to gain remote shell access on the device.
Proof of concept:
-----------------
Connect to the appliance via SSH with the following credentials:
support:*removed*
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the Symantec Mail Gateway version
9.5.4-4, which was the most recent version at the time of discovery.
Vendor contact timeline:
------------------------
2012-07-11: Contacting vendor through secure@symantec.com
2012-07-11: Vendor response - will forward it to product team for validation
2012-07-25: Update to SMG is being finalized, release date will be coordinated
2012-08-27: Vendor releases advisory and new version.
2012-08-29: SEC Consult releases security advisory
Solution:
---------
Update to the latest release of Symantec Messaging Gateway 10.0.
More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00
Workaround:
-----------
Restrict SSH access to the Symantec Mail Gateway or change the password of
the 'support' user.
Advisory URL:
--------------
https://www.sec-consult.com/en/advisories.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
EOF S. Viehböck / @2012