SEC Consult Vulnerability Lab Security Advisory < 20120829-0 > ======================================================================= title: Support Backdoor product: Symantec Messaging Gateway vulnerable version: 9.5.x fixed version: 10.0 CVE number: CVE-2012-3579 impact: Critical homepage: http://www.symantec.com found: 2012-06-26 by: S. Viehböck SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: ----------------------------- "Symantec Messaging Gateway powered by Brightmail, delivers inbound and outbound messaging security, with effective and accurate real-time antispam and antivirus protection, advanced content filtering, data loss prevention, and email encryption. Messaging Gateway is simple to administer and catches more than 99% of spam with less than one in a million false positives. Defend your email perimeter, and quickly respond to new messaging threats with this market leading messaging security solution." URL: http://www.symantec.com/messaging-gateway Vulnerability overview/description: ----------------------------------- By default the 'support' user is enabled and uses an insecure password. This user is not visible in the web interface and therefore cannot be disabled. As the appliance provides a SSH daemon on all interfaces, this account can be used to gain remote shell access on the device. Proof of concept: ----------------- Connect to the appliance via SSH with the following credentials: support:*removed* Vulnerable / tested versions: ----------------------------- The vulnerability has been verified to exist in the Symantec Mail Gateway version 9.5.4-4, which was the most recent version at the time of discovery. Vendor contact timeline: ------------------------ 2012-07-11: Contacting vendor through secure@symantec.com 2012-07-11: Vendor response - will forward it to product team for validation 2012-07-25: Update to SMG is being finalized, release date will be coordinated 2012-08-27: Vendor releases advisory and new version. 2012-08-29: SEC Consult releases security advisory Solution: --------- Update to the latest release of Symantec Messaging Gateway 10.0. More information can be found at: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00 Workaround: ----------- Restrict SSH access to the Symantec Mail Gateway or change the password of the 'support' user. Advisory URL: -------------- https://www.sec-consult.com/en/advisories.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com www.sec-consult.com EOF S. Viehböck / @2012