February 1, 2006
Symantec Sygate Management Server: SMS Authentication Servlet SQL Injection

Revision History
02/03/06 - added CVE identifier
02/07/06 - updated Credit section
02/09/06 - added Solaris build information
04/17/06 - added information on the availability of proof of concept code

Risk Impact

Remote Access: Yes
Local Access: Yes
Authentication Required: No
Exploit publicly available: Yes


A SQL injection vulnerability in Symantec's Sygate Management Server (SMS) version 4.1, build 1417 and earlier could potentially allow a remote or local attacker to gain administrative privileges to the SMS server.

Affected Product(s)

SMS (English), version 3.5
    Windows: MR 3 build 894 or earlier. Update: ftp://SMS35b895@ (See Note)
SMS (English), version 4.0
    Windows: MR 1 build 1104 and earlier. Update: ftp://SMS40B1105@ (See Note)
    Solaris: MR 1 build 1104 and earlier
SMS (English), version 4.1
    Windows: MR 2 build 1417 and earlier. Update: ftp://SSE41MR2@ (See Note)
    Solaris: MR 2 build 1417 and earlier
SMS 4.1 (Chinese)
    4.1 MR1 build 1351 and earlier. Update: ftp://SMS1352c@ (See Note)
SMS 4.1 GA (Japanese)
    4.1 GA build 1258 and earlier. Update: See Note

Note: Please contact Technical Support to obtain the password needed to download these updates.

The Japanese version of SMS is distributed through Macnica Inc. Please contact your Macnica Support representative to obtain this update.

Symantec was notified of a vulnerability in Symantec's Sygate Management Server. An attacker with network or local access to the SMS Server could inject code into a URL which would potentially allow the attacker to overwrite the password for any SMS account, including the SMS administrator account. If successful, the attacker could then use that new password to access the SMS console with full administrator privileges. This would allow the attacker to disable all agents, or to propagate an exploit script to all managed agents.

Symantec Response
Symantec engineers have verified that this vulnerability exists in the product versions listed above, and have provided updates to resolve the issue.

Upgrade Information
Fixed builds for this issue can be downloaded from the locations listed in the table above. Select your supported version of Symantec SMS and use the login credentials that were provided by Enterprise Support to download the appropriate update. If you need additional assistance, please contact Enterprise Support.

Note: Supported products will be updated to address this vulnerability. If you are using a product version or maintenance release earlier than those listed in the table above, you will need to upgrade to the most currently supported version of your product.

To help reduce the risks associated with this vulnerability until you are able to apply the patches or updates, Symantec recommends the following:

Restrict access to the SMS console by using its internal network ACL. Then, specify the IP addresses of valid administrators so they will have access to the console.

Restrict access to the vulnerable SMS applet by using IIS' ACL.

Details on these mitigation steps are located in the same ftp location as the product builds.
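
One way to check that the two interim restrictions above are actually in effect, as an added example (not Symantec's code): this Python script reads an IIS W3C extended log and reports requests to the SMS servlet that came from outside the administrator ranges without being refused, or whose query string decodes to SQL metacharacters. The servlet path, the `uid` parameter, the address ranges and the log lines are constructed placeholders, because the advisory does not give them.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Assumptions, not from the advisory: servlet path, parameter name, admin ranges.
SERVLET_PREFIX = "/sms-placeholder/servlet"          # hypothetical path
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/28")]  # constructed allowlist

# Quote, comment and statement tokens that should not appear in a login URL.
SQL_HINT = re.compile(r"('|--|;|/\*|\b(select|update|insert|delete|union|exec)\b)", re.I)

# Constructed IIS W3C extended log lines (documentation address ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-02-02 09:14:01 192.0.2.5 GET /sms-placeholder/servlet/auth uid=alice 200
2006-02-02 09:15:40 198.51.100.23 GET /sms-placeholder/servlet/auth uid=bob 200
2006-02-02 09:16:12 203.0.113.77 GET /sms-placeholder/servlet/auth uid=x%27%3B+--+ 200
2006-02-02 09:17:30 203.0.113.77 GET /other/page.htm - 200
2006-02-02 09:18:02 198.51.100.23 GET /sms-placeholder/servlet/auth uid=carol 403
"""

def audit(log_text):
    """Return (line_no, client_ip, reasons) for each suspicious servlet request."""
    fields, findings = [], []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().startswith(SERVLET_PREFIX):
            continue
        reasons = []
        ip = ipaddress.ip_address(row["c-ip"])
        allowed = any(ip in net for net in ADMIN_NETS)
        # A non-admin source that was not refused means the ACL is not enforced.
        if not allowed and row.get("sc-status") != "403":
            reasons.append("acl-bypass")
        if SQL_HINT.search(unquote_plus(row.get("cs-uri-query", ""))):
            reasons.append("sql-metachar")
        if reasons:
            findings.append((line_no, str(ip), reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```
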

As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends customers immediately apply the updates for their products to protect against possible attacks.

Symantec is not aware of any customers impacted by this vulnerability. On April 13, 2006, proof of concept code to exploit this issue was made available.

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems.

The CVE initiative has assigned CVE Candidate CVE-2006-0522 to this issue.

Symantec would like to thank Guillaume Goutaudier and Nicolas Gregoire at Exaprobe, SAS, France for reporting this issue, and working with us on the resolution.

Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

Symantec Vulnerability Response Policy (PDF)
Symantec Product Vulnerability Management PGP Key (PGP)

Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Initial Post on: Wednesday, 01-Feb-06 07:05:00
Last modified on: Monday, 17-Apr-2006 15:22:00 PDT