exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Symantec Messaging Gateway 9.5.x Support Backdoor

Symantec Messaging Gateway 9.5.x Support Backdoor
Posted Aug 30, 2012
Authored by Stefan Viehboeck | Site sec-consult.com

Symantec Messaging Gateway version 9.5.x suffers from a vendor-supplied backdoor vulnerability. By default the 'support' user is enabled and uses an insecure password. This user is not visible in the web interface and therefore cannot be disabled. As the appliance provides a SSH daemon on all interfaces, this account can be used to gain remote shell access on the device.

tags | advisory, remote, web, shell
SHA-256 | d327098479a9098d90ac2ea33a247a5c26c17c8e26b8959dee707097e490d059

Symantec Messaging Gateway 9.5.x Support Backdoor

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20120829-0 >
=======================================================================
title: Support Backdoor
product: Symantec Messaging Gateway
vulnerable version: 9.5.x
fixed version: 10.0
CVE number: CVE-2012-3579
impact: Critical
homepage: http://www.symantec.com
found: 2012-06-26
by: S. Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
"Symantec Messaging Gateway powered by Brightmail, delivers inbound and outbound
messaging security, with effective and accurate real-time antispam and antivirus
protection, advanced content filtering, data loss prevention, and email
encryption. Messaging Gateway is simple to administer and catches more than 99%
of spam with less than one in a million false positives. Defend your email
perimeter, and quickly respond to new messaging threats with this market leading
messaging security solution."

URL: http://www.symantec.com/messaging-gateway


Vulnerability overview/description:
-----------------------------------
By default the 'support' user is enabled and uses an insecure password. This
user is not visible in the web interface and therefore cannot be disabled.
As the appliance provides a SSH daemon on all interfaces, this account can be
used to gain remote shell access on the device.


Proof of concept:
-----------------
Connect to the appliance via SSH with the following credentials:
support:*removed*


Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the Symantec Mail Gateway version
9.5.4-4, which was the most recent version at the time of discovery.


Vendor contact timeline:
------------------------
2012-07-11: Contacting vendor through secure@symantec.com
2012-07-11: Vendor response - will forward it to product team for validation
2012-07-25: Update to SMG is being finalized, release date will be coordinated
2012-08-27: Vendor releases advisory and new version.
2012-08-29: SEC Consult releases security advisory



Solution:
---------
Update to the latest release of Symantec Messaging Gateway 10.0.

More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00


Workaround:
-----------
Restrict SSH access to the Symantec Mail Gateway or change the password of
the 'support' user.


Advisory URL:
--------------
https://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com


EOF S. Viehböck / @2012
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close