=======================================================================
title: Support Backdoor
product: Symantec Messaging Gateway
vulnerable version: 9.5.x
fixed version: 10.0
CVE number: CVE-2012-3579
impact: Critical
homepage: http://www.symantec.com
found: 2012-06-26
by: S. Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor/product description:
-----------------------------
"Symantec Messaging Gateway powered by Brightmail, delivers inbound and outbound
messaging security, with effective and accurate real-time antispam and antivirus
protection, advanced content filtering, data loss prevention, and email
encryption. Messaging Gateway is simple to administer and catches more than 99%
of spam with less than one in a million false positives. Defend your email
perimeter, and quickly respond to new messaging threats with this market leading
messaging security solution."
URL: http://www.symantec.com/messaging-gateway
Vulnerability overview/description:
-----------------------------------
By default the 'support' user is enabled and uses an insecure password. This
user is not visible in the web interface and therefore cannot be disabled.
As the appliance provides a SSH daemon on all interfaces, this account can be
used to gain remote shell access on the device.
Proof of concept:
-----------------
Connect to the appliance via SSH with the following credentials:
support:*removed*
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the Symantec Mail Gateway version
9.5.4-4, which was the most recent version at the time of discovery.
Vendor contact timeline:
------------------------
2012-07-11: Contacting vendor through secure (at) symantec (dot) com [email concealed]
2012-07-11: Vendor response - will forward it to product team for validation
2012-07-25: Update to SMG is being finalized, release date will be coordinated
2012-08-27: Vendor releases advisory and new version.
2012-08-29: SEC Consult releases security advisory
Solution:
---------
Update to the latest release of Symantec Messaging Gateway 10.0.
More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid
=security_advisory&pvid=security_advisory&suid=20120827_00
Workaround:
-----------
Restrict SSH access to the Symantec Mail Gateway or change the password of
the 'support' user.
Advisory URL:
--------------
https://www.sec-consult.com/en/advisories.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
EOF S. Viehböck / @2012
title: Support Backdoor
product: Symantec Messaging Gateway
vulnerable version: 9.5.x
fixed version: 10.0
CVE number: CVE-2012-3579
impact: Critical
homepage: http://www.symantec.com
found: 2012-06-26
by: S. Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor/product description:
-----------------------------
"Symantec Messaging Gateway powered by Brightmail, delivers inbound and outbound
messaging security, with effective and accurate real-time antispam and antivirus
protection, advanced content filtering, data loss prevention, and email
encryption. Messaging Gateway is simple to administer and catches more than 99%
of spam with less than one in a million false positives. Defend your email
perimeter, and quickly respond to new messaging threats with this market leading
messaging security solution."
URL: http://www.symantec.com/messaging-gateway
Vulnerability overview/description:
-----------------------------------
By default the 'support' user is enabled and uses an insecure password. This
user is not visible in the web interface and therefore cannot be disabled.
As the appliance provides a SSH daemon on all interfaces, this account can be
used to gain remote shell access on the device.
Proof of concept:
-----------------
Connect to the appliance via SSH with the following credentials:
support:*removed*
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the Symantec Mail Gateway version
9.5.4-4, which was the most recent version at the time of discovery.
Vendor contact timeline:
------------------------
2012-07-11: Contacting vendor through secure (at) symantec (dot) com [email concealed]
2012-07-11: Vendor response - will forward it to product team for validation
2012-07-25: Update to SMG is being finalized, release date will be coordinated
2012-08-27: Vendor releases advisory and new version.
2012-08-29: SEC Consult releases security advisory
Solution:
---------
Update to the latest release of Symantec Messaging Gateway 10.0.
More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid
=security_advisory&pvid=security_advisory&suid=20120827_00
Workaround:
-----------
Restrict SSH access to the Symantec Mail Gateway or change the password of
the 'support' user.
Advisory URL:
--------------
https://www.sec-consult.com/en/advisories.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
EOF S. Viehböck / @2012
