Support Backdoor in Symantec Messaging Gateway

SEC Consult Vulnerability Lab Security Advisory < 20120829-0 >

=======================================================================

title: Support Backdoor

product: Symantec Messaging Gateway

vulnerable version: 9.5.x

fixed version: 10.0

CVE number: CVE-2012-3579

impact: Critical

homepage: www.symantec.com

found: 2012-06-26

by: S. Viehböck

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

Vendor/product description:

-----------------------------

"Symantec Messaging Gateway powered by Brightmail, delivers inbound and outbound

messaging security, with effective and accurate real-time antispam and antivirus

protection, advanced content filtering, data loss prevention, and email

encryption. Messaging Gateway is simple to administer and catches more than 99%

of spam with less than one in a million false positives. Defend your email

perimeter, and quickly respond to new messaging threats with this market leading

messaging security solution."

URL: www.symantec.com/messaging-gateway

 

Vulnerability overview/description:

-----------------------------------

By default the 'support' user is enabled and uses an insecure password. This

user is not visible in the web interface and therefore cannot be disabled.

As the appliance provides a SSH daemon on all interfaces, this account can be

used to gain remote shell access on the device.

 

Proof of concept:

-----------------

Connect to the appliance via SSH with the following credentials:

support:*removed*

 

Vulnerable / tested versions:

-----------------------------

The vulnerability has been verified to exist in the Symantec Mail Gateway version

9.5.4-4, which was the most recent version at the time of discovery.

 

Vendor contact timeline:

------------------------

2012-07-11: Contacting vendor through secure@symantec.com

2012-07-11: Vendor response - will forward it to product team for validation

2012-07-25: Update to SMG is being finalized, release date will be coordinated

2012-08-27: Vendor releases advisory and new version.

2012-08-29: SEC Consult releases security advisory

 

Solution:

---------

Update to the latest release of Symantec Messaging Gateway 10.0.

More information can be found at:

www.symantec.com/security_response/securityupdates/detail.jsp

 

Workaround:

-----------

Restrict SSH access to the Symantec Mail Gateway or change the password of

the 'support' user.

 

Advisory URL:

--------------

www.sec-consult.com/en/advisories.html

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF S. Viehböck / @2012