Support Content Notification - Support Portal

Symantec Brightmail AntiSpam Multiple Vulnerabilities

Product/Component

AntiSpam

0 more products

Notification Id

1096

Last Updated

06 March 2020

Initial Publication Date

27 July 2006

Status

CLOSED

Severity

MEDIUM

CVSS Base Score

WorkAround

Affected CVE

SUMMARY

Multiple vulnerabilities have been reported in Symantec Brightmail AntiSpam. Confidential system information can be read or modified by combining these issues.

Risk Impact
Medium

Remote	Yes
Local	No
Authentication Required	No
Exploit publicly available	No

AFFECTED PRODUCTS

Product	Version	Build	Upgrade To
Symantec Brightmail AntiSpam (SBAS)	All	All	SMS for SMTP 5 or SBAS 6.0.4

ISSUES

Details
Symantec Brightmail AntiSpam fails to fully sanitize file names passed to the DATABLOB-GET / DATABLOB-SAVE requests of directory traversal Sequences. This directory traversal vulnerability could result in confidential system information being exposed.

During the installation of email scanners, three options are given for identifying the Brightmail AntiSpam Control Center that will control the scanner. The first option is a local Control Center; the second option is to identify the Control Center by its IP address; and the third option allows the Control Center to connect from any computer. The third option could allow an attacker to impersonate the Control Center, exposing the following vulnerabilities.

The Brightmail AntiSpam service can be hung by sending invalid posts, causing a Denial of Service.
By combining with the Directory Traversal vulnerability, some system files can be read.
By combining with the Directory Traversal vulnerability, it is possible to overwrite existing files on the same drive as Symantec Brightmail AntiSpam

MITIGATION

Symantec Response
Symantec advises all current SBAS customers to upgrade to Symantec Mail Security (SMS) for SMTP 5.0, which does not have this vulnerability. SMS for SMTP 5.0, Symantec's flagship gateway mail security software product, combines proven SBAS technology with significant new email security features. Information describing SMS for SMTP 5.0 is available at http://www.symantec.com/Products/enterprise?c=prodinfo&refId=845&cid=1011. All SBAS customers with current maintenance agreements are entitled to upgrade to SMS for SMTP 5.0 at no additional cost.

For customers unable to upgrade to SMS for SMTP 5.0, Symantec has created and released SBAS 6.0.4, a product update that addresses this vulnerability. SBAS 6.0.4 properly sanitizes all directory traversal input. The option to allow the SBAS Control Center to connect from any IP address has been eliminated. Customers can obtain SBAS 6.0.4 on Symantec FileConnect (https://fileconnect.symantec.com/selectlicenselang.html) using their SBAS license serial number.

ACKNOWLEDGEMENTS

Symantec would like to thank George A. Theall of Tenable Network Security, Inc. for reporting this issue and for providing coordination while Symantec resolved it.