Symantec Brightmail AntiSpam Multiple Vulnerabilities
SUMMARY
Multiple vulnerabilities have been reported in Symantec Brightmail AntiSpam. Confidential system information can be read or modified by combining these issues.
Risk Impact
Medium
Remote |
Yes |
Local |
No |
Authentication Required |
No |
Exploit publicly available |
No |
AFFECTED PRODUCTS
Product |
Version |
Build |
Upgrade To |
Symantec Brightmail AntiSpam (SBAS) |
All |
All |
SMS for SMTP 5 or SBAS 6.0.4 |
ISSUES
Details
Symantec Brightmail AntiSpam fails to fully sanitize file names passed to the DATABLOB-GET / DATABLOB-SAVE requests of directory traversal Sequences. This directory traversal vulnerability could result in confidential system information being exposed.
During the installation of email scanners, three options are given for identifying the Brightmail AntiSpam Control Center that will control the scanner. The first option is a local Control Center; the second option is to identify the Control Center by its IP address; and the third option allows the Control Center to connect from any computer. The third option could allow an attacker to impersonate the Control Center, exposing the following vulnerabilities.
- The Brightmail AntiSpam service can be hung by sending invalid posts, causing a Denial of Service.
- By combining with the Directory Traversal vulnerability, some system files can be read.
- By combining with the Directory Traversal vulnerability, it is possible to overwrite existing files on the same drive as Symantec Brightmail AntiSpam
MITIGATION
Symantec Response
Symantec advises all current SBAS customers to upgrade to Symantec Mail Security (SMS) for SMTP 5.0, which does not have this vulnerability. SMS for SMTP 5.0, Symantec's flagship gateway mail security software product, combines proven SBAS technology with significant new email security features. Information describing SMS for SMTP 5.0 is available at http://www.symantec.com/Products/enterprise?c=prodinfo&refId=845&cid=1011. All SBAS customers with current maintenance agreements are entitled to upgrade to SMS for SMTP 5.0 at no additional cost.
For customers unable to upgrade to SMS for SMTP 5.0, Symantec has created and released SBAS 6.0.4, a product update that addresses this vulnerability. SBAS 6.0.4 properly sanitizes all directory traversal input. The option to allow the SBAS Control Center to connect from any IP address has been eliminated. Customers can obtain SBAS 6.0.4 on Symantec FileConnect (https://fileconnect.symantec.com/selectlicenselang.html) using their SBAS license serial number.
ACKNOWLEDGEMENTS
Symantec would like to thank George A. Theall of Tenable Network Security, Inc. for reporting this issue and for providing coordination while Symantec resolved it.