Symantec Sygate Management Server: SMS Authentication Servlet SQL Injection

1085

06 March 2020

01 February 2006

CLOSED

HIGH

7.5

SUMMARY


A SQL injection vulnerability in Symantec's Sygate Management Server (SMS) version 4.1, build 1417 and earlier could potentially allow a remote or local attacker to gain administrative privileges to the SMS server.

Risk Impact: High

Remote Access: Yes

Local Access: Yes

Authentication Required: No

Exploit publicly available: Yes


AFFECTED PRODUCTS


Product              | Version | Platform | Build                        | Solution
---------------------|---------|----------|------------------------------|------------------------------------
SMS (English)        | 3.5     | Windows  | MR 3 build 894 or earlier    | ftp://[email protected] (See Note)
SMS (English)        | 4.0     | Windows  | MR 1 build 1104 and earlier  | ftp://[email protected] (See Note)
SMS (English)        | 4.0     | Solaris  | MR 1 build 1104 and earlier  |
SMS (English)        | 4.1     | Windows  | MR 2 build 1417 and earlier  | ftp://[email protected] (See Note)
SMS (English)        | 4.1     | Solaris  | MR 2 build 1417 and earlier  |
SMS 4.1 (Chinese)    | 4.1     |          | MR1 build 1351 and earlier   | ftp://[email protected] (See Note)
SMS 4.1 GA (Japanese)| 4.1     |          | GA build 1258 and earlier    | See Note


Note: Please contact Technical Support to obtain the password needed to download these updates.

The Japanese version of SMS is distributed through Macnica Inc. Please contact your Macnica Support representative to obtain this update.

ISSUES


Details
Symantec was notified of a vulnerability in Symantec's Sygate Management Server. An attacker with network or local access to the SMS Server could inject code into a URL which would potentially allow the attacker to overwrite the password for any SMS account, including the SMS administrator account. If successful, the attacker could then use that new password to access the SMS console with full administrator privileges. This would allow the attacker to disable all agents, or to propagate an exploit script to all managed agents.
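The root cause described above is a query that takes the account name straight from the request and splices it into the SQL text. The following added example (not Symantec's code; the table, column names and the sqlite3 back end are assumptions for illustration) shows a password-update routine written that way beside the same routine using bound parameters. A username containing a single quote breaks the concatenated statement, because the quote is read as SQL syntax rather than data; the parameterized version treats it as an ordinary character and updates only the matching row.

```python
import sqlite3


def make_db():
    """Constructed in-memory account table standing in for the SMS account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT PRIMARY KEY, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("admin", "hash-admin"), ("o'brien", "hash-obrien")],
    )
    conn.commit()
    return conn


def reset_password_vulnerable(conn, username, new_hash):
    """Builds the statement by string formatting: the username from the URL
    becomes part of the SQL text, so quote characters alter the statement.
    Shown only to illustrate the defect class; do not use this pattern."""
    sql = "UPDATE accounts SET password_hash = '%s' WHERE username = '%s'" % (
        new_hash,
        username,
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def reset_password_hardened(conn, username, new_hash):
    """Same operation with bound parameters: the driver sends the username as
    data, so it can never change the shape of the query."""
    cur = conn.execute(
        "UPDATE accounts SET password_hash = ? WHERE username = ?",
        (new_hash, username),
    )
    conn.commit()
    return cur.rowcount


def password_hash_for(conn, username):
    row = conn.execute(
        "SELECT password_hash FROM accounts WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("hardened rows updated:", reset_password_hardened(db, "o'brien", "new"))
    try:
        reset_password_vulnerable(db, "o'brien", "new")
    except sqlite3.OperationalError as exc:
        print("vulnerable version failed on a quote in the username:", exc)
```

The failure on a benign apostrophe is the tell: any input that can break the statement can also reshape it, which is exactly the condition the advisory describes.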

CVE
This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems.

The CVE initiative has assigned CVE Candidate t to this issue.

MITIGATION


Symantec Response
Symantec engineers have verified that this vulnerability exists in the product versions listed above, and have provided updates to resolve the issue.

Upgrade Information
Fixed builds for this issue can be downloaded from the locations listed in the table above. Select your supported version of Symantec SMS and use the login credentials that were provided by Enterprise Support to download the appropriate update. If you need additional assistance, please contact Enterprise Support.

Note: Supported products will be updated to address this vulnerability. If you are using a product version or maintenance release earlier than those listed in the table above, you will need to upgrade to the most currently supported version of your product.

Mitigation
To help reduce the risks associated with this vulnerability until you are able to apply the patches or updates, Symantec recommends the following:

Restrict access to the SMS console by using its internal network ACL. Then, specify the IP addresses of valid administrators so they will have access to the console.

Restrict access to the vulnerable SMS applet by using IIS' ACL.

Details on these mitigation steps are located in the same ftp location as the product builds.
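Both mitigation steps above come down to an address allowlist for administrators. As an added example (not Symantec's tooling; the servlet path, the allowlist and the log lines are all constructed for illustration, since the advisory names none of them), the following script reads IIS W3C-format log lines and reports every request to the protected servlet that came from an address outside the administrator allowlist. Run over real logs, it verifies that the ACL is actually being enforced and surfaces any access that slipped through before the patch was applied.

```python
import ipaddress

# Hypothetical path: the advisory does not name the vulnerable servlet's URL.
SERVLET_PATH = "/example/auth-servlet"

# Constructed allowlist of administrator addresses and ranges, mirroring the
# advisory's advice to permit only valid administrators' IP addresses.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("10.0.5.0/24"),
    ipaddress.ip_network("192.0.2.10/32"),
]

# Constructed IIS W3C-style log excerpt (the #Fields: header defines the columns).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2006-02-01 10:00:01 10.0.0.5 GET /example/auth-servlet user=admin 443 - 10.0.5.21 200
2006-02-01 10:00:07 10.0.0.5 GET /example/auth-servlet user=admin 443 - 198.51.100.77 200
2006-02-01 10:00:09 10.0.0.5 GET /images/logo.gif - 443 - 198.51.100.77 200
2006-02-01 10:01:30 10.0.0.5 POST /example/auth-servlet - 443 - 192.0.2.10 302
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed or pre-header lines rather than crash
        yield dict(zip(fields, values))


def is_allowed(client_ip, allowlist):
    """True when the client address falls inside any allowlisted network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable address is never trusted
    return any(addr in net for net in allowlist)


def find_unexpected_requests(text, allowlist=ADMIN_ALLOWLIST, path=SERVLET_PATH):
    """Return (timestamp, client ip, method, status) for each request to the
    protected path from an address outside the allowlist."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"] != path:
            continue
        if not is_allowed(rec["c-ip"], allowlist):
            hits.append(
                (rec["date"] + " " + rec["time"], rec["c-ip"], rec["cs-method"], rec["sc-status"])
            )
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_requests(SAMPLE_LOG):
        print("servlet reached from non-admin address:", hit)
```

A 200 response on such a hit means the servlet answered a client the ACL should have blocked; a 403 would show the IIS restriction working as intended.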

As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends customers immediately apply the updates for their products to protect against possible attacks.

Note
Symantec is not aware of any customers impacted by this vulnerability. On April 13, 2006, proof of concept code to exploit this issue was made available.

ACKNOWLEDGEMENTS


Symantec would like to thank Guillaume Goutaudier and Nicolas Gregoire at Exaprobe, SAS, France for reporting this issue and working with us on the resolution.

REVISION


Revision History
02/03/06 - added CVE identifier
02/07/06 - updated Credit section
02/09/06 - added Solaris build information
04/17/06 - added information on the availability of proof of concept code