Symantec Security Response SMNTC-1085
History: Feb 01, 2006 - 8:00 a.m.

Symantec Sygate Management Server: SMS Authentication Servlet SQL Injection

2006-02-01 08:00:00
Symantec Security Response

EPSS: 0.005
Percentile: 77.2%

SUMMARY

A SQL injection vulnerability in Symantec’s Sygate Management Server (SMS) version 4.1, build 1417 and earlier could potentially allow a remote or local attacker to gain administrative privileges to the SMS server.

| Attribute | Value |
|---|---|
| Risk Impact | High |
| Remote Access | Yes |
| Local Access | Yes |
| Authentication Required | No |
| Exploit publicly available | Yes |

AFFECTED PRODUCTS

| Product | Version | Platform | Build | Solution |
|---|---|---|---|---|
| SMS (English) | 3.5 | Windows | MR 3 build 894 or earlier | ftp://[email protected] (See Note) |
| SMS (English) | 4.0 | Windows | MR 1 build 1104 and earlier | ftp://[email protected] (See Note) |
| SMS (English) | 4.0 | Solaris | MR 1 build 1104 and earlier | ftp://[email protected] (See Note) |
| SMS (English) | 4.1 | Windows | MR 2 build 1417 and earlier | ftp://[email protected] (See Note) |
| SMS (English) | 4.1 | Solaris | MR 2 build 1417 and earlier | ftp://[email protected] (See Note) |
| SMS 4.1 (Chinese) | 4.1 | | MR1 build 1351 and earlier | ftp://[email protected] (See Note) |
| SMS 4.1 GA (Japanese) | 4.1 | | GA build 1258 and earlier | See Note |

Note: Please contact Technical Support to obtain the password needed to download these updates.

The Japanese version of SMS is distributed through Macnica Inc. Please contact your Macnica Support representative to obtain this update.

ISSUES

Details
Symantec was notified of a vulnerability in Symantec’s Sygate Management Server. An attacker with network or local access to the SMS Server could inject code into a URL which would potentially allow the attacker to overwrite the password for any SMS account, including the SMS administrator account. If successful, the attacker could then use that new password to access the SMS console with full administrator privileges. This would allow the attacker to disable all agents, or to propagate an exploit script to all managed agents.
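To make the defect class concrete, the following is an added example written for this page, not Symantec's code (the advisory does not describe the servlet's internals): a password-reset routine in the vulnerable form, where the account name from a URL parameter is spliced into the SQL text, beside a parameterized form that additionally refuses any reset that would touch other than exactly one account. The `users` table, the sample accounts and the function names are assumptions; SQLite stands in for the real database.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumptions (not from the advisory): a `users` table of salted password
# hashes and a reset routine whose account name arrives as a URL parameter.
def hash_pw(password: str, salt_hex: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000).hex()

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, pw_hash TEXT)")
    for name in ("admin", "operator", "o'brien"):  # constructed sample accounts
        salt = os.urandom(8).hex()
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_pw("initial", salt)))
    conn.commit()
    return conn

def reset_password_vulnerable(conn, username: str, new_pw: str) -> int:
    # The defect class the advisory describes: the request parameter is spliced
    # into the statement text, so quote characters in it change what the SQL
    # says instead of being compared as data; returns -1 when it no longer parses.
    salt = os.urandom(8).hex()
    sql = "UPDATE users SET salt = '%s', pw_hash = '%s' WHERE username = '%s'" % (
        salt, hash_pw(new_pw, salt), username)
    try:
        cur = conn.execute(sql)
    except sqlite3.Error:
        conn.rollback()
        return -1
    conn.commit()
    return cur.rowcount

def reset_password_hardened(conn, username: str, new_pw: str) -> int:
    # Bound parameters travel separately from the statement text, so the input
    # can only ever be a value. A reset must also touch exactly one account;
    # anything else is rolled back rather than committed.
    salt = os.urandom(8).hex()
    cur = conn.execute("UPDATE users SET salt = ?, pw_hash = ? WHERE username = ?",
                       (salt, hash_pw(new_pw, salt), username))
    if cur.rowcount != 1:
        conn.rollback()
        return 0
    conn.commit()
    return 1

def verify_password(conn, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and hmac.compare_digest(hash_pw(password, row[0]), row[1])
```

A single quote in an ordinary account name is enough to break the concatenated statement, which is the same property an attacker relies on; the bound-parameter version treats it as plain data.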

CVE
This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (<http://cve.mitre.org>), which standardizes names for security problems.

The CVE initiative has assigned CVE Candidate t to this issue.

MITIGATION

Symantec Response
Symantec engineers have verified that this vulnerability exists in the product versions listed above, and have provided updates to resolve the issue.

Upgrade Information
Fixed builds for this issue can be downloaded from the locations listed in the table above. Select your supported version of Symantec SMS and use the login credentials that were provided by Enterprise Support to download the appropriate update. If you need additional assistance, please contact Enterprise Support.

Note: Supported products will be updated to address this vulnerability. If you are using a product version or maintenance release earlier than those listed in the table above, you will need to upgrade to the most currently supported version of your product.

Mitigation
To help reduce the risks associated with this vulnerability until you are able to apply the patches or updates, Symantec recommends the following:

Restrict access to the SMS console by using its internal network ACL. Then, specify the IP addresses of valid administrators so they will have access to the console.

Restrict access to the vulnerable SMS applet by using IIS’ ACL.

Details on these mitigation steps are located in the same ftp location as the product builds.

As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends customers immediately apply the updates for their products to protect against possible attacks.

Note
Symantec is not aware of any customers impacted by this vulnerability. On April 13, 2006, proof of concept code to exploit this issue was made available.

ACKNOWLEDGEMENTS

Symantec would like to thank Guillaume Goutaudier and Nicolas Gregoire at Exaprobe, SAS, France for reporting this issue, and working with us on the resolution.

REVISION

Revision History
02/03/06 - added CVE identifier
02/07/06 - updated Credit section
02/09/06 - added Solaris build information
04/17/06 - added information on the availability of proof of concept code
