Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

[R1] Symantec Web Gateway (SWG) Multiple Vulnerabilities #1

Critical

Synopsis

CVE-2012-0297: The management GUI in Symantec Web Gateway 5.0.x before 5.0.3 does not properly restrict access to application scripts, which allows remote attackers to execute arbitrary code by (1) injecting crafted data or (2) including crafted data. (Tenable reported RCE issues in /spywall/ipchange.php and network.php, although additional issues may exist.)

CVE-2012-0297: The file-management scripts in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to (1) read or (2) delete arbitrary files via unspecified vectors. (The issue occurs in the download() function of the /spywall/download_file.php script.)

CVE-2012-0296: Multiple cross-site scripting (XSS) vulnerabilities in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. (Tenable reported the 'l' parameter of the timer.php script as a reflected XSS, although there may be additional scripts affected.)

CVE-2012-0299: The file-management scripts in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to upload arbitrary code to a designated pathname, and possibly execute this code, via unspecified vectors. (This flaw exists because the program does not properly verify or sanitize user-uploaded files via the upload_file() function in spywall/includes/util_functions.php. By uploading a crafted file, the remote system will place the file in a user-accessible path. Making a direct request to the uploaded file will allow the user to execute commands. Note that util_functions.php is called by admin_messages.php, blocked_file.php, blocked_url.php, previewBlocked.php, and previewInfected.php. Only admin_messages.php requires authentication.)

Solution

Upgrade to 5.0.3 or later, as it has been reported to fix the issues.

Disclosure Timeline

2012-05-17 - Issue disclosed

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2012-03
Credit:
Tenable Network Security
CVSSv2 Base / Temporal Score:
10.0 / 8.3
CVSSv2 Vector:
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Nessus Plugin ID: 59208
59209
59210
Affected Products:
Symantec Web Gateway 5.0.2
Risk Factor:
Critical

Advisory Timeline

2015-10-05 - Initial release