SEC Consult said Symantec Web Gateway users are vulnerable to surveillance by state-sponsored or criminal hackers, who could take full control of the appliance meant to protect against web-borne malware.
SEC Consult identified several vulnerabilities in the components of the Symantec Web Gateway in the course of a short “crash test” and worked with Symantec to resolve these issues.
The firm said several of the vulnerabilities could be used together to run arbitrary commands with the privileges of the "root" user on the appliance.
Researchers found attackers could get unauthorised access to the appliance and plant backdoor or access configuration files containing credentials for other systems such as Active Directory that can be used in further attacks.
Since all web traffic passes through the appliance, interception of sensitive information such as passwords and session cookies is possible, the researchers said.
Read more about security flaws
- Researchers warn of “huge” Android security flaw
- Mobile security model flawed, says Mobile Helix
- Millions of mobiles vulnerable to Sim security flaw
- Dutch government publishes security flaw disclosure guide
- Patched IE8 flaw used for targeted attacks, says Microsoft
- Attackers exploit Ruby on Rails flaw, despite warnings and patch
- Application security risks posed by open source Java frameworks
If this private key is compromised by an attacker, arbitrary certificates can be signed, enabling various attacks.
SEC Consult recommends users switch off the product until a comprehensive security audit, based on a security source code review, has been performed and all identified security deficiencies have been resolved by Symantec.
The types of attacks the discovered vulnerabilities enable, include:
- Reflected cross site scripting that allows effective session hijacking attacks of administrator session cookies;
- Persistent cross site scripting that allows an unauthenticated user to inject script code into the administration interface;
- Operating system command injection that allows authenticated users to execute arbitrary commands on the underlying operating system that could be used to get persistent access to the affected system;
- Security misconfiguration that allows unprivileged operating system users to can gain root privileges;
- SQL injection that allows an authenticated administrator to issue manipulated SQL commands;
- Cross site request forgery that allows attackers to assume the role of administrator.
The vulnerabilities have been verified to exist in the Symantec Web Gateway version 184.108.40.206 and Symantec has confirmed that version 5.1.0, all sub-releases and all prior releases are affected.
There is no workaround available and users of affected versions of the product are advised to update to Symantec Web Gateway version 5.1.1.
Symantec said version 5.1.1 is available to customers through normal support locations to address these issues.
Symantec recommends that customers:
- Restrict access to administration or management systems to privileged users;
- Disable remote access if not required or restrict it to trusted/authorised systems only;
- Where possible, limit exposure of application and web interfaces to trusted/internal networks only;
- Keep all operating systems and applications updated with the latest supplier patches;
- Follow a multilayered approach to security. Run both firewall and antimalware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats;
- Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity.
The company said Symantec Web Gateway software and any applications installed on the Symantec Web Gateway can be updated only with authorised and tested versions distributed by Symantec.