Symantec Web Gateway flaw enables hacker surveillance

Security flaws in Symantec’s Web Gateway appliance expose users to surveillance of all internet activities, says SEC Consult

Security flaws in Symantec’s Web Gateway appliance are exposing users to surveillance of all internet activities, according to information security consultancy SEC Consult.

SEC Consult said Symantec Web Gateway users are vulnerable to surveillance by state-sponsored or criminal hackers, who could take full control of the appliance meant to protect against web-borne malware.

SEC Consult identified several vulnerabilities in the components of the Symantec Web Gateway in the course of a short “crash test” and worked with Symantec to resolve these issues.

The firm said several of the vulnerabilities could be used together to run arbitrary commands with the privileges of the "root" user on the appliance.

Researchers found attackers could get unauthorised access to the appliance and plant backdoor or access configuration files containing credentials for other systems such as Active Directory that can be used in further attacks.

Since all web traffic passes through the appliance, interception of sensitive information such as passwords and session cookies is possible, the researchers said.

If SSL Deep Inspection is enabled, the appliance holds a private key for a Certificate Authority (CA) certificate that is installed/trusted on all workstations in the company.

If this private key is compromised by an attacker, arbitrary certificates can be signed, enabling various attacks.

SEC Consult recommends users switch off the product until a comprehensive security audit, based on a security source code review, has been performed and all identified security deficiencies have been resolved by Symantec.

Attack types

The types of attacks the discovered vulnerabilities enable, include:

  • Reflected cross site scripting that allows effective session hijacking attacks of administrator session cookies;
  • Persistent cross site scripting that allows an unauthenticated user to inject script code into the administration interface;
  • Operating system command injection that allows authenticated users to execute arbitrary commands on the underlying operating system that could be used to get persistent access to the affected system;
  • Security misconfiguration that allows unprivileged operating system users to can gain root privileges;
  • SQL injection that allows an authenticated administrator to issue manipulated SQL commands;
  • Cross site request forgery that allows attackers to assume the role of administrator.

The vulnerabilities have been verified to exist in the Symantec Web Gateway version and Symantec has confirmed that version 5.1.0, all sub-releases and all prior releases are affected.

There is no workaround available and users of affected versions of the product are advised to update to Symantec Web Gateway version 5.1.1.

Symantec said version 5.1.1 is available to customers through normal support locations to address these issues.

Symantec recommendations

Symantec recommends that customers:

  • Restrict access to administration or management systems to privileged users;
  • Disable remote access if not required or restrict it to trusted/authorised systems only;
  • Where possible, limit exposure of application and web interfaces to trusted/internal networks only;
  • Keep all operating systems and applications updated with the latest supplier patches;
  • Follow a multilayered approach to security. Run both firewall and antimalware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats;
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity.

The company said Symantec Web Gateway software and any applications installed on the Symantec Web Gateway can be updated only with authorised and tested versions distributed by Symantec.

Read more on Application security and coding requirements