Early last week Symantec issued a security update for their Symantec Messaging Gateway (SMG) appliance versions 10.6 and 10.7. This update addresses two elevation of privilege vulnerabilities that were responsibly disclosed to Symantec. The first issue discussed below was disclosed to Symantec by Karim Reda Fakhir. The second issue was disclosed by Martin Carpenter with Citco.
Why Should These Issues Be Considered Important?
The first issue, when exploited by an attacker, could result in them obtaining the encrypted Active Directory password stored on the SMG appliance. Once they have obtained possession of the password they would need to reverse engineer it to reveal the actual password. As Symantec notes, the password would not provide the attacker with any further access to the SMG appliance than they would already have, but it can potentially provide an attacker with elevated privileges on other devices on the same internal network as the SMG.
The second issue involves tampering with the code that is input/sent to the terminal window with the goal of escaping the current permissions of the logged-in user to elevate those permissions to that of the root user. With these permissions an attacker can carry out any instructions/actions of their choice. As Symantec notes, this includes code execution (carrying out actions of an attacker’s choice) or access to the management console of the SMG.
One mitigating factor for the second issue is that the management interface of the SMG is not usually accessible outside of the local network (namely not accessible to the wider/outside internet). This means that an attacker would first need to have already gained access to your corporate network using another means. Moreover, at this time Symantec is not aware of these issues being exploited.
How Can I Protect Myself From These Issues?
To address both of the above issues Symantec have issued a security advisory. This advisory details that the appropriate security update for SMG version 10.6 is available using the software update facility of the SMG.
This advisory provides further best practice advice to minimize the impact of these issues before you apply the necessary updates, as well as to harden your SMG against other potential security issues.
If you make use of the affected Symantec corporate messaging gateways within your organization, please install the relevant updates as soon as possible.