14 DAY TRIAL // Security issues have been discovered in version 5.2 of Symantec Web Gateway (SWG) Appliance management console, which could lead to unauthorized privileged access to databases and hijacking of the user session.
The SQL injection vulnerability was discovered in the hostname parameter of the clientreport.php page; and it was possible because of improper neutralization of special elements used in a SQL command.
The exploitable XSS flaw, present because of improper neutralization of input during web page generation, was revealed in the filter_date_period, variable and operator parameters of the following pages: /spywall/entSummary.php, /spywall/custom_report.php, /spywall/host_spy_report.php and /spywall/repairedclients.php.
Versions earlier than 5.2 are also affected and protection against blind SQL injection and reflected cross-site scripting consists in updating the appliance to the newly released build, namely 5.2.1.
Running versions of the appliance vulnerable to the SQL injection could allow a potential attacker access to the management console, as well as the possibility to execute unauthorized commands. Moreover, successful exploitation of the issue could lead to unauthorized database modification.
In the case of the reflected cross-site-scripting problem, Symantec says that exploitation could result in hijacking the Symantec Web Gateway user session.
The company notes that normal installation of SWG does not provide access to the management interface from the network environment. “However, an authorized but unprivileged network user or an external attacker able to successfully leverage network access could attempt to exploit these weaknesses,” the Symantec post says.
Clients are asked to make sure they’re running the latest version of the product in order to eliminate the above mentioned risks.
“To confirm customers are running the latest updates check the 'Current Software Version -> Current Version' on the Administration->Updates page. Alternatively, customers can click 'Check for Updates' on the Administration->Updates page to verify that they are running the latest software version,” reads the message.
Symantec Web Gateway is designed as a flexible solution for protecting organizations against malicious code by relying on Insight reputation based malware filtering technology from Symantec.
Some of the best practices designed to minimize the risk of unauthorized activity include limiting remote access to authorized systems only, or, if not necessary, disabling it completely.
Access to web interfaces should also be restricted to trusted networks and host-based intrusion detection systems should be set in place to check the network traffic for any suspicious activity.
Symantec credits Brandon Perry working through HP Zero Day Initiative (ZDI) for informing of the command injection and SQL injection for SWG 5.2., and Min1214 of INFOSEC Inc. for reporting the blind SQL injection and the XSS in 5.1.x.