CPNI - Centre for the Protection of National Infrastructure


February 2006

Symantec Sygate Management Server: SYM06-002 - SMS Authentication Servlet SQL Injection

ID: 00106
Ref: 105/2006
Date: 06 February 2006 11:36:19
Version: 1

Title: Symantec Sygate Management Server: SYM06-002 - SMS Authentication Servlet SQL Injection
Abstract: A SQL injection vulnerability in Symantec's Sygate Management Server (SMS) version 4.1, build 1417 and earlier could potentially allow a remote or local attacker to gain administrative privileges to the SMS server.
Vendors affected: Symantec
Operating systems affected: Symantec
Applications affected: Symantec

Detail
======


===========================================================================



[Win]
Symantec Sygate Management Server: SMS Authentication Servlet SQL Injection
6 February 2006

===========================================================================



Product: Sygate Management Server 4.1 and prior
Publisher: Symantec
Operating System: Windows
Impact: Administrator Compromise
Access: Remote/Unauthenticated
CVE Names: CVE-2006-0522

Original Bulletin:
http://securityresponse.symantec.com/avcenter/security/Content/2006.02.01.html

- - --------------------------BEGIN INCLUDED TEXT--------------------

SYM06-002
February 1, 2006
Symantec Sygate Management Server: SMS Authentication Servlet SQL Injection

Revision History
None

Risk Impact
High

Remote Access Yes
Local Access Yes
Authentication Required No
Exploit publicly available No

Overview

A SQL injection vulnerability in Symantec's Sygate Management Server
(SMS) version 4.1, build 1417 and earlier could potentially allow a
remote or local attacker to gain administrative privileges to the SMS
server.

Affected Product(s)

Product                        Version   Build                   Solution
-----------------------------  --------  ----------------------  ----------------------------------------
SMS (English version)          3.5 MR 3  build 894 or earlier    ftp://SMS35b895@207.33.111.31 See Note
SMS (English version)          4.0 MR 1  build 1104 and earlier  ftp://SMS40B1105@207.33.111.31 See Note
SMS (English version)          4.1 MR 2  build 1417 and earlier  ftp://SSE41MR2@207.33.111.31 See Note
SMS 4.1 (Chinese Version)      4.1 MR1   build 1351 and earlier  ftp://SMS1352c@207.33.111.31 See Note
SMS 4.1 GA (Japanese Version)  4.1 GA    build 1258 and earlier  See Note

Note: Please contact Technical Support to obtain the password needed to
download these updates.

The Japanese version of SMS is distributed through Macnica Inc. Please
contact your Macnica Support representative to obtain this update.

Details
Symantec was notified of a vulnerability in Symantec's Sygate Management
Server. An attacker with network or local access to the SMS Server could
inject code into a URL which would potentially allow the attacker to
overwrite the password for any SMS account, including the SMS administrator
account. If successful, the attacker could then use that new password
to access the SMS console with full administrator privileges. This would
allow the attacker to disable all agents, or to propagate an exploit
script to all managed agents.

Symantec Response
Symantec engineers have verified that this vulnerability exists in the
product versions listed above, and have provided updates to resolve the
issue.

Upgrade Information
Fixed builds for this issue can be downloaded from the locations listed
in the table above. Select your supported version of Symantec SMS and
use the login credentials that were provided by Enterprise Support to
download the appropriate update. If you need additional assistance,
please contact Enterprise Support.

Note: Supported products will be updated to address this vulnerability.
If you are using a product version or maintenance release earlier than
those listed in the table above, you will need to upgrade to the most
currently supported version of your product.

Mitigation
To help reduce the risks associated with this vulnerability until you
are able to apply the patches or updates, Symantec recommends the
following:

Restrict access to the SMS console by using its internal network ACL.
Then, specify the IP addresses of valid administrators so they will have
access to the console.

Restrict access to the vulnerable SMS applet by using IIS' ACL.

Details on these mitigation steps are located in the same ftp location
as the product builds.
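
One way to confirm that the two ACL mitigations above are actually enforced is to audit the IIS logs for requests to the SMS console that arrived from outside the administrator allow-list. This is an added example, not part of the Symantec advisory: the URI prefix is a placeholder, and the administrator networks and log lines are constructed.

```python
import ipaddress

# Assumptions (not from the advisory): the allow-listed administrator
# networks and a placeholder URI prefix for the SMS console/servlet.
ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.0.5.0/28", "192.0.2.10/32")]
PROTECTED_PREFIX = "/PLACEHOLDER-sms-console/"

# Constructed sample in IIS W3C extended log format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-02-07 09:14:02 10.0.5.3 GET /PLACEHOLDER-sms-console/login - 200
2006-02-07 09:15:40 203.0.113.77 GET /PLACEHOLDER-sms-console/login - 200
2006-02-07 09:15:41 203.0.113.77 GET /PLACEHOLDER-sms-console/login - 403
2006-02-07 09:16:10 198.51.100.9 GET /index.html - 200
2006-02-07 09:17:55 192.0.2.10 POST /placeholder-sms-console/auth - 200
"""

def is_admin(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source address: treat as not allow-listed
    return any(ip in net for net in ADMIN_NETS)

def audit(log_text):
    """Return (served, denied): requests to the protected prefix from
    non-admin IPs that IIS answered versus refused (401/403)."""
    fields, served, denied = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if not uri.startswith(PROTECTED_PREFIX.lower()):
            continue
        if is_admin(row.get("c-ip", "")):
            continue
        target = denied if row.get("sc-status") in ("401", "403") else served
        target.append((row.get("date"), row.get("time"), row.get("c-ip"), uri))
    return served, denied

if __name__ == "__main__":
    served, denied = audit(SAMPLE_LOG)
    for hit in served:
        print("ACL gap, request served:", *hit)
    print(len(denied), "request(s) correctly refused")
```

Any entry in the served list means a non-administrator address still reached the console, so the ACL is missing or misconfigured for that path.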

As a part of normal best practices, users should keep vendor-supplied
patches for all application software and operating systems up-to-date.
Symantec strongly recommends customers immediately apply the updates for
their products to protect against possible attacks.

Symantec is not aware of any customers impacted by this vulnerability,
or of any attempts to exploit it.

CVE
A CVE candidate number will be requested from The Common Vulnerabilities
and Exposures (CVE) initiative. This advisory will be revised as required
once the CVE candidate number has been assigned. This issue is a candidate
for inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

Credit
Symantec would like to thank Guillaume Goutaudier at Exaprobe, SAS,
France for reporting this issue, and working with us on the resolution.

Symantec takes the security and proper functionality of its products
very seriously. As founding members of the Organization for Internet
Safety (OISafety), Symantec follows the principles of responsible
disclosure. Symantec also subscribes to the vulnerability guidelines
outlined by the National Infrastructure Advisory Council (NIAC). Please
contact secure@symantec.com if you feel you have discovered a potential
or actual security issue with a Symantec product. A Symantec Product
Security team member will contact you regarding your submission.

Symantec has developed a Product Vulnerability Handling Process document
outlining the process we follow in addressing suspected vulnerabilities
in our products. We support responsible disclosure of all vulnerability
information in a timely manner to protect Symantec customers and the
security of the Internet as a result of vulnerability. This document is
available from the location provided below.

Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure@symantec.com. The Symantec Product
Security PGP key can be obtained from the location provided below.

Symantec Vulnerability Response Policy
http://securityresponse.symantec.com/security/Symantec-Product-Vulnerability-Response.pdf

Symantec Product Vulnerability Management PGP Key
http://securityresponse.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

Copyright (c) 2006 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long
as it is not edited in any way unless authorized by Symantec Security
Response. Reprinting the whole or part of this alert in any medium other
than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity
are registered trademarks of Symantec Corp. and/or affiliated companies
in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole property
of their respective companies/owners.


- - --------------------------END INCLUDED TEXT--------------------

