
SANS ISC: InfoSec Handlers Diary Blog



Symantec Scan Engine Multiple Vulnerabilities

Published: 2006-04-22
Last Updated: 2006-04-22 19:29:20 UTC
by Koon Yaw Tan (Version: 1)
Three vulnerabilities were reported in Symantec Scan Engine. They could allow a remote user to access the scan engine, download any file located under the Symantec Scan Engine installation directory, and conduct man-in-the-middle attacks. Symantec Scan Engine is used in third-party applications to interface with Symantec content scanning technologies.

The first vulnerability is in the authentication mechanism used by Symantec Scan Engine for its web-based administrative interface. The Scan Engine does not properly authenticate web-based user logins, which allows a remote user to bypass authentication and gain control of the Scan Engine server.

The second vulnerability allows an unauthenticated remote user to send a specially crafted HTTP request to access arbitrary files located under the Symantec Scan Engine installation directory.

The third vulnerability is the result of the Scan Engine using a static private DSA key for SSL communications. The key cannot be changed by end users and can be extracted from any installation of the product. As a result, this could allow a remote user to conduct man-in-the-middle attacks.

The vulnerabilities were reported by Rapid7, and a PoC has been published to demonstrate the first vulnerability.

Symantec has released fixes to the latest product.

Symantec Advisory
http://www.rapid7.com/advisories/R7-0021.html
http://www.rapid7.com/advisories/R7-0022.html
http://www.rapid7.com/advisories/R7-0023.html
http://www.frsirt.com/english/advisories/2006/1464