MVSA-09-001


CVE: CVE-2009-0064
Vendor: Symantec
Products: Brightmail Security Gateway

Vulnerabilities: Escalation of Privileges

Risk: High
Attack Vector: From Remote
Authentication: Required
References:
Symantec Security Response: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090423_01
 
Description
 
Symantec Brightmail Gateway Appliance is vulnerable to various Privilege Escalation attacks. When exploited by an authenticated user, the identified vulnerabilities allow an underprivileged user to access protected user and system information, use resources requiring administrative privileges to alter appliance settings, and gain complete administrative privileges.

By manipulating the value of the userID parameter of the edit.do resource, an attacker could enumerate all the valid accounts configured for the appliance:

         url_placeholder/administrator/edit.do?userID=x

where x is any value between 1 and the maximum number of user accounts n. This allows harvesting user information, such as user name IDs and e-mail addresses.

A vulnerability in the code used to create new user accounts could allow an authenticated underprivileged attacker (with minimum privileges) to create new valid accounts with full administrative privileges. This could be effectively used by an attacker to take control of the appliance.

An authenticated underprivileged attacker could access the resources used to initially configure the security appliances, thus compromising the appliance’s network and monitoring settings:

        url_placeholder/setup/SiteSetupAppliance$exec.flo?flowId=0
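
A log-review sketch for the two request patterns described above: one client reading many distinct userID values on edit.do, and any request to the /setup/ flow. This is an added example, not part of the original advisory or the vendor's code; the common log format, the client addresses, the threshold and the function name are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (assumed; not the appliance's own format).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Jan/2009:10:00:01 +0000] "GET /administrator/edit.do?userID=1 HTTP/1.1" 200 5120
192.0.2.10 - - [25/Jan/2009:10:00:02 +0000] "GET /administrator/edit.do?userID=2 HTTP/1.1" 200 5090
192.0.2.10 - - [25/Jan/2009:10:00:03 +0000] "GET /administrator/edit.do?userID=3 HTTP/1.1" 200 5101
192.0.2.10 - - [25/Jan/2009:10:00:04 +0000] "GET /administrator/edit.do?userID=4 HTTP/1.1" 200 5077
192.0.2.10 - - [25/Jan/2009:10:00:05 +0000] "GET /administrator/edit.do?userID=5 HTTP/1.1" 200 5133
192.0.2.20 - - [25/Jan/2009:10:05:00 +0000] "GET /administrator/edit.do?userID=2 HTTP/1.1" 200 5090
192.0.2.20 - - [25/Jan/2009:10:05:30 +0000] "POST /administrator/edit.do?userID=2 HTTP/1.1" 200 812
192.0.2.10 - - [25/Jan/2009:10:01:00 +0000] "GET /setup/SiteSetupAppliance$exec.flo?flowId=0 HTTP/1.1" 200 9001
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3} ')


def find_suspicious(log_text, max_distinct_ids=3):
    """Return (clients reading many distinct userID values, clients touching /setup/)."""
    ids_by_client = defaultdict(set)
    setup_hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not GET/POST requests in the assumed format
        client, target = m.groups()
        url = urlsplit(target)
        if url.path.endswith("/administrator/edit.do"):
            # Track which account records each client asked for.
            ids_by_client[client].update(parse_qs(url.query).get("userID", []))
        elif "/setup/" in url.path:
            # Initial-configuration flow: unexpected once the appliance is in service.
            setup_hits[client].append(url.path)
    # An administrator editing one account touches one or two IDs; a sweep touches many.
    enumerators = {c: sorted(ids) for c, ids in ids_by_client.items()
                   if len(ids) > max_distinct_ids}
    return enumerators, dict(setup_hits)


if __name__ == "__main__":
    sweeps, setup = find_suspicious(SAMPLE_LOG)
    for client, ids in sweeps.items():
        print(f"{client}: requested {len(ids)} distinct userID values: {ids}")
    for client, paths in setup.items():
        print(f"{client}: accessed setup resource(s): {paths}")
```

Where the logs record the authenticated user or session, keying on that instead of the client address gives a more reliable grouping.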


Affected Versions

Symantec Brightmail Gateway Appliance 8300 - All versions prior to 8.0.1

Symantec Mail Security Appliance 8200/8300 - All versions  


Mitigation

 

Vendor recommends upgrading to Symantec Brightmail Gateway version 8.0.1 or later.
Alternatively, please contact Symantec for technical support. 

Disclosure Timeline

25 January 2009: Vulnerabilities discovered and documented
28 January 2009: Vendor notified
02 February 2009: Vendor confirmed receiving the original reports
08 February 2009: Vendor confirmed the identified vulnerabilities
23 April 2009: Vendor released patches for reported vulnerabilities
23 February 2010: Current advisory published


 
MVSA-09-001
Dr. Marian Ventuneac
