SecurityTracker.com

SecurityTracker
Archives


 


Category:   Device (Embedded Server/Appliance)  >   Symantec Messaging Gateway
Vendors:   Symantec
Symantec Messaging Gateway Multiple Flaws Let Remote Users Bypass Security Restrictions and Execute Arbitrary Code
SecurityTracker Alert ID:  1038785
SecurityTracker URL:  http://securitytracker.com/id/1038785
CVE Reference:   CVE-2017-6324, CVE-2017-6325, CVE-2017-6326
Date:  Jun 23 2017
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 10.6.3-266
Description:   Several vulnerabilities were reported in Symantec Messaging Gateway. A remote user can include and execute arbitrary code on the target system. A remote user can bypass security controls on the target system. A remote authenticated user can execute arbitrary code on the target system.

A remote authenticated user can send specially crafted data to execute arbitrary code on the target system [CVE-2017-6326].

A remote user can create a specially crafted Word file email attachment that will bypass the 'disarm' settings on the target system [CVE-2017-6324].

The software does not properly validate user-supplied input. A remote user can supply a specially crafted URL to cause the target system to include and execute code located on the target system [CVE-2017-6325]. The code will run with the privileges of the target web service.

Adam Witt reported one vulnerability. Mehmet Dursun Ince reported two vulnerabilities.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

A remote authenticated user can execute arbitrary code on the target system.

A remote user can bypass security controls on the target system.

Solution:   The vendor has issued a fix (10.6.3-266).

The vendor advisory is available at:

https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170621_00

Vendor URL:  www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170621_00
Cause:   Access control error, Input validation error, State error

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]



Copyright 2019, SecurityGlobal.net LLC