Check Point Advisories

Update Protection against Symantec Sygate Management Server SQL Injection Vulnerability

Check Point Reference: CPAI-2006-075
Date Published: 5 Jul 2006
Severity: Medium
Last Updated: Tuesday 15 May, 2007
Source: Symantec: SYM06-002
Industry Reference: CVE-2006-0522
Protection Provided by:
Who is Vulnerable? Symantec's Sygate Management Server (SMS) version 4.1, build 1417 and earlier
Vulnerability Description: A vulnerability was identified in Symantec's Sygate Management Server (SMS). A remote attacker could supply code in a URL, which would allow the attacker to overwrite the password for any SMS account. Successful exploitation would allow the attacker to access any SMS console with the account's administrator privileges.
Update/Patch Available: The vendor has issued a fix.
Vulnerability Details: The application does not properly validate user-supplied input. An attacker could inject a specially crafted parameter value to execute SQL commands on the underlying database. This can be exploited to overwrite the password for any SMS account with administrative rights, potentially allowing an attacker to disable all agents or propagate malware to all managed agents.

Protection Overview
