Check Point Advisories

Symantec Scan Engine Authentication Bypass (CVE-2006-0230)

Check Point Reference: CPAI-2006-187
Date Published: 23 Mar 2010
Severity: High
Last Updated: Tuesday 23 March, 2010
Source:
Industry Reference: CVE-2006-0230
Protection Provided by:

Security Gateway
R81, R80, R77, R75

Who is Vulnerable?
Vulnerability Description

Symantec Scan Engine provides virus protection services targeted at network traffic as well as data storage devices. It also provides an API in order to enable it to be integrated with third-party software and hardware devices. This product is configurable through a web interface exposed on port TCP/8004 by default which is accessible through a web browser. Sensitive operations are performed over HTTPS on a separate port TCP/8005.

There exists an authentication bypass vulnerability in the Symantec Scan Engine product. The vulnerability is due to a design flaw that lets a remote client alter the administrative password without supplying proper credentials. An unauthenticated remote attacker may leverage this vulnerability to gain administrative access to the vulnerable product, effectively bypassing the authentication mechanism.

Leveraging this vulnerability allows an unauthenticated attacker to send operation commands to the Scan Engine server to be executed with the privileges of the server administrator. The behavior of the server depends on the intention of the attacker and the commands that are sent. An example of the most likely operation being performed is the change of password command which results in the administrative password being changed to a value specified by the attacker. This allows further compromise of the server through using a normal client browser. Additionally, such an attack would prevent legitimate logon attempts, as the administrative password would have changed.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

  1. In the IPS tab, click Protections and find the Symantec Scan Engine Authentication Bypass protection using the Search tool and Edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  Security Products Enforcement Violation.
Attack Information:  Symantec Scan Engine authentication bypass
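
One way to triage this protection's log entries after export, shown as an added example that is not Check Point's code: it matches the Attack Name and Attack Information values listed above, groups events by source and destination, and flags pairs with events the gateway did not block. The semicolon-separated export layout, the time/src/dst/service/action field names, the Prevent/Detect action values and all sample records are constructed assumptions.

```python
from collections import defaultdict

# Field values the advisory says this protection writes to its log.
ATTACK_NAME = "Security Products Enforcement Violation"
ATTACK_INFO = "Symantec Scan Engine authentication bypass"

# Constructed sample export: one record per line, "key: value" pairs joined by
# ";". The layout and the time/src/dst/service/action keys are assumptions.
SAMPLE_LOG = """\
time: 2010-03-24T09:12:01Z; src: 198.51.100.7; dst: 10.0.5.20; service: 8004; action: Prevent; Attack Name: Security Products Enforcement Violation.; Attack Information: Symantec Scan Engine authentication bypass
time: 2010-03-24T09:12:04Z; src: 198.51.100.7; dst: 10.0.5.20; service: 8004; action: Prevent; Attack Name: Security Products Enforcement Violation.; Attack Information: Symantec Scan Engine authentication bypass
time: 2010-03-24T09:30:44Z; src: 203.0.113.9; dst: 10.0.5.21; service: 8004; action: Detect; Attack Name: Security Products Enforcement Violation.; Attack Information: Symantec Scan Engine authentication bypass
time: 2010-03-24T09:31:10Z; src: 10.0.9.3; dst: 10.0.5.20; service: 443; action: Prevent; Attack Name: Security Products Enforcement Violation.; Attack Information: Some other protection
malformed line without any fields
"""

def parse_record(line):
    """Split one exported line into a dict; return None if it has no fields."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields or None

def triage(log_text):
    """Group matching events by (src, dst) and count those not blocked."""
    hits = defaultdict(lambda: {"count": 0, "unblocked": 0, "ports": set()})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        # The advisory shows a trailing period on Attack Name; accept either form.
        if (rec.get("attack name", "").rstrip(".") != ATTACK_NAME
                or rec.get("attack information") != ATTACK_INFO):
            continue
        entry = hits[(rec.get("src", "?"), rec.get("dst", "?"))]
        entry["count"] += 1
        if rec.get("service", "").isdigit():
            entry["ports"].add(int(rec["service"]))
        # Any action other than Prevent means the gateway did not block it.
        if rec.get("action", "").lower() != "prevent":
            entry["unblocked"] += 1
    return dict(hits)

if __name__ == "__main__":
    for (src, dst), e in sorted(triage(SAMPLE_LOG).items()):
        status = "CHECK HOST" if e["unblocked"] else "blocked"
        print(f"{src} -> {dst} ports={sorted(e['ports'])} events={e['count']} {status}")
```

For a pair reported as CHECK HOST, verify the administrative password on that Scan Engine, since the advisory notes that a successful attack changes it and prevents legitimate logons.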
