Initial Publication Date: 23 Jan 2018
Advisory Status: Closed
Advisory Severity: High
CVSS Base Score: CVSS v2: 8.3
Legacy ID: SA158
Symantec Reporter does not restrict excessive authentication attempts for management interface users. A remote attacker can use brute force search to guess a user password and gain access to Reporter.
10.2 and later
Not vulnerable, fixed in 10.2.1.1
Upgrade to 10.1.5.5.
Upgrade to 220.127.116.11.
Additional Product Information
Symantec Reporter provides reporting capabilities for the Symantec ProxySG appliance, Secure Web Gateway (SWG) solution, and the Web Security Services (WSS). Reporter provides authentication and role-based access control for:
administrator users: can manage Reporter's configuration and access all reporting information stored on it.
standard users: can access only the reporting information determined by their user roles and the reporting fields that those roles are authorized to access.
This vulnerability can be exploited only through the Reporter management interface. Symantec recommends that customers deploy Reporter in a secure network and restrict access to the management interface. Not deploying the appliance in a secure network, or not restricting management interface access, increases the risk that the vulnerability is exploited.
Reporter does not restrict excessive authentication attempts for administrator and standard users, making it susceptible to a brute force password guessing attack. A remote attacker, with access to the management interface, can use brute force search to guess a user password and gain access to Reporter and the reporting information that the user is authorized to access. Reporter logs all successful and unsuccessful authentication attempts in the system event log.
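Because Reporter records every successful and failed authentication attempt in its system event log, a defender can detect a password-guessing run from that log even on an unpatched build, and the same counter is what a server-side lockout would key on. The following is an added example, not Symantec's code and not taken from the advisory: it parses constructed authentication event lines (the `auth result=... user=... src=...` format is an assumption made for illustration, since the advisory does not document Reporter's log format) and raises an alert when one user/source pair accumulates a threshold of failures inside a sliding window, escalating the alert if a success follows the burst.

```python
"""Brute-force detection over authentication event lines.

Added example (not Symantec Reporter code). The log line format below is
constructed for illustration; the advisory does not document the real
format, so the regex is an assumption to adapt to the actual event log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample event-log lines (not real Reporter output).
SAMPLE_LOG = """\
2018-01-23T10:00:01Z auth result=failure user=admin src=203.0.113.7
2018-01-23T10:00:02Z auth result=failure user=admin src=203.0.113.7
2018-01-23T10:00:03Z auth result=failure user=admin src=203.0.113.7
2018-01-23T10:00:04Z auth result=failure user=admin src=203.0.113.7
2018-01-23T10:00:05Z auth result=failure user=admin src=203.0.113.7
2018-01-23T10:00:06Z auth result=success user=admin src=203.0.113.7
2018-01-23T10:05:00Z auth result=failure user=analyst src=198.51.100.22
2018-01-23T10:30:00Z auth result=success user=analyst src=198.51.100.22
"""

# Assumed line layout: <ISO-8601 UTC timestamp> auth result=<success|failure> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one event line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per (user, src) pair that reaches `threshold` failures
    within `window`. An alert's `success_after` flag is set when a successful
    login follows the burst, which is the case a responder should treat as a
    probable account compromise rather than just noise."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of failures still inside the window
    alerts = {}                   # (user, src) -> alert dict, so a success can update it

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        q = recent[key]

        # Slide the window: forget failures older than `window` relative to this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()

        if ev["result"] == "failure":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {
                    "user": ev["user"],
                    "src": ev["src"],
                    "failures": len(q),
                    "first_failure": q[0],
                    "success_after": False,
                }
        else:
            # A success after a flagged burst is the highest-priority signal.
            if key in alerts:
                alerts[key]["success_after"] = True
            q.clear()   # a legitimate login resets the failure counter for that pair

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The analyst account in the sample produces no alert because a single failure followed half an hour later by a success is ordinary user behaviour; only the admin burst trips the threshold, and the success at 10:00:06 marks it as a likely compromise. Tune `threshold` and `window` to the observed baseline of the deployment, and remember that a guessing run spread across many source addresses needs the key to be the user alone.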
Symantec recommends that customers deploy Reporter in a secure network and restrict access to the management interface.
Symantec would like to thank Dhiraj Mishra (@mishradhiraj_) for reporting this vulnerability.
2018-04-12 A fix for Reporter 10.1 is available in 10.1.5.5.
2018-01-23 initial public release