Initial Publication Date: 2 Mar 2004
Advisory Status: Closed
Advisory Severity: Medium
CVSS Base Score: 7.5
Legacy ID: SYM04-004
Summary
Symantec is aware of a potential administrator password leakage vulnerability reported on securityfocus.com. It affects the web interface configuration password of Symantec Firewall/VPN Appliance deployments and could reveal that password to unauthorized users if the administrator changes it from an insecure system (for example, a public system or a shared laptop/PC).
Details
A copy of the Administration Authentication Password screen may be saved to the browser cache (depending on browser settings), for example in the Temporary Internet Files folder of a Windows PC when Internet Explorer is used; other operating systems and browsers keep their cache in other locations. The password configured by the administrator, although masked on the screen, appears in clear text in the cached HTML source.
Note: This vulnerability DOES NOT affect users entering the Administrator Authentication Password to log in to the web interface. It applies only to administrators changing the Authentication Password from an insecure system (for example, a public system, or a laptop/PC shared by different users).
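As an added illustration (not Symantec's firmware, HTML or tooling), the following Python compares a hypothetical password-change form that echoes the saved password back into the page with one that omits it, as the corrected firmware does, and then scans a cache directory for cached pages that still contain a pre-filled password field. The form markup, field name, file names and sample password are constructed assumptions; the no-store response headers are an additional hardening beyond what the advisory describes.

```python
"""Cached-HTML password leak (the CAN-2004-0190 pattern): vulnerable versus
corrected rendering, plus a scanner for a browser cache directory.

Constructed illustration; not the appliance's firmware, markup or tooling."""
from __future__ import annotations

import html
import re
import tempfile
from pathlib import Path

# Hypothetical form markup; the appliance's real page layout is not in the advisory.
FORM_HEAD = '<html><body><form method="post" action="/cgi-bin/admin">\n'
FORM_TAIL = '<input type="submit" value="Save">\n</form></body></html>\n'


def render_vulnerable(current_password: str) -> str:
    """Flawed rendering: the saved password is echoed into the form field.

    The field is masked on screen, but the value attribute is plain text in
    the HTML, so any cached copy of this page contains the password."""
    return (
        FORM_HEAD
        + '<input type="password" name="adminpw" value="'
        + html.escape(current_password, quote=True)
        + '">\n'
        + FORM_TAIL
    )


def render_fixed(current_password: str) -> str:
    """Corrected rendering: the secret is never written into the HTML.

    Mirrors the advisory's fix (password data stripped from the HTML string);
    the parameter is kept only so both renderers share a signature."""
    del current_password  # deliberately never emitted
    return FORM_HEAD + '<input type="password" name="adminpw" value="">\n' + FORM_TAIL


def no_store_headers() -> dict[str, str]:
    """Extra hardening (assumption, not from the advisory): tell browsers and
    proxies not to cache the admin page at all."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }


PASSWORD_INPUT = re.compile(r"<input\b[^>]*\btype\s*=\s*[\"']?password[\"']?[^>]*>", re.I)
VALUE_ATTR = re.compile(r"\bvalue\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.I)


def leaked_passwords(page: str) -> list[str]:
    """Return every non-empty value pre-filled into a type=password input."""
    leaks: list[str] = []
    for tag in PASSWORD_INPUT.finditer(page):
        m = VALUE_ATTR.search(tag.group(0))
        if not m:
            continue
        value = html.unescape(m.group(1) or m.group(2) or m.group(3) or "")
        if value:
            leaks.append(value)
    return leaks


def scan_cache(cache_dir: str | Path) -> dict[str, list[str]]:
    """Walk a cache directory; map each file holding a pre-filled password
    field to the values recoverable from it."""
    hits: dict[str, list[str]] = {}
    for path in Path(cache_dir).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_bytes().decode("utf-8", errors="replace")
        except OSError:
            continue
        found = leaked_passwords(text)
        if found:
            hits[path.name] = found
    return hits


def demo() -> dict[str, list[str]]:
    """Build a throwaway 'cache' with one vulnerable and one fixed page and scan it.
    File names imitate Internet Explorer's Temporary Internet Files naming (assumption)."""
    secret = 's3cret&Pa"ss'  # constructed sample; escaping round-trips through the HTML
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "admin_old[1].htm").write_text(render_vulnerable(secret), encoding="utf-8")
        Path(tmp, "admin_new[1].htm").write_text(render_fixed(secret), encoding="utf-8")
        return scan_cache(tmp)


if __name__ == "__main__":
    for name, values in demo().items():
        print(f"{name}: password(s) recoverable from cached HTML: {values}")
```

Pointing scan_cache at a real browser cache directory (on a shared PC, after an administrator has used the web interface) shows whether the flaw is present: the vulnerable page yields the configured password, the corrected page yields nothing.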
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2004-0190 to this issue.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Symantec recommends downloading the appropriate corrected firmware file below and installing it on all Symantec Firewall/VPN appliances. The corrected firmware ensures that the password data is stripped from the HTML string.
The new firmware release is available on the support site as the following download files:
For the Symantec Firewall/VPN 100:
vpn100_161_all.zip
vpn100_161_app.zip
For the Symantec Firewall/VPN 200:
vpn200_161_all.zip
vpn200_161_app.zip
For the Symantec Firewall/VPN 200R:
vpn200r_161_all.zip
vpn200r_161_app.zip
Symantec strongly recommends applying the above corrective action as soon as possible. Until the new firmware release can be downloaded and installed, customers should use the following work-around.
When changing (or first setting) the Web Interface Configuration Password for the Symantec Firewall/VPN Appliances, administrators should:
Manage the unit from a trusted host OR
If managing from an untrusted host, clear the web browser cache AFTER changing the Administration Password (after pressing the Save button) OR
If clearing the browser cache is not possible on an untrusted host, Symantec strongly recommends NOT using the system to change the Administration Authentication Password.
Acknowledgements
Symantec takes the security and proper functionality of its products very seriously. As founding members in the Organization for Internet Safety, Symantec follows the process of responsible disclosure. Please contact symsecurity@symantec.com if you feel you have discovered a potential or actual security issue with a Symantec product.