Symantec Firewall/VPN Appliance Cached Password Vulnerability

Symantec is aware of a potential administrator password leakage vulnerability reported on securityfocus.com. This vulnerability could affect the security of the web interface configuration password for Symantec Firewall/VPN Appliance deployments and could potentially reveal the password to unauthorized users if the administrator changes the password from an insecure system (i.e., public system, or shared laptop/PC).

Symantec Firewall/VPN 100 (all firmware versions)
Symantec Firewall/VPN 200 (all firmware versions)
Symantec Firewall/VPN 200R (all firmware versions)

Details
A copy of the Administration Authentication Password screen may be saved to the browser cache (depending upon browser settings), for example, in the Temporary Internet Files of a Windows PC when using Internet Explorer. The browser cache may be held in other folders depending upon OS and Web Browser used. The password configured by the administrator, although hidden on the interface screen, will show up in clear text within the cached HTML code.

Note: This vulnerability DOES NOT apply to users entering the Administrator Authentication Password to access the web interface. It only applies to administrators changing the Authentication Password from an insecure system (for example a public system, or a laptop/PC that is shared by different users).

The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2004-0190 to this issue.

This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Symantec Response
Symantec has created a fix that is available from the Symantec Enterprise Support Site.

Symantec recommends that one of the following files containing corrected firmware be downloaded and installed in all Symantec Firewall/VPN appliances. These firmware files contain a correction, which ensures that the password data is stripped from the HTML string.

The new firmware release is available on the support site as the following download files:

• For the Symantec Firewall/VPN 100:
  vpn100_161_all.zip
  vpn100_161_app.zip
   
• For the Symantec Firewall/VPN 200:
  vpn200_161_all.zip
  vpn200_161_app.zip
   
• For the Symantec Firewall/VPN 200R:
  vpn200r_161_all.zip
  vpn200r_161_app.zip

Symantec strongly recommends that the above corrective action be taken as soon as possible. However, customers should use the following recommended work-around for the vulnerability until they are able to download and install the new firmware release.

When changing (or first setting) the Web Interface Configuration Password for the Symantec Firewall/VPN Appliances, administrators should:

• Manage the unit from a trusted host OR
   
• If managing from an untrusted host, clear the web browser cache AFTER changing the Administration Password (after pressing the Save button) OR
   
• If clearing the browser cache is not possible on an untrusted host, Symantec strongly recommends NOT using the system to change the Administration Authentication Password.

Symantec takes the security and proper functionality of its products very seriously. As founding members in the Organization for Internet Safety, Symantec follows the process of responsible disclosure. Please contact symsecurity@symantec.com if you feel you have discovered a potential or actual security issue with a Symantec product.

Terms of use for this information are found in Legal Notices.