SecurityTracker.com
Category:   Device (Firewall)  >   Symantec Firewall/VPN Appliance
Vendors:   Symantec
(Vendor Issues Fix) Symantec Firewall/VPN Appliance Displays Password When Edited
SecurityTracker Alert ID:  1009289
SecurityTracker URL:  http://securitytracker.com/id/1009289
CVE Reference:   CAN-2004-0190
Updated:  Mar 4 2004
Original Entry Date:  Mar 2 2004
Impact:   Disclosure of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 100, 200, 200R
Description:   A vulnerability was reported in the Symantec Firewall/VPN Appliance. A user may be able to obtain the administrator's password.

Davide Del Vecchio reported that when an administrator edits the password via the password administration page, the password is displayed in clear text. Because of this, the password will reportedly be cached by the administrator's web browser.

A local user on the administrator's computer may be able to access the password. A physically local user may be able to view the password when edited by an authenticated administrator. In addition, the report indicates that a remote user may be able to send malicious HTML to the target administrator to invoke the cached password.

[Editor's note: The remote administration is via non-secure HTTP, as indicated in the report, which creates a separate vulnerability. However, we have not issued an Alert regarding the use of non-secure HTTP, as an HTTP administration feature would create no expectations of secure password transmission.]

Impact:   A local user on the administrator's computer may be able to access the password.

A physically local user may be able to view the password when edited by an authenticated administrator.

Solution:   The vendor has issued a fix, available on the Symantec Enterprise Support Site at:

http://www.symantec.com/techsupp

The new firmware release is available as the following download files:

For the Symantec Firewall/VPN 100:
vpn100_161_all.zip
vpn100_161_app.zip

For the Symantec Firewall/VPN 200:
vpn200_161_all.zip
vpn200_161_app.zip

For the Symantec Firewall/VPN 200R:
vpn200r_161_all.zip
vpn200r_161_app.zip

Vendor URL:  enterprisesecurity.symantec.com/products/products.cfm?ProductID=63&EID=0
Cause:   Access control error
Underlying OS:  

Message History:   This archive entry is a follow-up to the message listed below.
Feb 16 2004 Symantec Firewall/VPN Appliance Displays Password When Edited



 Source Message Contents

Date:  Tue, 02 Mar 2004 11:08:39 -0500
Subject:  Symantec Firewall/VPN Appliance Cached Password Vulnerability


Symantec Firewall/VPN Appliance
Cached Password Vulnerability

Date Discovered
Feb. 16, 2004

Risk
Medium (depends upon deployment)

Affected Versions:
Symantec Firewall/VPN 100 (all firmware versions)
Symantec Firewall/VPN 200 (all firmware versions)
Symantec Firewall/VPN 200R (all firmware versions)


Overview
Symantec is aware of a potential administrator password leakage vulnerability reported in 
<http://securitytracker.com/alerts/2004/Feb/1009069.html>. This vulnerability could affect 
the security of the web interface configuration password for Symantec Firewall/VPN 
Appliance deployments and can potentially reveal the password to unauthorized users, if 
the administrator changes the password from an insecure system (i.e., kiosk, or shared 
laptop).  Symantec has created a fix which is available on the Symantec Enterprise Support 
Site: <http://www.symantec.com/techsupp>.

Recommendation
Symantec recommends that one of the following files containing corrected firmware be 
downloaded and installed in all Symantec Firewall/VPN appliances. These firmware files 
contain a correction which ensures that the password data has been removed from the HTML 
string and replaced with x’s.

The new firmware release is available on the support site as the following download files:

·	For the Symantec Firewall/VPN 100:
vpn100_161_all.zip
vpn100_161_app.zip

·	For the Symantec Firewall/VPN 200:
vpn200_161_all.zip
vpn200_161_app.zip

·	For the Symantec Firewall/VPN 200R:
vpn200r_161_all.zip
vpn200r_161_app.zip

Symantec strongly recommends that the above corrective action be taken as soon as 
possible. However, the following recommended work-around for the vulnerability should be 
used by customers until they are able to download and install the new firmware release.

When changing (or first setting) the Web Interface Configuration Password for the Symantec 
Firewall/VPN Appliances, administrators should be:
·	Managing the unit from a trusted host OR
·	If managing from an untrusted host, should clear the web browser cache AFTER changing 
the Administration Password (after pressing the Save button) OR
·	If clearing the browser cache is not possible on an untrusted host, it is recommended 
not to change the Administration Authentication Password.

Technical Description
A copy of the Administration Authentication Password screen may be saved to the browser 
cache (depending upon browser settings).  The page is called password.html and may appear, 
for example, in the Temporary Internet Files of a Windows PC when using Internet Explorer.
The browser cache may be held in other folders depending upon OS and Web Browser used.
The password that was configured by the administrator, although hidden on the interface 
screen itself with asterisks, will show up in clear text within the cached HTML code. 
This cached HTML code can be viewed by a text viewer to reveal the changed password. 
Example truncated section of the HTML code in a cached page revealing the changed 
configuration password (in bold):

…width=132 align=right bgcolor=ffffee>Password</td><td><input type=password NAME=0 
maxlength=10 VALUE="mypass"> &nbsp;&nbsp;Verify <input type=password NAME=1 maxlength=10 
VALUE="mypass"></td></tr></table>…

Note that this vulnerability DOES NOT apply to users entering the Administrator 
Authentication Password to access the web interface.  It only applies to administrators 
changing the Authentication Password from an insecure desktop (for example a kiosk, or a 
laptop that is shared by different users).


Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this Alert electronically is granted as long as it is not 
edited in any way unless authorized by Symantec Security Response. Reprinting the whole or 
part of this Alert in medium other than electronically requires permission from 
symsecurity@symantec.com.

Disclaimer:
The information in the advisory is believed to be accurate at the time of printing based 
on currently available information. Use of the information constitutes acceptance for use 
in an AS IS condition. There are no warranties with regard to this information. Neither 
the author nor the publisher accepts any liability for any direct, indirect or 
consequential loss or damage arising from use of, or reliance on this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity are Registered 
Trademarks of Symantec Corp. and/or affiliated companies in the United States and other 
countries. All other registered and unregistered trademarks represented in this document 
are the sole property of their respective companies/owners.
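
An added example, not part of the Symantec advisory or the SecurityTracker alert: a Python check that scans saved HTML (for instance a browser-cache copy of password.html) for password inputs whose VALUE attribute carries a pre-filled secret. The first sample is the fragment quoted in the advisory; the second, with x's, is constructed to mirror the described fix; the class, function and field names are this example's own.

```python
from html.parser import HTMLParser

# Fragment quoted in the advisory above (leading truncated markup omitted).
CACHED_PAGE = ('<td><input type=password NAME=0 maxlength=10 VALUE="mypass"> '
               '&nbsp;&nbsp;Verify <input type=password NAME=1 maxlength=10 '
               'VALUE="mypass"></td></tr></table>')
# Constructed sample: same markup with the value replaced by x's, as the fix is described.
FIXED_PAGE = CACHED_PAGE.replace('"mypass"', '"xxxxxxxxxx"')


class PasswordFieldAuditor(HTMLParser):
    """Records every <input type=password> and whether its VALUE is pre-filled."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; valueless attrs give None.
        a = {k: (v or "") for k, v in attrs}
        if tag != "input" or a.get("type", "").lower() != "password":
            return
        value = a.get("value", "")
        if not value:
            status = "empty"
        elif set(value.lower()) == {"x"}:
            status = "masked"    # filler only; a real password made solely of x's would also land here
        else:
            status = "exposed"   # secret is readable in the page source / cache file
        # Report the length, never the value, so the audit output is not a second leak.
        self.findings.append({"name": a.get("name", ""), "status": status,
                              "length": len(value), "line": self.getpos()[0]})


def audit_html(text):
    parser = PasswordFieldAuditor()
    parser.feed(text)
    parser.close()
    return parser.findings


def exposed_fields(text):
    return [f for f in audit_html(text) if f["status"] == "exposed"]


if __name__ == "__main__":
    for label, page in (("cached page", CACHED_PAGE), ("fixed page", FIXED_PAGE)):
        for f in audit_html(page):
            print(f"{label}: field NAME={f['name']} {f['status']} (length {f['length']})")
```

The same check can be run over pages served by any administration interface during review: a password field should come back "empty" or "masked", never "exposed".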


 
 



Copyright 2012, SecurityGlobal.net LLC