Symantec Security Response SMNTC-1314
Jan 29, 2015 - 8:00 a.m.

Symantec Encryption Management Server Database Backup Command Line Injection and Email Header Injection

EPSS: 0.111 (Low), percentile 95.2%

SUMMARY

Symantec Encryption Management Server is susceptible to a shell command line injection when an authorized but less privileged administrator submits a request for a database backup. This could potentially result in the malicious administrator gaining privileged access on the server.

Symantec Encryption Management Server is susceptible to an email header injection via a specifically formatted PGP key submitted to the integrated key management server. The injection could potentially allow a malicious individual to manipulate specific areas of the confirmation email, for example modifying the contents of some of the email fields such as the subject field.

AFFECTED PRODUCTS

| Product | Version | Build | Solution(s) |
|---|---|---|---|
| Symantec Encryption Management Server / Symantec PGP Universal Server | 3.3.2 MP6 and prior | All | Upgrade to Symantec Encryption Management Server 3.3.2 MP7 |

ISSUES

| Issue | CVSS2 Base Score | Impact | Exploitability | CVSS2 Vector |
|---|---|---|---|---|
| Symantec Encryption Management Server Database Backup Command Line Injection - Medium | 6.8 | 10 | 3.1 | AV:L/AC:L/Au:S/C:C/I:C/A:C |
| Symantec Encryption Management Server Email Header Injection - Medium | 5.8 | 4.9 | 8.6 | AV:N/AC:M/AU:N/C:N/I:P/A:P |

| CVE | BID | Description |
|---|---|---|
| CVE-2014-7287 | BID 72307 | Symantec Encryption Management Server Email Header Injection |
| CVE-2014-7288 | BID 72308 | Symantec Encryption Management Server Database Backup Command Line Injection |

MITIGATION

Details

Symantec was notified of a command line injection issue which can be exploited when an authorized but less privileged administrator requests a restore of a database backup. The server fails to properly filter user-supplied command line input, which could potentially allow a malicious, less-privileged administrator to gain elevated access to the server.
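The root cause described above is user-controlled text reaching a shell command line unfiltered. The following added example (not Symantec's code; the backup tool, directory and label format are assumptions, since the advisory does not describe the real backup command) shows the two controls that close this class of bug: an allow-list on the administrator-supplied value, and building the command as an argv list so no shell ever parses it.

```python
import re
import subprocess
from pathlib import Path
from typing import List

# Hypothetical backup location; not taken from the advisory.
BACKUP_DIR = Path("/var/backups/db")

# Allow-list for the administrator-supplied backup label: must start with an
# alphanumeric (so it can never be read as an option or a hidden file) and may
# then contain only alphanumerics, underscore, dot or dash, 64 chars at most.
# Rejecting rather than escaping means shell metacharacters, whitespace,
# path separators and control characters never reach the command at all.
_LABEL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def validate_backup_label(label: str) -> str:
    """Return the label unchanged if acceptable, otherwise raise ValueError."""
    if not isinstance(label, str) or not _LABEL_RE.fullmatch(label):
        raise ValueError(f"invalid backup label: {label!r}")
    if ".." in label:
        # Dots are allowed individually (e.g. "nightly.1"), but never as a
        # traversal sequence that could escape BACKUP_DIR.
        raise ValueError("path traversal sequence in backup label")
    return label


def build_backup_argv(label: str, source_dir: str = "/var/lib/db") -> List[str]:
    """Build the backup command as an argv list, never as a shell string.

    The program name and flags are fixed by the code; the only user influence
    is the validated label, and it lands inside a single argv element.
    'tar' is a stand-in for whatever the real backup tool is (assumption).
    """
    label = validate_backup_label(label)
    archive = BACKUP_DIR / f"{label}.tgz"
    # "--" terminates option parsing, so the remaining operands are never
    # interpreted as flags even if the allow-list were later loosened.
    return ["tar", "czf", str(archive), "--", source_dir]


def run_backup(label: str) -> subprocess.CompletedProcess:
    """Execute the backup with shell=False: no shell, so no shell injection."""
    return subprocess.run(build_backup_argv(label), shell=False, check=True)


if __name__ == "__main__":
    # Constructed sample labels; the first is accepted, the others rejected.
    for candidate in ["nightly-2015-01-29", "-rf", "../etc", "nightly; whoami"]:
        try:
            print(build_backup_argv(candidate))
        except ValueError as exc:
            print("rejected:", exc)
```

The validation happens once, at the trust boundary, and the command is assembled from fixed tokens plus the validated value; escaping is deliberately not used, because an allow-list is easier to audit than a blacklist of shell characters and does not depend on which shell the server happens to run.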

Symantec is also aware of an issue with the Symantec Encryption Management Server key management component. Symantec Encryption Management Server is susceptible to an email header injection arising when a specifically formatted PGP key is submitted to the integrated key management server. In accordance with RFC 4880, section 5.11, the UID value of a PGP key can contain arbitrary UTF-8 data. This allows an authorized or invited external user to submit a PGP public key to the key server which has been specifically created to include arbitrary data in the name field of the key. Symantec Encryption Management Server does not properly filter imported keys for unacceptable content as they are uploaded to the key server. The receipt email generated during the import process can therefore be manipulated through email header injection using the modified content included in the submitted key. While the likely result of such an upload would be a segmentation fault violation, successful exploitation could potentially allow a malicious individual to manipulate specific areas of the receipt email, for example modifying the content of some of the email fields such as the subject. The Symantec Encryption Management Server should restrict any unauthorized content other than what is specifically required.

Symantec Response
Symantec engineers have verified these issues and have resolved them in Symantec Encryption Management Server 3.3.2 MP7. Customers should upgrade to this release to avoid potential incidents of this nature.

Symantec is not aware of exploitation of or adverse customer impact from these issues.

Update Information

Symantec Encryption Management Server 3.3.2 MP7 is available from Symantec File Connect.

Best Practices
As part of normal best practices, Symantec strongly recommends that customers:

  • Restrict access of administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Run under the principle of least privilege where possible to limit the impact of exploitation by threats.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

ACKNOWLEDGEMENTS

Symantec would like to thank Klaus Eisentraut, working through SySS GmbH, for reporting CVE-2014-7287 and working with us as we addressed the issue.

Symantec would like to thank Paul Craig, with VantagePoint, for reporting CVE-2014-7288 and working with us as we addressed the issue.

REFERENCES

BID: Security Focus, http://www.securityfocus.com, has assigned a Bugtraq ID (BID) to this issue for inclusion in the Security Focus vulnerability database.

CVE: The issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
