Symantec Security Response, SMNTC-1442
May 17, 2018 - 8:00 a.m.

SA149: CSRF Vulnerability in CA and MTD


EPSS: 0.001 (Low), percentile 49.1%

SUMMARY

The Symantec Content Analysis (CA) and Mail Threat Defense (MTD) management consoles are susceptible to a cross-site request forgery (CSRF) vulnerability. A remote attacker can use phishing or other social engineering techniques to access the management console with the privileges of an authenticated administrator user.

AFFECTED PRODUCTS

Content Analysis (CA)

CVE | Affected Version(s) | Remediation
All CVEs | 2.2 and later | Not vulnerable, full fix available in 2.2.1.1.
All CVEs | 2.1 | Partial fix available in 2.1.1.1.
All CVEs | 1.3 | Partial fix available in 1.3.7.3.

Mail Threat Defense (MTD)

CVE | Affected Version(s) | Remediation
All CVEs | 1.1 | Upgrade to CA 2.2 (or later) and SMG 10.6.3 (or later)

ADDITIONAL PRODUCT INFORMATION

Only the CA management console is affected. The CA management console web browser client application in CA 1.3.7.3 and 2.1.1.1 opts in to CSRF protection. The full fix in CA 2.2 requires CSRF protection for all CA management console clients.
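
The difference between the partial fix (client-side opt-in) and the full fix (server-side enforcement for every client) can be seen in a small model of anti-CSRF token validation. This is an added example, not Symantec's code; the CsrfGuard class, its session and token bookkeeping, and the "admin-session" identifier are assumptions chosen for illustration.

```python
import hmac
import secrets

# Added example, not Symantec's code: a minimal model of server-side CSRF
# enforcement for a management console. CsrfGuard and its bookkeeping are
# assumptions chosen for illustration.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class CsrfGuard:
    # require_for_all_clients=False models the partial fix (CA 1.3.7.3 and
    # 2.1.1.1): only sessions whose client opted in are checked.
    # require_for_all_clients=True models the full fix (CA 2.2): every
    # state-changing request must carry a valid token.
    def __init__(self, require_for_all_clients):
        self.require_for_all_clients = require_for_all_clients
        self._tokens = {}       # session_id -> issued token
        self._opted_in = set()  # sessions whose client asked for protection

    def issue_token(self, session_id, opt_in):
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        if opt_in:
            self._opted_in.add(session_id)
        return token

    def allow(self, method, session_id, csrf_token=None):
        if method in SAFE_METHODS:
            return True
        if not self.require_for_all_clients and session_id not in self._opted_in:
            # Opt-in mode: a session whose client never opted in is accepted on
            # the session cookie alone, which is exactly what a forged
            # cross-site request from the victim's browser looks like.
            return True
        expected = self._tokens.get(session_id)
        if expected is None or csrf_token is None:
            return False
        return hmac.compare_digest(expected, csrf_token)


def forged_post_allowed(require_for_all_clients, client_opted_in):
    # A cross-site POST rides on the admin's cookie but cannot supply the token.
    guard = CsrfGuard(require_for_all_clients)
    guard.issue_token("admin-session", opt_in=client_opted_in)
    return guard.allow("POST", "admin-session")

def legitimate_post_allowed(require_for_all_clients):
    guard = CsrfGuard(require_for_all_clients)
    token = guard.issue_token("admin-session", opt_in=True)
    return guard.allow("POST", "admin-session", csrf_token=token)
```

Only the enforced mode rejects a tokenless state-changing request regardless of whether the client opted in, which is why the opt-in builds are described as a partial fix.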

MTD has been obsoleted by CA and the Symantec Messaging Gateway (SMG). Symantec recommends that MTD customers transition to CA 2.2 (or above) and SMG 10.6.3 (or above) to get the latest functionality and vulnerability fixes.

ISSUES

CVE-2016-9092

Severity / CVSSv2 | High / 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C)
References | NVD: CVE-2016-9092
Impact | Cross-site request forgery (CSRF)
Description | A remote, unauthenticated attacker can target an authenticated administrator user with phishing or other social engineering techniques, and trick them into clicking on a malicious link or visiting a malicious site. This allows the attacker to access the management console with the privileges of the authenticated user.

ACKNOWLEDGEMENTS

Thanks to Peter Paccione, Chris Hebert, and Corey Boyd for reporting this vulnerability.

REVISION

2018-05-17 initial public release
