Vulnerabilities > CVE-2016-2203 - Credentials Management vulnerability in Symantec Messaging Gateway 10.6.0
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to discover an encrypted AD password by leveraging certain read privileges.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 3 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure. CVE-2016-2203. Webapps exploit for java platform |
file | exploits/java/webapps/39715.rb |
id | EDB-ID:39715 |
last seen | 2016-04-21 |
modified | 2016-04-21 |
platform | java |
port | 443 |
published | 2016-04-21 |
reporter | Fakhir Karim Reda |
source | https://www.exploit-db.com/download/39715/ |
title | Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure |
type | webapps |
Metasploit
description | This module will grab the AD account saved in Symantec Messaging Gateway and then decipher it using the disclosed Symantec PBE key. Note that authentication is required in order to successfully grab the LDAP credentials, and you need at least a read account. Version 10.6.0-7 and earlier are affected |
id | MSF:AUXILIARY/SCANNER/HTTP/SYMANTEC_BRIGHTMAIL_LDAPCREDS |
last seen | 2020-05-26 |
modified | 2019-03-05 |
published | 2016-04-20 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb |
title | Symantec Messaging Gateway 10 Exposure of Stored AD Password Vulnerability |
Nessus
NASL family | CGI abuses |
NASL id | SYMANTEC_MESSAGING_GATEWAY_SYM16-005.NASL |
description | According to its self-reported version number, the Symantec Messaging Gateway (SMG) running on the remote host is 10.x prior to 10.6.1. It is, therefore, affected by multiple vulnerabilities : - A privilege escalation vulnerability exists in the SMG management console due to AD password information being insecurely stored and encrypted. A local attacker who has read-level access can exploit this, by reverse engineering the encrypted AD password, to gain unauthorized, elevated access to additional resources on the network. Note that recovery of this password would not provide any additional access to the SMG appliance itself. (CVE-2016-2203) - A privilege escalation vulnerability exists due to an unspecified flaw in the SMG management console. A local attacker can exploit this, by manipulating code input to the terminal window, to gain access to the privileged root shell of the console. (CVE-2016-2204) Note that Nessus has not tested for these issues but has instead relied only on the application |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 90919 |
published | 2016-05-05 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/90919 |
title | Symantec Messaging Gateway 10.x < 10.6.1 Management Console Multiple Vulnerabilities (SYM16-005) |
code |
|
Packetstorm
data source | https://packetstormsecurity.com/files/download/136758/symantecbrightmail-ldapgrabber.txt |
id | PACKETSTORM:136758 |
last seen | 2016-12-05 |
published | 2016-04-21 |
reporter | Fakhir Karim Reda |
source | https://packetstormsecurity.com/files/136758/Symantec-Brightmail-10.6.0-7-LDAP-Credential-Grabber.html |
title | Symantec Brightmail 10.6.0-7 LDAP Credential Grabber |
References
- http://packetstormsecurity.com/files/136758/Symantec-Brightmail-10.6.0-7-LDAP-Credential-Grabber.html
- http://packetstormsecurity.com/files/136758/Symantec-Brightmail-10.6.0-7-LDAP-Credential-Grabber.html
- http://www.securityfocus.com/bid/86137
- http://www.securityfocus.com/bid/86137
- http://www.securitytracker.com/id/1035609
- http://www.securitytracker.com/id/1035609
- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160418_00
- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160418_00
- https://www.exploit-db.com/exploits/39715/
- https://www.exploit-db.com/exploits/39715/