
Update Protection against Symantec Sygate Management Server SQL Injection Vulnerability


Check Point Reference: CPAI-2006-075
Date Published:
Severity:
Last Updated:
Source: Symantec: SYM06-002
Industry Reference(s): CVE-2006-0522
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
Symantec's Sygate Management Server (SMS) version 4.1, build 1417 and earlier
Vulnerability Description
A vulnerability was identified in Symantec's Sygate Management Server (SMS). A remote attacker could inject code into a URL to overwrite the password for any SMS account. Successful exploitation would allow the attacker to access any SMS console with the account's administrator privileges.
Update/Patch Available
The vendor has issued a fix.
Vulnerability Details
The application does not properly validate user-supplied input. An attacker could inject a specially crafted parameter value to execute SQL commands on the underlying database. This can be exploited to overwrite the password for any SMS account with administrative rights, potentially allowing an attacker to disable all agents or propagate malware to all managed agents.

Protection Overview
The Update enables the HTTP Worm Catcher to detect and block attempts to exploit the vulnerability based on a pre-defined worm signature.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The Update released on July 5, 2006 includes the following protections:

Malformed SSH Init Message Protection (CPAI-2006-069)
Multiple IMAP Servers Directory Traversal Protection (CPAI-2006-070)
VNC Authentication Bypass Protection (CPAI-2006-071)
COM Object Instantiation Protection (MS06-013) - CPAI-2006-072
COM Object Instantiation Memory Corruption Vulnerability (MS06-021) - CPAI-2006-073
Microsoft JScript Remote Code Execution Protection (MS06-023) - CPAI-2006-074
Symantec Sygate SQL Injection Protection (CPAI-2006-075)
Horde Help Viewer Protection (CPAI-2006-076)
Virtual War (VWar) File Inclusion Protection (CPAI-2006-077)
AWStats Remote Command Execution Protection - CPAI-2006-078
Windows Media Player PNG Protection (MS06-024) - CPAI-2006-079
ART Image Rendering Protection (MS06-022) - CPAI-2006-080
MySQL Server str_to_date DoS Protection (CPAI-2006-081)
Enhanced Protection against AWStats "migrate" Shell Command Injection (CPAI-2006-053)
Additional Logs added to the FTP patterns engine (CPAI-2006-040)

VPN-1 NGX R61

How Can I Protect My Network?
1. Update SmartDefense: Click the SmartDefense Services tab, click Download Updates and then click the Online Update button.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following pattern:

Symantec Sygate Management Server SQL Injection

4. Install policy on all modules. 

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Symantec Sygate Management Server SQL Injection

VPN-1 NGX R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following pattern:

Symantec Sygate Management Server SQL Injection

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Symantec Sygate Management Server SQL Injection

VPN-1 NG with Application Intelligence R55/54

How Can I Protect My Network?
1. Update SmartDefense by clicking Update Now in the SmartDashboard General window.
2. In the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
3. Enable the following pattern:

Symantec Sygate Management Server SQL Injection

4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Symantec Sygate Management Server SQL Injection

VPN-1 VSX NGX

How Can I Protect My Network?

1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following pattern:

Symantec Sygate Management Server SQL Injection

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Symantec Sygate Management Server SQL Injection

InterSpect NGX

How Can I Protect My Network?
1. Update SmartDefense: In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
3. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
4. Enable the following pattern:

Symantec Sygate Management Server SQL Injection

5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Symantec Sygate Management Server SQL Injection

InterSpect 2.0

How Can I Protect My Network?

1. Update your SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the SmartDefense tree, click Web > General HTTP Worm Defender.
3. Enable the following pattern:

Symantec Sygate Management Server SQL Injection

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Symantec Sygate Management Server SQL Injection
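
The log entry listed for each product above can be searched for in exported logs. The following is an added example, not Check Point code: it assumes the logs have been exported to CSV, and the column names (date, time, action, src, dst, attack, attack_info), the action values and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Field values this advisory says SmartView Tracker records.
ATTACK_NAME = "HTTP Worm Catcher"
ATTACK_INFO = "Symantec Sygate Management Server SQL Injection"

# Constructed sample export. Column names, CSV layout and action values are
# assumptions for this example, not the product's documented export format.
SAMPLE_EXPORT = """\
date,time,action,src,dst,attack,attack_info
2006-07-06,09:14:02,drop,198.51.100.23,192.0.2.10,HTTP Worm Catcher,Symantec Sygate Management Server SQL Injection
2006-07-06,09:14:05,drop,198.51.100.23,192.0.2.10,http worm catcher, Symantec Sygate Management Server SQL Injection
2006-07-06,09:20:41,accept,203.0.113.7,192.0.2.10,,
2006-07-06,10:02:17,drop,203.0.113.7,192.0.2.10,HTTP Worm Catcher,AWStats Remote Command Execution
2006-07-06,11:45:30,accept,203.0.113.99,192.0.2.10,HTTP Worm Catcher,Symantec Sygate Management Server SQL Injection
"""

def _norm(value):
    """Normalise a field for comparison: tolerate missing cells, case, padding."""
    return (value or "").strip().casefold()

def find_sygate_alerts(export_text):
    """Return the rows whose attack fields match this advisory's log entry."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [
        row for row in rows
        if _norm(row.get("attack")) == _norm(ATTACK_NAME)
        and _norm(row.get("attack_info")) == _norm(ATTACK_INFO)
    ]

def triage(export_text):
    """Count matches per source and list sources whose requests were not blocked."""
    hits = find_sygate_alerts(export_text)
    per_source = Counter(row["src"].strip() for row in hits)
    not_blocked = sorted({
        row["src"].strip() for row in hits
        if _norm(row.get("action")) not in {"drop", "reject"}
    })
    return per_source, not_blocked

if __name__ == "__main__":
    counts, passed = triage(SAMPLE_EXPORT)
    for src, n in counts.most_common():
        print(f"{src}: {n} matching log entries")
    print("Matched but not blocked:", ", ".join(passed) or "none")
```

A source that appears in the second list was logged by the pattern without being dropped, so the SMS server it targeted should be checked for unexpected account password changes.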