Symantec just fixed three flaws (CVE-2017-6326, CVE-2017-6324, CVE-2017-6325) in the Symantec Messaging Gateway (SMG). The vulnerabilities were of the remote code execution, privilege escalation and file inclusion types. A security advisory addressing the vulnerabilities has been issued.
The flaws were disclosed by researchers Adam Witt and Mehmet Dursun Ince.
More about CVE-2017-6326
This bug is quite severe, and even though no specific details are available yet, Symantec says the vulnerability could be leveraged in remote code execution attacks against the SMG console.
More about CVE-2017-6324
This flaw is also a serious one and could lead to privilege escalation. It could be exploited when SMG processes a malicious email attachment, which could later allow malformed or corrupted Microsoft Word files to sneak in. If the files contain embedded malicious macros, they can dodge the disarm functionality of SMG.
More about CVE-2017-6325
This vulnerability is less dangerous. It is a file inclusion flaw, a type most likely to affect web applications on a scripting run time, Symantec explains. “This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time,” the company adds.
This file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability will result in remote code execution on the web server that runs the affected web application.
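The path-building pattern Symantec describes, shown next to an allowlisted form, as an added illustration. This is not SMG code; the module names, directory layout and function names are assumptions, and the request values are constructed.

```python
import os
import tempfile

# Hypothetical page names mapped to fixed module files (the allowlist).
ALLOWED_MODULES = {"status": "status.py", "reports": "reports.py"}


def build_path_unsafe(base_dir, page):
    """The flawed pattern: the request value goes straight into the path."""
    return os.path.normpath(os.path.join(base_dir, page + ".py"))


def build_path_safe(base_dir, page):
    """Map the request value to a fixed file, then confirm containment."""
    filename = ALLOWED_MODULES.get(page)
    if filename is None:
        raise ValueError("unknown page: %r" % page)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # Defence in depth: a symlink inside base_dir must not lead outside it.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("module resolves outside %s" % base)
    return candidate


def is_inside(base_dir, path):
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) == base


def demo():
    """Run both builders over constructed request values."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        modules = os.path.join(root, "app", "modules")
        os.makedirs(modules)
        for value in ("status", "../../other/file"):  # constructed inputs
            unsafe = build_path_unsafe(modules, value)
            try:
                build_path_safe(modules, value)
                safe = "accepted"
            except ValueError:
                safe = "rejected"
            results[value] = (is_inside(modules, unsafe), safe)
    return results


if __name__ == "__main__":
    print(demo())
```

For each request value, `demo()` reports whether the unsafe builder's path stays inside the module directory and whether the allowlisted builder accepts the value.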
Fortunately, the AV company released a patch for the SMG, version 10.6.3 with patch 10.6.3-266. Needless to say, users are highly advised to apply the patches as soon as possible to avoid becoming victims of exploits.
Another security recommendation is that users restrict access according to the principle of least privilege: access to apps and systems is given only when a user really needs it, which limits the potential damage of an attack.
Last year, Symantec fixed a bunch of severe bugs in their security products, as well as the terrifying CVE-2016-2208, located in the core Symantec Antivirus Engine applied in most Symantec and Norton AV products.