Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Symantec Enterprise Firewall Secure Webserver info leak
From: "Sym Security" <symsecurity () symantec com>
Date: Tue, 15 Oct 2002 09:30:31 -0500

AI-SEC Security Advisories <advisories () ai-sec dk>

10/14/2002 02:10 PM
Please respond to advisories

Advanced IT-Security Advisory #02-10-2002


Symantec Enterprise Firewall Secure Webserver info leak

There exists a problem in Simple, secure webserver 1.1 which is shipped
with Raptor Firewall 6.5 (among others), in which an attacker can connect
to the proxyserver from the outside, and issue a CONNECT to IP-addresses on
the inside interface, and thereby determine if there are hosts present or
not by inspecting the errormessage. This problem lets an attacker map out
the entire topology of a client from the outside.

Symantec has addressed this issue as a collateral problem in an earlier
security update for the Symantec Enterprise Firewall. The Symantec
Enterprise Firewall is not vulnerable to this concern ifpatched fully


October 13, 2002
Symantec Enterprise Firewall Secure Webserver info leak


Advanced IT-Security, a Scandinavian security consultancy, notified
Symantec of a potential information leak issue they discovered in the
manner in which the web proxy component in the Symantec Enterprise Firewall
returned error messages.  A remote user connecting to the proxy server can
actually perform limited reconnaissance activity against the internal
network behind the firewall even though access is restricted by the
firewall.  By analyzing the unauthorized access error messages returned,
the remote user can determine whether the address requested is a valid
address or not.  In this manner, a limited mapping of the internal network
is possible.

Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)

Symantec Response
Symantec verified this issue reported by Advanced IT-Security as an issue
that Symantec addressed as a collateral problem in an earlier security
update for the Symantec Enterprise Firewall.  The Symantec Enterprise
Firewall is not vulnerable to this concern if patched fully up-to-date.
All patches are available for download through the Symantec Enterprise
Support site http://www.symantec.com/techsupp.

As a best practice, Symantec recommends keeping all operating systems and
applications updated with the latest vendor patches. Keeping
mission-critical systems updated with all security patches applied reduces
risk exposure.

Symantec takes the security and proper functionality of our products very
seriously.  Symantec appreciates the assistance of Tommy Mikalsen from
Advanced IT-Security in identifying this area of concern so we could
quickly address it. Anyone with information on security issues with
Symantec products should contact symsecurity () symantec com  The Sym Security
PGP key can be downloaded  from

This advisory is available at

Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Symantec Security
Response. Reprinting the whole or part of this alert in medium other than
electronically requires permission from symsecurity () symantec com 
The information in the advisory is believed to be accurate at the time of
printing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or consequential
loss or damage arising from use of, or reliance on this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity
are registered trademarks of Symantec Corp. and/or affiliated companies in
the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole property
of their respective companies/owners.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]