Symantec Warns of Serious Hole in Sygate SMS Product
Symantec said Feb. 1 that a high-risk hole could allow a remote attacker to take over vulnerable Sygate Management Servers.
The company issued a patch for the Sygate application vulnerability.
If left unpatched, remote attackers could use SQL (Structured Query Language) code to overwrite passwords for accounts on the server, possibly gaining administrative access to the server, Symantec said.
Symantec acquired the SMS (Sygate Management Server) technology with Sygate Technologies in October 2005.
SMS is one component of the Sygate Secure Enterprise platform and is used to distribute security policies and software updates to security agent software that runs on computer "endpoints" such as servers, desktop and laptop computers.
Malicious hackers can modify URLs (Uniform Resource Locators) used to pass data to the Web application and inject their own SQL code, which is then run by the backend database.
An attacker would need network or local access to the SMS server to launch an attack.
The vulnerability is an example of a SQL injection hole, a common kind of Web application flaw.
If successful, the attacker could change the password of the SMS administrator account, gain access to the Management Server and disable Sygate agents, or use the server to distribute malicious code to the machines running the Sygate agents, Symantec said.
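The mechanism described above, in an added example that is not code from the article or from Symantec's product: a Web handler that resets an account password by splicing a URL parameter straight into the SQL text, beside the parameterized version that keeps the request value as data. The table, account names and hashes are constructed for the example, and the regression check at the end is the kind of test a defender would keep in a suite to catch this class of bug.

```python
import sqlite3

# Constructed sample accounts table standing in for the management server's
# account store; names and hashes are made up for this example.
SEED_ACCOUNTS = [
    ("admin", "hash_admin_original"),
    ("operator", "hash_operator_original"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SEED_ACCOUNTS)
    conn.commit()
    return conn


def reset_password_vulnerable(conn, username, new_hash):
    """Vulnerable pattern: the URL parameter is spliced into the SQL text,
    so quote characters in it become part of the statement."""
    sql = (f"UPDATE accounts SET password_hash = '{new_hash}' "
           f"WHERE username = '{username}'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of accounts whose password was replaced


def reset_password_safe(conn, username, new_hash):
    """Hardened pattern: parameter binding keeps the request value as data;
    the database never parses it as SQL."""
    cur = conn.execute(
        "UPDATE accounts SET password_hash = ? WHERE username = ?",
        (new_hash, username),
    )
    conn.commit()
    return cur.rowcount


def password_hash_of(conn, username):
    row = conn.execute(
        "SELECT password_hash FROM accounts WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def run_scenario(reset_fn, username_param):
    """Apply one reset request through reset_fn on a fresh database and report
    how many rows changed and whether the admin account was touched."""
    conn = make_db()
    rows = reset_fn(conn, username_param, "hash_new")
    admin_changed = password_hash_of(conn, "admin") != "hash_admin_original"
    conn.close()
    return {"rows_changed": rows, "admin_changed": admin_changed}


# Regression check a defender would keep in the test suite: a request value
# that breaks out of the quoted literal must never reach any other account.
CRAFTED_USERNAME = "operator' OR '1'='1"


def survives_injection(reset_fn):
    result = run_scenario(reset_fn, CRAFTED_USERNAME)
    return result["rows_changed"] <= 1 and not result["admin_changed"]


if __name__ == "__main__":
    for name, fn in (("vulnerable", reset_password_vulnerable),
                     ("safe", reset_password_safe)):
        print(name, run_scenario(fn, "operator"), run_scenario(fn, CRAFTED_USERNAME),
              "passes regression:", survives_injection(fn))
```

With a legitimate username both handlers change exactly one row; with the crafted value the spliced version rewrites every account, including the administrator's, while the parameterized version matches nothing. Parameter binding is the fix; the access-control advice in the advisory (restricting who can reach the console at all) limits exposure until the patch is applied but does not remove the bug.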
The hole affects SMS Versions 3.5, 4.0 and 4.1, according to an alert published by Symantec.
In a separate warning, Secunia Inc. of Copenhagen, Denmark, rated the hole "moderately critical."
Symantec recommended companies update their Sygate SMS servers as soon as possible. In the meantime, organizations should use access control lists to block Web-based access to the SMS server application and restrict network access to the SMS console to network administrators, Symantec said.
From , and more here:
http://www.eweek.com/article2/0,1895,1918167,00.asp