Corsaire Limited Security Advisory 020118-001a.txt
Symantec Enterprise Firewall versions 6.5.x and 7.0
Corsaire Limited has discovered two low-risk issues with Symantec Enterprise Firewall. The first is a potential information leak in the Symantec Enterprise Firewall Simple Mail Transfer Protocol (SMTP) proxy environment that could provide inappropriate information on the firewall configuration. The second is that inconsistencies in the SMTP protocol exchange could cause a connection to be denied.
Corsaire Limited notified Symantec Corporation of some issues in the way the Symantec Enterprise Firewall SMTP proxy worked with network address translation (NAT). These issues could cause some undesirable results.
Symantec Enterprise Firewall uses application proxies to provide enhanced security. Uses of this feature include restricting the sender/recipient domains and hiding internal infrastructure information from external users. Corsaire Limited discovered that when Symantec Enterprise Firewall is configured to provide NAT to an SMTP connection, the function to hide the internal server address by mapping it to an external public address is not performed in a completely desirable manner.
The Symantec Enterprise Firewall SMTP proxy should analyze the SMTP format and dynamically change the IP address as well as edit the required IP header. Corsaire Limited's research demonstrated that when the inbound or outbound SMTP connection was translated to an address other than the address assigned to the physical firewall interface, the SMTP proxy continued to use the name and address of the physical interface in the SMTP protocol exchange.
There are two low-risk issues with the way Symantec Enterprise Firewall is handling the SMTP proxy interface. First, there is a potential information leak. Information is included in the SMTP protocol exchange that could, possibly, aid a malicious intruder in analyzing the firewall configuration. Second, a receiving/transmitting host that is configured to enforce strict checks on the SMTP protocol exchange may not accept the connection due to inconsistencies in the field. This could result in the nondelivery or bouncing of mail messages.
Symantec has verified the issues discovered by Corsaire Limited and developed a fix that will be included with the near-future release of Symantec Enterprise Firewall version 8.0. Until then, use the following workarounds to address these issues:
- Configure Symantec Enterprise Firewall to use the same name for the firewall name and the firewall external interface name. This workaround results in consistent names for SMTP replies.
- If NAT is not needed, use the SMTP wizard included with Symantec Enterprise Firewall to set up rules and redirects for all inbound and outbound SMTP traffic.
Symantec takes the security of its products very seriously. Symantec appreciates the coordination of Martin O'Neal and Corsaire Limited in identifying and providing technical details of potential areas of concern so it can quickly address the issue.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact email@example.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to firstname.lastname@example.org. The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.
Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from email@example.com.
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and firstname.lastname@example.org are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Last modified on: Monday, 25-Oct-04 21:47:25