Symantec Network Protection products using affected versions of ImageMagick are susceptible to the ImageTragick security vulnerability. A remote attacker can send crafted images and execute arbitrary code on the target.
The following products are vulnerable:
Security Analytics 7.1 and 7.2 are vulnerable. Only intercepted network traffic is affected. Security Analytics 7.3 is not vulnerable.
The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
Blue Coat HSM Agent for the Luna SP
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
Mail Threat Defense
Norman Shark Industrial Control System Protection
ProxyAV ConLog and ConLogXP
The following products are under investigation:
IntelligenceCenter Data Collector
This Security Advisory addresses the ImageTragick remote code execution vulnerability in ImageMagick announced in May 2016. Symantec Network Protection products that include a vulnerable version of ImageMagick and make use of the affected functionality are vulnerable.
CVE-2016-3714 is an insufficient input validation flaw in multiple ImageMagick coders. A remote attacker can send crafted images with injected OS shell commands and execute arbitrary code on the target system with the privileges of the ImageMagick application.
Symantec's ProxySG 6.6 and 6.7 web application firewall (WAF) solution can protect network servers against some ImageTragick attack vectors. The WAF Command Injection engine, when configured to scan HTTP requests, can block HTTP POST requests containing crafted images with injected OS commands.
Security Analytics 7.3 - a fix is available in 7.3.1.
Security Analytics 7.2 - a fix is not available at this time.
Security Analytics 7.1 - a fix is not available at this time.
2017-07-05 initial public release