Symantec Messaging Gateway 10.x < 10.6.1-4 Multiple Vulnerabilities (SYM16-010)

Critical Nessus Plugin ID 91896

Synopsis

A messaging security application running on the remote host is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the Symantec Messaging Gateway (SMG) running on the remote host is 10.x prior to 10.6.1-4. It is, therefore, affected by multiple vulnerabilities :

- An array indexing error exists in the UnRAR component in the Unpack::ShortLZ() function in unpack15.cpp that is triggered when decompressing RAR files. An unauthenticated, remote attacker can exploit this, via a specially crafted RAR file, to corrupt memory, resulting in the execution of arbitrary code. (CVE-2016-2207)

- An overflow condition exists when handling PowerPoint documents due to improper validation of user-supplied input when handling a misaligned stream-cache. An unauthenticated, remote attacker can exploit this, via a specially crafted PPT file, to cause a stack-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2016-2209)

- An overflow condition exists in the CSymLHA::get_header() function in Dec2LHA.dll that is triggered when decompressing LZH and LHA archives. An unauthenticated, remote attacker can exploit this, via a specially crafted file, to cause a stack-based buffer overflow, resulting in the execution of arbitrary code.
(CVE-2016-2210)

- Multiple flaws exist in the libmspack library due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these issues, via a specially crafted file, to crash processes linked against the library or execute arbitrary code.
(CVE-2016-2211)

- An overflow condition exists in the CMIMEParser::UpdateHeader() function due to improper validation of user-supplied input when parsing MIME messages. An unauthenticated, remote attacker can exploit this, via a specially crafted MIME message, to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-3644)

- An array indexing error exists in the scan engine decomposer in the LPkOldFormatDecompressor::UnShrink() function that is triggered when decoding ZIP archives.
An unauthenticated, remote attacker can exploit this, via a specially crafted ZIP file, to cause a denial of service condition or the execution of arbitrary code.
(CVE-2016-3645)

- An integer overflow condition exists in the Attachment::setDataFromAttachment() function in Dec2TNEF.dll that is triggered when decoding TNEF files.
An unauthenticated, remote attacker can exploit this, via a specially crafted TNEF file, to cause a denial of service condition or the execution of arbitrary code.
(CVE-2016-3646)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Symantec Messaging Gateway version 10.6.1-4 or later.

See Also

http://www.nessus.org/u?76c14f65

http://www.nessus.org/u?a965f2f9

Plugin Details

Severity: Critical

ID: 91896

File Name: symantec_messaging_gateway_sym16-010.nasl

Version: 1.12

Type: remote

Family: CGI abuses

Published: 2016/06/30

Updated: 2018/11/15

Dependencies: 62009

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:symantec:messaging_gateway

Exploit Available: false

Exploit Ease: No exploit is required

Patch Publication Date: 2016/06/28

Vulnerability Publication Date: 2016/06/28

Exploitable With

Core Impact

Reference Information

CVE: CVE-2016-2207, CVE-2016-2209, CVE-2016-2210, CVE-2016-2211, CVE-2016-3644, CVE-2016-3645, CVE-2016-3646

BID: 91431, 91434, 91435, 91436, 91437, 91438, 91439