Detections
Analytics
Symantec Messaging Gateway 10.x < 10.6.1-4 Multiple Vulnerabilities (SYM16-010)
high Nessus Plugin ID 91896
Language:
Synopsis
A messaging security application running on the remote host is affected by multiple vulnerabilities.Description
According to its self-reported version number, the Symantec Messaging Gateway (SMG) running on the remote host is 10.x prior to 10.6.1-4. It is, therefore, affected by multiple vulnerabilities :- An array indexing error exists in the UnRAR component in the Unpack::ShortLZ() function in unpack15.cpp that is triggered when decompressing RAR files. An unauthenticated, remote attacker can exploit this, via a specially crafted RAR file, to corrupt memory, resulting in the execution of arbitrary code. (CVE-2016-2207)
- An overflow condition exists when handling PowerPoint documents due to improper validation of user-supplied input when handling a misaligned stream-cache. An unauthenticated, remote attacker can exploit this, via a specially crafted PPT file, to cause a stack-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2016-2209)
- An overflow condition exists in the CSymLHA::get_header() function in Dec2LHA.dll that is triggered when decompressing LZH and LHA archives. An unauthenticated, remote attacker can exploit this, via a specially crafted file, to cause a stack-based buffer overflow, resulting in the execution of arbitrary code.
(CVE-2016-2210)
- Multiple flaws exist in the libmspack library due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these issues, via a specially crafted file, to crash processes linked against the library or execute arbitrary code.
(CVE-2016-2211)
- An overflow condition exists in the CMIMEParser::UpdateHeader() function due to improper validation of user-supplied input when parsing MIME messages. An unauthenticated, remote attacker can exploit this, via a specially crafted MIME message, to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-3644)
- An array indexing error exists in the scan engine decomposer in the LPkOldFormatDecompressor::UnShrink() function that is triggered when decoding ZIP archives.
An unauthenticated, remote attacker can exploit this, via a specially crafted ZIP file, to cause a denial of service condition or the execution of arbitrary code.
(CVE-2016-3645)
- An integer overflow condition exists in the Attachment::setDataFromAttachment() function in Dec2TNEF.dll that is triggered when decoding TNEF files.
An unauthenticated, remote attacker can exploit this, via a specially crafted TNEF file, to cause a denial of service condition or the execution of arbitrary code.
(CVE-2016-3646)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Symantec Messaging Gateway version 10.6.1-4 or later.See Also
Plugin Details
Severity: High
ID: 91896
File Name: symantec_messaging_gateway_sym16-010.nasl
Version: 1.14
Type: remote
Family: CGI abuses
Published: 6/30/2016
Updated: 11/19/2019
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Critical
Score: 9.0
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 8.7
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2016-3646
CVSS v3
Risk Factor: High
Base Score: 8.4
Temporal Score: 8
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:symantec:messaging_gateway
Required KB Items: www/sym_msg_gateway
Exploit Available: true
Exploit Ease: No exploit is required
Patch Publication Date: 6/28/2016
Vulnerability Publication Date: 6/28/2016
Exploitable With
Core Impact
Reference Information
CVE: CVE-2016-2207, CVE-2016-2209, CVE-2016-2210, CVE-2016-2211, CVE-2016-3644, CVE-2016-3645, CVE-2016-3646