April 25, 2006
Symantec Forgets to Build in Authentication
Our favorite holes are always those that come from the same security vendors that are supposed to be protecting us from holes in software. Today’s entry into the Product Hall of Shame is Symantec’s Scan Engine. Seems they forgot to build in authentication:
The security software uses a client-side Java applet to authenticate users, but the Scan Engine server itself never checks to make sure that users have been authenticated, meaning that intruders could gain control of the server by sending their own XML (Extensible Markup Language) requests using the server’s proprietary protocol.
“It’s totally a fake authentication scheme,” said Chad Loder, Rapid7’s engineering director. “This vulnerability, as far as we can tell, has been built into the application from day one. We were just the first people to come and look into the protocol.”
This is pitiful. Our first clue should have been from their own marketing:
Easily integrates with third-party software and hardware via version 1.0 of the ICRAP protocol or the native API.
Okay, that was a cheap shot. But still, they forgot to build in authentication!
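To make the flaw concrete, here is an added example (not Symantec's code or protocol; the element names, command set and token format are assumptions) of a server that, like the Scan Engine described above, accepts any XML request because it assumes the client applet already handled login, next to a version that only acts on requests carrying a token the server itself issued.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Constructed model of the flaw described above, not Symantec's code or protocol.
# Element names, the command set and the token format are assumptions.
SERVER_SECRET = b"constructed-demo-secret"        # per-deployment random value in practice
DEMO_USERS = {"admin": "correct-horse-battery"}   # constructed credential store

def execute(command):
    """Privileged operation the server exposes; modelled as a string result."""
    if command is None:
        return "error: no command"
    return f"executed {command.attrib.get('name')}"

def issue_token(username, password):
    """Server-side login: returns a server-signed token, or None on bad credentials."""
    if DEMO_USERS.get(username) != password:
        return None
    tag = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{tag}"

def token_is_valid(token):
    """Recompute the signature so only tokens this server issued are accepted."""
    if token is None or ":" not in token:
        return False
    username, tag = token.split(":", 1)
    expected = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return username in DEMO_USERS and hmac.compare_digest(tag, expected)

def handle_vulnerable(xml_bytes):
    """The flawed design: the server assumes the client applet already logged in."""
    root = ET.fromstring(xml_bytes)
    return execute(root.find("command"))

def handle_fixed(xml_bytes):
    """The fix: every request must carry a token the server itself issued."""
    root = ET.fromstring(xml_bytes)
    if not token_is_valid(root.attrib.get("token")):
        return "rejected: not authenticated"
    return execute(root.find("command"))

# Constructed request from a client that never ran the login applet at all.
FORGED = b'<request><command name="get-config"/></request>'

if __name__ == "__main__":
    print(handle_vulnerable(FORGED))   # executed get-config
    print(handle_fixed(FORGED))        # rejected: not authenticated
    tok = issue_token("admin", "correct-horse-battery")
    good = f'<request token="{tok}"><command name="get-config"/></request>'.encode()
    print(handle_fixed(good))          # executed get-config
```

The point is that the check lives on the server and keys on something only the server can produce; a real deployment would also give tokens an expiry and bind them to the session.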
Network World: Bad Authentication Breaks Symantec Scanner
Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability