Authentication bug breaks Symantec's scanner

Security researchers have found three bugs in Symantec's Scan Engine security software, which could be exploited by attackers to gain control of the Scan Engine server, or inappropriately gain access to files.

The most serious of them is due to a fundamental design flaw in the product's authentication mechanism, according to Rapid7, a Boston security firm that discovered the bugs.

The vulnerabilities were reported to Symantec in January, and have recently been fixed in version 5.1 of the product. "Symantec strongly recommends all customers immediately apply the latest updates for their supported product versions to protect against these types of threats," Symantec said in a statement posted Friday.

Scan Engine is Web server software used by developers to incorporate Symantec's scanning technology into their own applications. The vulnerabilities discovered by Rapid7 are not connected to Symantec's desktop security products, Symantec said.

The most serious of these newly patched problems concerns a design flaw in Symantec's authentication mechanism, allowing anyone who understands the underlying communication protocol to seize control of the Scan Engine server.

The security software uses a client-side Java applet to authenticate users, but the Scan Engine server itself never checks to make sure that users have been authenticated, meaning that intruders could gain control of the server by sending their own XML (Extensible Markup Language) requests using the server's proprietary protocol.

"It's totally a fake authentication scheme," said Chad Loder, Rapid7's engineering director. "This vulnerability, as far as we can tell, has been built into the application from day one. We were just the first people to come and look into the protocol."

Rapid7 has produced proof of concept code to show how this vulnerability could be exploited, Loder said.

Another security expert said it was unusual to see this kind of design error in commercial software. "They definitely made the wrong choice in deciding to have the applet do the authentication and not the server," said Russ Cooper, a senior information security analyst at Cybertrust Inc. "I can't think of a system where you authenticate to the client software, which in turn talks without authentication to a backend server."

Cooper said that in most cases, firewall software would prevent attackers from exploiting this flaw over the Internet.

Rapid7 has also discovered less serious flaws in the way that Scan Engine processes HTTP (Hypertext Transfer Protocol) requests as well as a flaw in its use of the SSL (Secure Sockets Layer) security protocol.

"Symantec is unaware of any adverse customer impact from these issues," Symantec said in its statement. "There are no known publicly available exploits."

Rapid7's three advisories on the bugs are available on its Web site.