Rapid7 Vulnerability & Exploit Database

Symantec Scan Engine Authentication Fundamental Design Error

Back to Search

Symantec Scan Engine Authentication Fundamental Design Error

Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
04/21/2006
Created
07/25/2018
Added
04/21/2006
Modified
02/13/2015

Description

Symantec Scan Engine provides a web-based administrative interface that is used for managing scanning options and antivirus definitions. To access the interface, an administrator must browse to it, load a Java applet, and log in with a password.

However, the authentication mechanism used by Symantec Scan Engine contains a fundamental design flaw that allows any remote user to gain full administrative access to the server. The server does not verify the password entered by the user. The password is only verified by the client-side Java applet. Anyone with knowledge of the underlying communication mechanism can exercise full control of the Scan Engine server simply by posting XML requests to the server using its proprietary protocol.

Solution(s)

  • symantec-scan-engine-upgrade-5_1

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;