Symantec Scan Engine insecure private DSA key

sse-insecure-private-key (25973)

Low Risk

Description:

Symantec Scan Engine uses a known private DSA key for SSL communications that cannot be changed by the user. A remote attacker could exploit this vulnerability to decrypt sensitive communications between the Scan Engine server and an administrative user that can be obtained using man-in-the-middle techniques.

Platforms Affected:

• RedHat, Enterprise Linux 2.1 AS
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 3 AS
• RedHat, Enterprise Linux 3 ES
• RedHat, Linux 9.0
• Sun, Solaris 10 SPARC
• Sun, Solaris 8 SPARC
• Sun, Solaris 9 SPARC
• SuSE, SuSE SLES 9
• Symantec, Scan Engine 5.0.0.24

Remedy:

Upgrade to the latest version of Symantec Scan Engine (5.1 or later), as listed in Symantec Security Advisory SYM06-008. See References.

Consequences:

Obtain Information

References:

• Rapid7, LLC Security Advisory R7-0022, Symantec Scan Engine Known Immutable DSA Private Key at http://www.rapid7.com/advisories/R7-0022.html.
• Symantec Security Advisory SYM06-008 , Symantec Scan Engine Multiple Vulnerabilities at http://www.symantec.com/avcenter/security/Content/2006.04.21.html.
• BID-17637: Symantec AntiVirus Scan Engine Multiple Remote Vulnerabilities
• CVE-2006-0231: Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, uses the same private DSA key for each installation, which allows remote attackers to conduct man-in-the-middle attacks and decrypt communications.
• FrSIRT/ADV-2006-1464: Symantec Scan Engine Authentication Bypass and Information Disclosure Issues
• SA19734: Symantec Scan Engine Multiple Vulnerabilities
• SECTRACK ID: 1015974: Symantec Scan Engine Lets Remote Users Access the System and Download Files

Reported:

Apr 21, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page