Symantec updated its Messaging Gateway email security product to fix multiple vulnerabilities.
The most serious of the security holes, tracked as CVE-2017-6327 and classified as high severity, is a remote code execution flaw discovered by Philip Pettersson.
“The Symantec Messaging Gateway can encounter an issue of remote code execution, which describes a situation whereby an individual may obtain the ability to execute commands remotely on a target machine or in a target process,” Symantec said in its advisory. “In this type of occurrence, after gaining access to the system, the attacker may attempt to elevate their privileges.”
The second flaw, rated low severity and identified as CVE-2017-6328, is a cross-site request forgery (CSRF) hole identified by Dhiraj Mishra. The security bug allows an attacker to execute commands via a trusted user by getting the victim to access a specially crafted website.
The vulnerabilities affect Symantec Messaging Gateway versions prior to 10.6.3-267, which addresses the issues. Symantec said users should halt access to administrative and management systems, and run applications with the lowest level of privilege needed.
None of these vulnerabilities has been exploited, Symantec said.
US-CERT released an alert to encourage organizations to review Symantec’s advisory and install the necessary updates.