Security Vulnerability: QMS Whitelist/Blacklist Parameter Tampering (CVE-2019-11645)

  • 7023864
  • 09-May-2019
  • 10-May-2019

Environment

GWAVA (Secure Messaging Gateway) 7

Situation

A parameter tampering vulnerability has been identified in the Quarantine Management System (QMS) component of Secure Messaging Gateway (SMG) revision 658 and below. A remote attacker who has obtained a QMS digest whitelist or blacklist link from a valid system user can manipulate the link's parameters to insert arbitrary entries into the whitelist or blacklist, including wildcard ranges. Successful exploitation could lead to a complete bypass of the SMG security checks (whitelist wildcard) or denial of service (blacklist wildcard).

Exploiting this vulnerability requires access to a valid digest message and that the digest white or black listing buttons are enabled. This limits the exposure to internal users of an SMG system who receive digests, or to attackers who can gain access to a user's mailbox containing a digest.
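The root issue described above is that the action parameters carried in a digest link are trusted as submitted. As an added illustration (not SMG's own code), the following Python shows the general defence for this class of bug: bind every parameter of the link under an HMAC, give the link an expiry, and refuse wildcard entries even when the signature is valid. The key, the parameter names and the sample addresses are constructed assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed example key; a real gateway would hold a per-installation secret.
SECRET_KEY = b"constructed-example-key"
ACTIONS = ("whitelist", "blacklist")


def is_acceptable_entry(address: str) -> bool:
    """Allow only concrete addresses: no empty values and no '*' wildcards."""
    return bool(address) and "*" not in address and "@" in address


def _canonical(params: dict) -> bytes:
    """Deterministic encoding of the signed fields (sorted, sig excluded)."""
    return urlencode(sorted(params.items())).encode()


def sign_digest_action(user: str, action: str, sender: str, recipient: str,
                       ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build a digest button query string with all fields bound under one HMAC."""
    now = int(time.time()) if now is None else now
    params = {"user": user, "action": action, "sender": sender,
              "recipient": recipient, "exp": str(now + ttl_seconds)}
    params["sig"] = hmac.new(SECRET_KEY, _canonical(params), hashlib.sha256).hexdigest()
    return urlencode(params)


def verify_digest_action(query: str, now: Optional[int] = None):
    """Check signature, then expiry, then entry content; return (ok, reason)."""
    now = int(time.time()) if now is None else now
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    sig = fields.pop("sig", "")
    expected = hmac.new(SECRET_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature mismatch: parameters were altered"
    if int(fields.get("exp", "0")) < now:
        return False, "link expired"
    if fields.get("action") not in ACTIONS:
        return False, "unknown action"
    for key in ("sender", "recipient"):  # defence in depth even for valid signatures
        if not is_acceptable_entry(fields.get(key, "")):
            return False, f"unacceptable {key} entry"
    return True, "ok"
```

An altered sender or recipient fails the signature check, an old link fails the expiry check, and a '*' entry is refused even if it somehow arrives with a valid signature.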

*** Testing for Vulnerability Exposure ***

Please note that black lists are not created automatically, and white lists are only created automatically if policies were created with the wizard. Some of the following information will not apply if either of these lists has not been configured.

The white and black lists can be managed from the system administration console or the quarantine management system depending on how your system is configured.  Use the method appropriate for your configuration.

-- Option 1: Checking via Quarantine Management System --
As an administrator, log in to the SMG Quarantine Management System console, navigate to the Options tab and select the list to be checked. This process needs to be repeated for all defined organizational units.

Review the sender/recipient list to confirm that the address pairs are acceptable, paying particular attention to wildcard addresses such as '*'. Remove any address pairs that should not be listed.

Repeat the process for both the white and black lists.


-- Option 2: Checking via System Administrator Console --
As an administrator, log in to the SMG System Administration Management console and navigate to your scanner policy workbench. This process needs to be repeated for all defined organizational units.

To check the black list, locate the black list node in the filter tab on the components panel and open it by clicking the icon button.

To check the white list, locate the white list node in the exceptions tab on the components panel and open it by clicking the icon button.

If you have more than one black or white list node, locate the node whose title contains the suffix "(QMS link)". If none of your nodes are linked to the quarantine system, no further action is required.

Resolution

Run the online update function to update to the latest version of Secure Messaging Gateway. Please note that the fix for this issue will expire the white and black list links in digests generated prior to the update. Users affected by the update can add addresses manually within the QMS.

Additional Information

Secure Messaging Gateway revision 658 and below