Symantec Corp. yesterday issued what it ranked as medium-level patches for a flaw in a number of its products that could allow the remote exposure of sensitive information.
Danish security vulnerability aggregator Secunia said, "The problem is caused due to an error in the SMTP
Cupertino, Calif.-based Symantec labeled the flaw "SMTP binding configuration bypassed" and said the risk impact is "highly configuration dependent."
The security vendor said the flaw affects:
- Symantec Firewall/VPN Appliance 200/200R firmware builds prior to 1.68 and later than 1.5Z;
- Symantec Gateway Security 360/360R firmware builds prior to 858;
- Symantec Gateway Security 460/460R firmware builds prior to build 858;
- and Nexland Pro800turbo firmware builds prior to build 1.6X and later than 1.5Z.
"Symantec was notified of this potential vulnerability in a Symantec Gateway Security 360 appliance configured to load-balance two ISPs with SMTP binding set for a single WAN," said the Symantec advisory. "The SMTP binding configuration was not being implemented as selected, causing SMTP traffic to be load-balanced through both WAN1 and WAN2. This could result in
Symantec recommends that those using SMTP binding in load-balanced configurations apply the appropriate firmware for their affected product models/versions to correct the flaw.
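One way to confirm, before and after the firmware update, that SMTP binding is being honored is to check exported connection records for outbound SMTP leaving through the unbound WAN. The script below is an added example, not code from Symantec's advisory; the key=value log format, its field names and the function name are assumptions, and the sample records are constructed.

```python
import re
from collections import Counter

# Constructed sample records in a hypothetical key=value export format;
# this is not the appliance's real log format.
SAMPLE_LOG = """\
2005-01-10T09:00:01 src=192.168.0.10 dst=203.0.113.25 proto=tcp dport=25 out_if=WAN1
2005-01-10T09:00:04 src=192.168.0.11 dst=198.51.100.80 proto=tcp dport=80 out_if=WAN2
2005-01-10T09:00:09 src=192.168.0.10 dst=203.0.113.25 proto=tcp dport=25 out_if=WAN2
2005-01-10T09:00:12 garbled line without fields
2005-01-10T09:00:15 src=192.168.0.12 dst=198.51.100.7 proto=udp dport=25 out_if=WAN2
2005-01-10T09:00:20 src=192.168.0.10 dst=203.0.113.26 proto=tcp dport=25 out_if=WAN1
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def check_smtp_binding(log_text, bound_if="WAN1", smtp_ports=(25,)):
    """Return (violations, per-interface SMTP flow counts, unparsed line count)."""
    violations, per_if, skipped = [], Counter(), 0
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            port = int(fields["dport"])
            proto, out_if = fields["proto"].lower(), fields["out_if"]
        except (KeyError, ValueError):
            skipped += 1          # count malformed records instead of hiding them
            continue
        if proto != "tcp" or port not in smtp_ports:
            continue              # only outbound SMTP is subject to the binding
        per_if[out_if] += 1
        if out_if != bound_if:    # SMTP left through a WAN it was not bound to
            violations.append((line.split()[0], fields.get("src"),
                               fields.get("dst"), out_if))
    return violations, dict(per_if), skipped

if __name__ == "__main__":
    bad, counts, skipped = check_smtp_binding(SAMPLE_LOG)
    print("SMTP flows per WAN:", counts, "| unparsed lines:", skipped)
    for ts, src, dst, out_if in bad:
        print(f"binding violated: {ts} {src} -> {dst} left via {out_if}")
```

Any SMTP flow counted on an interface other than the bound one means the binding is not in effect for that traffic.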