1. Introduction
Symantec Message Filter Management Interface Default Credentials refers to the use of factory-set usernames and passwords on Brightmail Control Center (BCC), the web interface for managing Symantec Message Filter. This is a high severity issue because it gives a remote attacker who can reach the interface administrative access to an email security system without any valid account of their own. Successful exploitation could lead to complete control over filtering rules, message inspection, and system settings, impacting the confidentiality, integrity, and availability of email services.
2. Technical Explanation
The vulnerability exists because Brightmail Control Center (BCC) accepts a factory-set administrator username and password. An attacker who knows the default combination can log in without compromising any legitimate user account. There is no CVE currently associated with this specific issue; it falls under CWE-798 (Use of Hard-coded Credentials) and, more specifically, CWE-1392 (Use of Default Credentials). A typical attack is simply an attempt to log in with the known default username and password.
- Root cause: The application ships with pre-defined administrator credentials that are not forced to be changed during initial setup.
- Exploit mechanism: An attacker attempts to access the BCC web interface, providing the default credentials. If successful, they gain full administrative control of the Symantec Message Filter. For example, an attacker could use a standard web browser and enter the default username ‘admin’ and password ‘password’.
- Scope: This affects installations of Symantec Message Filter where the default administrator credentials have not been changed. Specific versions are not publicly documented as being more vulnerable than others; because this is a configuration weakness rather than a code defect, every deployment should be considered at risk until the default password has been changed.
3. Detection and Assessment
You can confirm the vulnerability by attempting to log in with the default credentials. Inspecting configuration files for unchanged defaults is only useful where the installation stores credentials in cleartext; where passwords are stored hashed, the login attempt is the authoritative check. Scanning tools may identify this issue if configured with the appropriate plugins.
- Quick checks: Attempt to access the BCC web interface using the username ‘admin’ and password ‘password’.
- Scanning: Nessus plugin ID 16897 can detect default credentials, but results should be manually verified. OpenVAS also has relevant scans.
- Logs and evidence: Check application logs for successful logins from unexpected sources or IP addresses using the ‘admin’ account. Log locations vary by installation, but are typically found in /opt/symantec/msgfilter/log/.
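The log review described above can be scripted. The following is an added example, not Symantec code or a parser for the real BCC log format: the line layout, the LOGIN keyword and the user/src/result fields are a constructed format chosen for illustration, and the sample lines are constructed, not taken from a real installation. It flags successful ‘admin’ logins from outside the management networks and counts failed attempts per source address, which is the evidence section 3 asks for.

```python
"""Flag Brightmail Control Center admin logins worth investigating.

Added example, not Symantec code. The log line format below is an assumed,
constructed format; a real BCC log layout will differ, so adapt LINE_RE.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed log format (constructed for this example, not the real BCC format):
# 2024-03-04 10:15:22 INFO  LOGIN user=admin src=10.0.5.20 result=SUCCESS
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+\s+LOGIN "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2024-03-04 10:15:22 INFO  LOGIN user=admin src=10.0.5.20 result=SUCCESS
2024-03-04 10:16:01 INFO  LOGIN user=admin src=198.51.100.7 result=FAILURE
2024-03-04 10:16:03 INFO  LOGIN user=admin src=198.51.100.7 result=FAILURE
2024-03-04 10:16:05 INFO  LOGIN user=admin src=198.51.100.7 result=SUCCESS
2024-03-04 10:20:44 INFO  LOGIN user=jsmith src=10.0.5.21 result=SUCCESS
2024-03-04 10:21:00 WARN  LOGIN user=admin src=203.0.113.9 result=FAILURE
"""


def parse_log(text):
    """Turn raw log text into a list of login event dicts; non-login lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        })
    return events


def find_suspicious_admin_logins(events, admin_networks, account="admin"):
    """Return successful logins for `account` whose source is outside the allowed networks."""
    nets = [ip_network(n) for n in admin_networks]
    hits = []
    for e in events:
        if e["user"] != account or e["result"] != "SUCCESS":
            continue
        if not any(ip_address(e["src"]) in n for n in nets):
            hits.append(e)
    return hits


def failed_attempts_by_source(events, account="admin"):
    """Count failed logins for `account` per source address (brute-force indicator)."""
    counts = {}
    for e in events:
        if e["user"] == account and e["result"] == "FAILURE":
            counts[e["src"]] = counts.get(e["src"], 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    # 10.0.5.0/24 is the assumed management network for this example.
    for hit in find_suspicious_admin_logins(evs, ["10.0.5.0/24"]):
        print(f"ALERT admin login from {hit['src']} at {hit['ts']}")
    for src, n in failed_attempts_by_source(evs).items():
        print(f"{src}: {n} failed admin attempt(s)")
```

In the sample, the successful login from 198.51.100.7 is preceded by two failures from the same address, which is the pattern of a default-credential guess followed by success; that is the event to investigate first.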
curl -u admin:password http://[target_ip]/brightmail/controlcenter
This command sends the default credentials as HTTP Basic authentication. If the interface uses a form-based login instead, a 200 response that still contains the login page does not mean the credentials were accepted; confirm the result in a browser.
4. Solution / Remediation Steps
The primary solution is to change the default administrator password immediately. This should be done as part of a standard hardening process.
4.1 Preparation
- Services: No services need to be stopped for this change, but access to the web interface is required.
4.2 Implementation
- Step 1: Log in to Brightmail Control Center using the default credentials (admin/password).
- Step 2: Navigate to System > Administrators.
- Step 3: Select the ‘admin’ account and click ‘Edit’.
- Step 4: Enter a strong, unique password for the administrator account.
- Step 5: Confirm the new password and save the changes.
4.3 Config or Code Example
Before
Username: admin
Password: password
After
Username: admin
Password: [Strong, unique password]
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this type of issue. Strong passwords are essential, as is the principle of least privilege.
- Practice 1: Enforce strong password policies across all systems and applications.
- Practice 2: Implement the principle of least privilege by limiting administrator access to only those who require it.
4.5 Automation (Optional)
Detection can be automated with a scheduled scanner check or a scripted login attempt. The password change itself is made through the web interface; scripting it would require custom code driving the interface, which is unsupported and may introduce risk, so it is best done manually as part of initial provisioning.
5. Verification / Validation
- Post-fix check: Attempt to access the BCC web interface using the username ‘admin’ and password ‘password’. The login attempt should be rejected.
- Re-test: Repeat the quick check from section 3; it should no longer succeed with default credentials.
- Smoke test: Verify that a valid administrator account can still log in to BCC and access core functionality, such as viewing email logs or modifying filtering rules.
- Monitoring: Monitor application logs for failed login attempts using the ‘admin’ account.
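The post-fix check above can be turned into a repeatable probe. This is an added example, not Symantec code: it sends the same Basic-auth request as the curl command on this page and then interprets the reply. Because the interface may use a form-based login rather than HTTP Basic authentication, the classifier reports a separate ‘form-login’ verdict when the server answers with a login page or a redirect to one, since in that case the Basic-auth credentials were never evaluated and a form submission would be needed. The URL path is the one used by the curl check; the header names, the ‘login’ and ‘password’ markers, and the sample responses in the usage note are assumptions for illustration.

```python
"""Probe Brightmail Control Center with default credentials and interpret the reply.

Added example, not Symantec code. Mirrors `curl -u admin:password URL` (HTTP
Basic auth) and classifies the response. The path, the login-page markers and
the header handling are assumptions for illustration, not documented BCC behaviour.
"""
import base64
import sys
import urllib.error
import urllib.request

DEFAULT_PATH = "/brightmail/controlcenter"  # path used by the curl check on this page


def classify_login_response(status, headers, body):
    """Map an HTTP response to a verdict and a human-readable reason.

    Verdicts: 'rejected'   - credentials were refused (401/403)
              'accepted'   - the server let the request through to content
              'form-login' - a login form or redirect to one; Basic auth was not evaluated
              'unknown'    - anything else (treat as a finding to check manually)
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location", "")
    lowered = body.lower()
    if status in (401, 403):
        return "rejected", f"HTTP {status}: credentials refused"
    if status in (301, 302, 303, 307, 308):
        if "login" in location.lower():
            return "form-login", f"redirected to login page: {location}"
        return "accepted", f"redirected away from login: {location}"
    if status == 200:
        # Assumed markers of a login form for this example.
        if "<form" in lowered and ("password" in lowered or "login" in lowered):
            return "form-login", "login form presented; submit credentials via the form"
        return "accepted", "200 response without a login form"
    return "unknown", f"unexpected HTTP {status}"


def probe_default_credentials(base_url, username="admin", password="password",
                              path=DEFAULT_PATH, timeout=10):
    """Send one Basic-auth request, as curl -u does, and classify the answer."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Authorization": f"Basic {token}"})

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        # Stop urllib following redirects so a 3xx reaches the classifier.
        def redirect_request(self, *args, **kwargs):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, headers = resp.status, dict(resp.headers.items())
            body = resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        # 3xx (because of NoRedirect) and 4xx/5xx arrive here.
        status, headers = err.code, dict(err.headers.items())
        body = err.read().decode(errors="replace")
    return classify_login_response(status, headers, body)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://[target_ip]"
    verdict, reason = probe_default_credentials(target)
    print(f"{target}: {verdict} ({reason})")
    # After remediation the verdict must not be 'accepted'.
    sys.exit(1 if verdict == "accepted" else 0)
```

A ‘rejected’ verdict is the expected post-fix result for a Basic-auth interface; a ‘form-login’ verdict means the check has not actually tested the password and the login form should be exercised in a browser, as the smoke test above does.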
curl -u admin:password http://[target_ip]/brightmail/controlcenter
The request should return a 401 Unauthorized error. If the interface uses a form-based login rather than HTTP Basic authentication, expect the login page or a redirect to it instead; in either case the default password must not grant access.
6. Preventive Measures and Monitoring
Regular security baselines, patch management, and secure configuration checks can help prevent this issue. For example, CIS benchmarks include recommendations for password policies.
- Baselines: Update your security baseline to include a requirement for changing default credentials on all new systems.
- Pipelines: Add a scripted default-credential check to the provisioning or deployment pipeline so that a new appliance is not promoted to production with unchanged defaults. Static analysis (SAST) in CI/CD still has a place for catching hardcoded credentials in your own configuration files and scripts, but it will not detect a vendor default that lives in the running system.
7. Risks, Side Effects, and Roll Back
Mistyping the new password can lock administrators out. Keep the current session open until the new password has been confirmed from a second browser session, and make sure a second administrator account exists before the change. A roll back involves restoring the configuration from the pre-change backup.
- Risk or side effect 1: Incorrectly entering the new password can result in account lockout.
- Roll back: Restore the Symantec Message Filter configuration from the pre-change backup.
8. References and Resources
- Vendor advisory or bulletin: Broadcom KB90562 – Brightmail Control Center Default Credentials
- NVD or CVE entry: No specific CVE exists for this issue. The relevant weakness classes, CWE-798 (Use of Hard-coded Credentials) and CWE-1392 (Use of Default Credentials), are documented at cwe.mitre.org.
- Product or platform documentation relevant to the fix: Brightmail Gateway Administrator Guide – Configuring Administrators