Symantec Security Response: SMNTC-1087
Mar 07, 2006 - 8:00 a.m.

Symantec Ghost: Local access vulnerabilities in Database


CVSS2: 4.6 Medium

Access Vector | LOCAL
---|---
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | PARTIAL
Availability Impact | PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

SUMMARY

Symantec engineers updated the db component to address three local access vulnerabilities discovered in the database installed with Symantec Ghost and the Central Management Console in Symantec Ghost Solutions Suite (SGSS) 1.0. Exploitation of any of these issues requires physical access to the host system. Successful exploitation by a malicious local user could result in unauthorized information disclosure, modification or destruction of stored administrative data or could possibly be leveraged by a non-privileged local user to potentially gain additional access on the local system.

Risk Impact
low (Highly configuration dependent)

Remote Access | No
---|---
Local Access | Yes
Authentication Required | Yes
Exploit publicly available | No

AFFECTED PRODUCTS

Product | Version | Build | Solution
---|---|---|---
Symantec Ghost | 8.0 (EOL / EOS 11/15/2005) | All | Symantec Ghost 8.3 shipped as a part of Symantec Ghost Solutions Suite 1.1
Symantec Ghost | 8.2 (shipped as a part of SGSS 1.0) | All | Symantec Ghost 8.3 shipped as a part of Symantec Ghost Solutions Suite 1.1

ISSUES

Details
The three local access vulnerabilities addressed in Symantec Ghost Solutions Suite 1.1 were:

  • A default administrator login/password pair left during installation that could allow a malicious local user to modify or delete stored administrative tasks. To successfully exploit this issue, a malicious user would require local access to, as well as authorization on, the targeted system. A non-privileged malicious local user could possibly modify tasks to run arbitrary code on the local system that could potentially be leveraged to gain additional system access.
  • A memory mapping permission issue occurring in shared-memory in the database installation. Shared memory sections are read/write for all users. A non-privileged local user could potentially gain unauthorized access to information stored in the database or possibly be able to successfully alter stored information.
  • A buffer overflow in the login dialog of the version of dbisqlc.exe installed with the run-time edition of the database that could result in unauthorized information disclosure. The dbisqlc.exe component is not used by default in Symantec Ghost, but is installed as a part of the db package in the event a client should want to use it. In normal installations, dbisqlc is a non-privileged interactive database client which would limit anything gained by exploiting this issue. However, successful exploitation could provide a non-privileged local user access to information stored in the database that should not and would not normally be accessible.
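
The second issue above (shared memory sections readable and writable by all users) can be checked for from a section object's security descriptor. The following is an added example, not code from Symantec or from this advisory: it audits an SDDL string, such as one printed by a tool that dumps object security descriptors, for allow-ACEs that give broad groups map access. The sample descriptors are constructed, since the advisory does not name the sections or give their ACLs, and treating the generic rights as implying map access is an assumption of this audit.

```python
import re

# Section-object access bits (winnt.h) and the generic rights
SECTION_MAP_WRITE, SECTION_MAP_READ = 0x0002, 0x0004
GENERIC_ALL, GENERIC_WRITE, GENERIC_READ = 0x10000000, 0x40000000, 0x80000000

# SDDL two-letter rights mnemonics -> access-mask bits
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "GA": GENERIC_ALL,
          "GX": 0x20000000, "GW": GENERIC_WRITE, "GR": GENERIC_READ}

# Trustees that cover every, or nearly every, local account
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone", "AU": "Authenticated Users",
         "BU": "BUILTIN\\Users", "IU": "INTERACTIVE", "AN": "Anonymous"}

def parse_mask(rights):
    """Turn an SDDL rights field (hex or mnemonics) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS[code]  # KeyError on a mnemonic this table lacks
    return mask

def audit_section_sddl(sddl):
    """Return findings for allow-ACEs that let broad groups map the section."""
    m = re.search(r"D:([^()]*)((?:\([^)]*\))*)", sddl)
    if m is None or "NO_ACCESS_CONTROL" in m.group(1):
        return ["NULL or missing DACL: every user gets full access"]
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        if ace_type != "A" or sid not in BROAD:
            continue
        mask = parse_mask(rights)
        write = bool(mask & (SECTION_MAP_WRITE | GENERIC_WRITE | GENERIC_ALL))
        read = bool(mask & (SECTION_MAP_READ | GENERIC_READ | GENERIC_ALL))
        if read or write:
            access = "/".join(w for w, ok in (("read", read), ("write", write)) if ok)
            findings.append(f"{BROAD[sid]} can map section {access} (mask {mask:#x})")
    return findings

# Constructed sample descriptors (not taken from the product)
WEAK = "O:BAG:SYD:(A;;0xf001f;;;WD)"                       # Everyone, all access
HARDENED = "O:BAG:SYD:(A;;0xf001f;;;SY)(A;;0xf001f;;;BA)"  # SYSTEM + Administrators
if __name__ == "__main__":
    for sd in (WEAK, HARDENED, "O:BAG:SYD:NO_ACCESS_CONTROL"):
        print(sd, "->", audit_section_sddl(sd) or "no broad map access")
```

The audit looks only at allow-ACEs and does not evaluate deny-ACE ordering, so a finding means the grant exists, not that no deny entry overrides it.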

The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CVE-2006-1284 to the default login issue.
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CVE-2006-1285 to the memory mapping issue.
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CVE-2006-1286 to the login dialog overflow issue.
These issues are candidates for inclusion in the CVE list (<http://cve.mitre.org>), which standardizes names for security problems.

MITIGATION

Symantec Response
Symantec engineers have verified all issues and fixes have been released in Symantec Ghost Solutions Suite 1.1 for all languages.

Symantec engineers determined the problems existed in the implementation of the older SQLAnywhere version installed with earlier Symantec Ghost products. The latest release of Sybase SQLAnywhere 9.0 integrated with Symantec Ghost Solutions Suite 1.1 fully addresses these issues.

Symantec recommends customers upgrade to the latest release of Symantec Ghost Solutions Suite 1.1. Contact your appropriate support channels for upgrade information.

NOTE: In a recommended installation, the system hosting the Symantec Ghost Console component of Symantec Ghost Solutions Suite should be restricted to trusted, privileged access users only. This prevents non-privileged local users from accessing or modifying data stored on the system.

Symantec is not aware of any exploit of or adverse customer impact from these issues.

As normal best practices, Symantec strongly recommends:

  • Restricting access to administration or management systems to privileged users only with additional restricted access to the physical host system(s) if possible.
  • Running under the principle of least privilege where possible to limit the impact of exploit by threats such as this.
  • Keeping all operating systems and applications updated with the latest vendor patches.
  • Following a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.

ACKNOWLEDGEMENTS

Ollie Whitehouse, Symantec, identified these issues in Symantec Ghost Solution Suite 1.0.

REVISION

Revision History
3/16/2006 - advisory updated to better identify the cause of the problems discovered and addressed in Symantec Ghost Solutions Suite 1.0 database implementation
3/23/2006 - Added assigned CVE numbers

CPE

Name | Operator | Version
---|---|---
symantec ghost | eq | 8
symantec ghost | eq | 8
