Symantec pcAnywhere Multiple Security Updates

SUMMARY

Symantec pcAnywhere is susceptible to local file tampering elevation of privilege attempts and remote code execution attempts. It is possible to run arbitrary code on a targeted system in the context of the application which is normally System. Symantec pcAnywhere is also susceptible to access violation and input instability issues that could potentially prevent fully closing a remote client connection or result in a server or client denial of service.

AFFECTED PRODUCTS

Product

|

Version

|

Build

|

Solution

—|—|—|—

Symantec pcAnywhere

|

12.5.x

|

All

|

Upgrade to the latest release of pcAnywhere 12.5 SP4 or pcAnywhere Solution 12.6.7. For instructions, see the following article:

http://www.symantec.com/docs/DOC5442

Or, if your are currently unable to upgrade, apply the TECH182142 hot fix. For instructions, see the following article:

http://www.symantec.com/docs/TECH182142

Symantec pcAnywhere

|

12.0.x, 12.1.x

|

All

Symantec pcAnywhere Solution shipped with Altiris IT Management Suite 7.x

|

12.5.x, 12.6.x

|

All

Symantec pcAnywhere Solution shipped with Altiris Client Management Suite 7.x

|

12.5.x, 12.6.x

|

All

Remote pcAnywhere Solution shipped with Altiris Deployment Solution 7.1

|

12.5.x, 12.6.x

|

All

Symantec pcAnywhere

|

10.x , 11.x

|

All

|

No longer supported: See Note below

Note: Any user running a version of pcAnywhere earlier than 12.x is strongly advised to upgrade to the latest release, pcAnywhere 12.5 SP4 or pcAnywhere Solution 12.6.7

Upgrade instructions and build number identification are included in DOC5442,http://www.symantec.com/docs/DOC5442

• The hot fixes identified in TECH182142 have been back ported to support Symantec pcAnywhere 12.0.x and 12.1.x for customers currently unable to upgrade to Symantec pcAnywhere 12.5 SP4 or pcAnywhere Solution 12.6.7
• Symantec strongly recommends that customers upgrade at the first opportunity to the latest release of pcAnywhere 12.5 SP4 or pcAnywhere Solution 12.6.7
• If you are using an earlier version of Symantec pcAnywhere 12.5, SP1 or SP2, and have already applied the hot fixes, you WILL need to reapply the hot fixes in TECH182142 after upgrading to Symantec pcAnywhere 12.5 SP3

ADDITIONAL PRODUCT INFORMATION

Product(s) Not Affected

Product

|

Version

|

Build

—|—|—

Altiris IT Management Suite

|

7.x

|

All

Altiris Client Management Suite

|

7.x

|

All

Altiris Deployment Solution

|

7.x

|

All

Note: Symantec’s Altiris products are NOT impacted by this issue. Only the pcAnywhere solutions deployed and implemented as part of the product suite are impacted.

ISSUES

Remote Code Execution

High

CVSS2 Base Score: 8.33

Impact 10.0, Exploitability 6.5

CVSS2 Vector: (AV:A/AC:L/Au:N/C:C/I:C/A:C)

Exploit Publicly Available : Highly Likely

Local Access File Tampering

Medium

CVSS2 Base Score: 6.8

Impact 10.0, Exploitability 3.1

CVSS2 Vector: (AV:L/AC:L/Au:S/C:C/I:C/A:C)

Exploits Publicly Available: No

Access Violation Open Client Session

High

CVSS2 Base Score: 7.5

Impact 8.5, Exploitability 6.8

CVSS2 Vector: (AV:N/AC:M/Au:S/C:C/I:P/A:P)

Exploits Publicly Available: No

Malformed or unexpected Input Denial of Service

Medium

CVSS2 Base Score: 6.8

Impact 6.9, Exploitability 8

CVSS2 Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:C)

Exploits Publicly Available: No

BID 51592 for the remote code executions
BID 51593 for the local access file tampering
BID 51862 for the access violation open client session
BID 51965 for the Denial of Service

CVE-2011-3478 for the remote code executions
CVE-2011-3479 for the local access files tampering
CVE-2012-0290 for the access violation open client session
CVE-2012-0291 for the Denial of Service

MITIGATION

Details

Symantec was informed of remote code execution and local file tampering elevation of privilege issues impacting Symantec pcAnywhere. The remote code execution is the result of not properly validating/filtering external data input during login and authentication with Symantec pcAnywhere host services on 5631/TCP. Under normal installation and configuration in a network environment, access to this port should only be available to authorized network users. Successful exploitation would require either gaining unauthorized network access or enticing an authorized network user to run malicious code against a targeted system. Results could be a crash of the application or possibly successful arbitrary code execution in the context of the application on the targeted system.

Additionally, some files uploaded to the system during product installation are installed as writable by everyone and susceptible to file tampering. An authorized but unprivileged user with local access to a targeted host could potentially overwrite these files with code of their choice in an attempt to leverage elevated privileges.

During code reviews, Symantec engineers identified additional areas of weakness that are being addressed in updates to the original hotfix. During a valid client server session unexpected input to the client can result in an exception error. This can generate an access violation resulting in the remote session being dropped but leaving the client session open in specific instances. This could potentially enable an unauthorized connection to the client session.

Malformed input to a client or server or, an unexpected response to a request could potentially destabilize the application causing it to hang or crash resulting in a denial of service. A manual restart of the Symantec pcAnywhere service would be required.

Symantec Response
Symantec engineers verified these issues on the supported versions identified above. Product updates are available to address these issues. Symantec engineers continue to review all functionality to further enhance the overall security of Symantec pcAnywhere. Updates will be identified in revisions to this advisory as required.

If customers do not require the use of remote access capabilities, Symantec pcAnywhere should not be enabled. If Symantec pcAnywhere is installed but not required, it can be uninstalled from the system.

If Symantec pcAnywhere is in use on a network or system, customers should be following best practices regarding physical security, endpoint security, network perimeter security, and secure remote access (see recommended best practices below) as they should with any remote access program.

• Specific to Symantec pcAnywhere or any remote access application, corporate firewalls should not allow inbound or outbound access to pcAnywhere without using VPN tunnels.
• Companies or individual users should employ best practices when it comes to the configuration of Symantec pcAnywhere or any remote access application e.g.,
  • password strength,
  • password retry limits,
  • always configuring the application to require the user to approve all remote connections.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit it in the wild.

If you are not currently able to move to the latest Symantec release; pcAnywhere 12.5 SP4 or pcAnywhere Solution 12.6.7, at least ensure you are running the most current hot fixes for your pcAnywhere application available from the following location:

For Enterprise, Small & Mid-Sized Business (SMB) - Download the appropriate update from TECH 180472http://symantec.com/business/docs/TECH182142.

• TECH182142 provides the most current updated hot fix to include all available patches
• If you have already applied the previous hot fix from TECH179960, you will still need to apply this TECH182142 hot fix to receive the latest updates.
• If you have NOT applied the previous hot fix from TECH179960, then you just need to apply the latest TECH182142 hot fix

LiveUpdate Option for Home and Home Office users of Symantec pcAnywhere 12.5.x:

• Symantec pcAnywhere 12.5.x users who run automatic LiveUpdate will automatically receive updates to Symantec pcAnywhere 12.5 SP3 and all available hot fixes
• Users running Symantec pcAnywhere supported versions prior to 12.5.x (12.0.x or 12.1.x) will NOT receive these upgrades or hot fixes through LiveUpdate. Symantec strongly recommends following guidance in TECH182142 for upgrading to pcAnywhere 12.5 SP3 and then apply all available updates

Symantec pcAnywhere 12.5.x users should run a manual LiveUpdate as follows to ensure they have the latest updates available:

• Open the Symantec pcAnywhere 12.5.x application
• Click Help > LiveUpdate
• Run LiveUpdate until all available product updates are downloaded and installed
• A system reboot may be required for the update to take affect

Once all updates have been applied, review update and build information found in TECH182142 to ensure you have updated your Symantec pcAnywhere application to the latest available build.

Mitigations
Symantec Security Response has released IPS signature 25253, “Attack: Symantec pcAnywhere Elevation of Privilege CVE-2011-3478” that detects and blocks attempts to exploit issues of this nature. Signatures are available through normal Symantec updates.

Best Practices

Symantec recommends the following best practices when using remote access applications:

• Corporate firewalls should not allow inbound or outbound access without using VPN tunnels
• When configuring a remote access application, establish policies around password strength, password retry limits
• Always configure the application to require the user to approve all remote connections

As part of normal best practices, Symantec strongly recommends:

• Restrict access to administration or management systems to privileged users
• Restrict remote access, if required, to trusted/authorized systems only
• Run under the principle of least privilege where possible to limit the impact of exploit by threats
• Keep all operating systems and applications updated with the latest vendor patches
• Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats
• Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities

ACKNOWLEDGEMENTS

Symantec would like to thank the following individuals for reporting these issues and coordinating with us while Symantec resolved them.

Tal zeltzer working through TippingPoint's Zero Day Initiative and Edward Torkington at NGS Secure for identifying the remote code execution issues.

Edward Torkington at NGS Secure for identifying the world-writable files local access privilege escalation.

REFERENCES

Security Focus, http://www.securityfocus.com, has assigned the following Bugtraq IDs (BIDs)

These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

REVISION

1/27/2012 - Added hot fix information for Symantec pcAnywhere versions 12.0.x and 12.1.x if customers are unable to follow the upgrade recommendations to 12.5 SP3. Link to Technical White Paper “Symantec pcAnywhere Security Recommendations”
Updates to “Affected Products” and “Products Not Affected”

2/3/2012 - Update URL to new hotfix doc TECH179960 with additional information on the latest hotfix roll-up and updating to the latest supported product version release. Clarification for pcAnywhere versions prior to 12.x. While older versions of pcAnywhere are affected. They are no longer supported. Users are strongly advised to upgrade to the latest release.
Added information on additional potential vulnerabilities found during on-going code review that could cause instability in the pcAnywhere client or server.

2/10/2012 - Update URL to new hot fix doc TECH182142 with additional information on the latest hot fix roll-up and updating to the latest supported product version release.

3/1/2012 - Symantec released an new Symantec pcAnywhere security advisory, SYM12-003, which includes a roll-up hotfix of all previous updates for pcAnywhere. All references have been updated in this advisory to point to the new TECH182142.

4/9/2012 - Symantec released the latest version of pcAnywhere: pcAnywhere 12.5 SP4 and pcAnywhere Solution 12.6.7 which included many performance enhancements, all of the previous released security updates and enhancements to the security model of pcAnywhere. Symantec recommends all pcAnywhere users move to the latest release of their respective product.