Reference
SecurityFocus BugTraq ID 4170, Symantec Norton AntiVirus LiveUpdate Plaintext Credentials Vulnerability
Risk Impact
Low
Affected Components
Norton AntiVirus Corporate Edition 7.x
Details
Symantec is aware of a recent posting to the SecurityFocus BugTraq mailing list by Javier Sanchez concerning an issue that exposes the LiveUpdate username and password.
According to Mr. Sanchez, Norton AntiVirus Corporate Edition stores LiveUpdate username and password information in clear text in the registry on client systems.
A user with access to one of these client systems can run regedit and search for this information in the appropriate registry key.
Symantec Response
Symantec's Norton AntiVirus Corporate Edition gives the administrator the ability either to push LiveUpdate definitions out to individual clients or to configure each client with a read-only username and password for access to an internal local LiveUpdate server from which it downloads local updates. While the local username and password were stored in the registry in the clear in LiveUpdate 1.5, LiveUpdate 1.6 and later versions encrypt this username and password by default.
Symantec would like to emphasize that in all instances, the username and password pair is NOT connected with authentication to access Symantec's LiveUpdate server. The username and password in question are ONLY associated with the local network internal server.
Symantec is aware of the issue addressed by Mr. Sanchez and it is not a LiveUpdate issue. Rather, it is an internal server issue: when the server passes the username and password to the client system, the password encryption is affected, causing the clear text exposure. This problem is currently being addressed, and a fix will be made available as an update as soon as it is fully tested.
Credit
Symantec appreciates the concern of Mr. Javier Sanchez and takes the security of our products very seriously. We would like to re-emphasize, however, that this read-only username/password is for internal server access only. Additionally, if company policy is such that all updates are controlled at a centralized server and pushed out to client systems, the issue in question does not exist.
Symantec takes the security and proper functionality of its products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability guidelines outlined by the National Infrastructure Advisory Council (NIAC). Please contact secure@symantec.com if you feel you have discovered a potential or actual security issue with a Symantec product. A Symantec Product Security team member will contact you regarding your submission.
Symantec has developed a Product Vulnerability Handling Process document outlining the process we follow in addressing suspected vulnerabilities in our products. We support responsible disclosure of all vulnerability information in a timely manner to protect Symantec customers and the security of the Internet as a result of vulnerability. This document is available from the location provided below.
Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be obtained from the location provided below.
Copyright (c) 2008 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Last modified on: Monday, 25-Oct-04 21:48:24