Low (potential for local SYSTEM access, but HIGHLY dependent on environment, configuration and usage restrictions)
December 16, 2003: Added URL to download patches if Symantec LiveUpdate is not supported.
A recent entry to the SecurityFocus BugTraq Vulnerability Database indicates an elevation of privilege vulnerability in the Symantec pcAnywhere application chat function when Symantec pcAnywhere is running in "service mode".
Symantec pcAnywhere version 9.x (no longer supported)
Symantec pcAnywhere version 10.x
Symantec pcAnywhere version 11.x
Symantec pcAnywhere provides a "chat session" capability during a remote control session. The host and remote users can have a chat session that is helpful for sending brief messages or instructions. As reported in the SecurityFocus Vulnerability alert, either user in the session can manipulate the GUI function while in chat mode to gain SYSTEM privileges on the local system. This could potentially give a non-privileged but authorized user elevated access on the local HOST system.
By effectively manipulating the interface in the Symantec pcAnywhere chat session GUI with the underlying operating system, the non-privileged user may gain the ability to search all system files, assume full permission for all directories and files on the HOST system, or even add themselves to the local administrative group.
Symantec pcAnywhere 9.x is no longer a supported product. However, Symantec verified this vulnerability also exists in the service-mode configuration of the currently supported Symantec pcAnywhere 10.x. Symantec's current release, Symantec pcAnywhere 11.x, is NOT vulnerable to this issue.
The pcAnywhere server (the HOST) is the distant or controlled device and must run in "service mode" to be managed. The pcAnywhere client (the REMOTE) is the local or controlling device and does not run in "service mode". The REMOTE manages properly configured HOSTS.
To access the chat feature, the REMOTE has to be actively interacting with the HOST and there has to be an authorized user logged on interactively at the HOST system.
It is in this configuration and only in this configuration that any potential elevation of privilege actions could be attempted. The chat feature cannot be accessed from the HOST's GUI running in the system tray until interactive communications have been established by the REMOTE.
Fixes for this issue have been made available via LiveUpdate to Symantec pcAnywhere 10.x. If LiveUpdate is not an option, patches for supported versions may also be downloaded from the following locations:
- For consumer versions of Symantec pcAnywhere
- For enterprise versions of Symantec pcAnywhere
Select your supported version of Symantec pcAnywhere and follow the instructions to download the appropriate update.
There are numerous mitigating circumstances that greatly reduce the risk of intentional or inadvertent exploitation of this weakness in Symantec pcAnywhere.
- Symantec pcAnywhere HOST server MUST be configured as a service by an admin-level user and launched and running on the system
- The HOST system must be in an interactive session initiated by a REMOTE client controller BEFORE any user at the HOST system could exploit this vulnerability
- If the HOST service is not already configured and running when the non-privileged user logs on, they have NO ABILITY to configure and launch Symantec pcAnywhere
- The REMOTE administrator, normally a trusted/privileged user, has to initiate a management session with the local HOST system
- In the majority of instances where Symantec's pcAnywhere remote management functions would be used, the HOST system is a normally unmanned system (web, mail, file server, etc.)
- Should the REMOTE administrator be initiating a session with a manned HOST system, e.g., remote tech support of a user's desktop system, the HOST user would be a trusted/authorized user of that system, though not necessarily a privileged user
- Unauthorized system privileges can be gained ONLY on the local system, which normally limits the impact to the HOST system
- Although Symantec pcAnywhere provides remote control and management of other systems, additional identification and authentication is required by default to gain access to any remotely managed systems
- Gaining SYSTEM-level access on the local HOST system does NOT provide additional access to any remote system(s) through Symantec pcAnywhere
- Access to REMOTE management/administration capabilities should normally be restricted to trusted Administrators only, with additional restricted access to the physical system(s)
Symantec strongly recommends all users of Symantec pcAnywhere version 10.x apply the latest LiveUpdate packages or upgrade to the latest release of Symantec pcAnywhere to prevent potential misuse of this local access issue.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact firstname.lastname@example.org if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to email@example.com. The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.
Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org.
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and email@example.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Last modified on: Monday, 25-Oct-04 15:17:42