High (heavily dependent on environment)
Symantec resolved an unencrypted default password issue reported in Symantec's ON Command CCM and ON iCommand configuration servers. A malicious user who has privileged local access to the system that hosts the server can potentially gain access to administrative information and sensitive management/configuration data. An unauthorized user who has remote access to the network could potentially gather administrative information that could be leveraged for additional system access to the server and potentially to other systems being managed.
Symantec ON Command CCM 5.4.x (Windows, Solaris, HP-UX, Linux)
Symantec ON iCommand 3.0.x (Windows)
A posting to the SecurityFocus BugTraq list identified an issue with unencrypted default database account information that is accessible on the Symantec ON Command CCM and Symantec ON iCommand software management solutions. Administrative access and database management information is provided by default on the management server. A user with privileged local access to the system that hosts the management server could gain administrative access to the database and gather sensitive data concerning the systems that are being managed from that host. An unauthorized user with network access could potentially capture the login system calls from the server and leverage additional unauthorized access to the management server database. Unauthorized access could allow the attacker to collect additional sensitive information or to alter configuration information on managed systems.
Symantec confirmed the issues discussed above and has developed solutions to resolve them.
Symantec has released a patch for all affected products that removes any default passwords and provides strong administrative password management including change control and encryption.
Symantec strongly recommends that customers apply the appropriate patch for their affected product versions immediately to protect against these types of threats.
Product patches are available on the Symantec Enterprise Support site
Symantec is not aware of any active attempts against or organizations impacted by the issues.
While this has potential to be a serious vulnerability, there are mitigating circumstances that greatly reduce the risk of intentional exploitation attempts
- To gain local access to the server information, a user must have a user account on the targeted system and be logged on interactively
- The server's default database port can be firewalled locally on the Symantec ON Command CCM server, denying access to network requests
- Access to management servers should normally be restricted to trusted Administrators only with restricted access to the physical systems.
CVE candidate numbers have been requested from The Common Vulnerabilities and Exposures (CVE) initiative. This advisory will be revised as required once CVE candidate numbers have been assigned.
These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact firstname.lastname@example.org if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to email@example.com. The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.
Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org.
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and email@example.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Last modified on: Monday, 25-Oct-04 22:33:35