SYM06-003
March 07, 2006
Symantec Ghost: Local access vulnerabilities in Database

Revision History
3/16/2006 - advisory updated to better identify the cause of the problems discovered and addressed in Symantec Ghost Solutions Suite 1.0 database implementation
3/23/2006 - Added assigned CVE numbers

Risk Impact
low (Highly configuration dependent)

Remote Access: No
Local Access: Yes
Authentication Required: Yes
Exploit publicly available: No

Overview

Symantec engineers updated the db component to address three local access vulnerabilities discovered in the database installed with Symantec Ghost and the Central Management Console in Symantec Ghost Solutions Suite (SGSS) 1.0. Exploitation of any of these issues requires physical access to the host system. Successful exploitation by a malicious local user could result in unauthorized information disclosure, modification or destruction of stored administrative data, or could possibly be leveraged by a non-privileged local user to gain additional access on the local system.

Affected Product(s)

Product | Version | Build | Solution
Symantec Ghost | 8.0 (EOL / EOS 11/15/2005) | All | Symantec Ghost 8.3 shipped as a part of Symantec Ghost Solutions Suite 1.1
Symantec Ghost | 8.2 (shipped as a part of SGSS 1.0) | All | Symantec Ghost 8.3 shipped as a part of Symantec Ghost Solutions Suite 1.1

Details
The three local access vulnerabilities addressed in Symantec Ghost Solutions Suite 1.1 were:

  • A default administrator login/password pair left during installation that could allow a malicious local user to modify or delete stored administrative tasks. To successfully exploit this issue, a malicious user would require local access to, as well as authorization on, the targeted system. A non-privileged malicious local user could possibly modify tasks to run arbitrary code on the local system that could potentially be leveraged to gain additional system access.
  • A memory mapping permission issue occurring in shared memory in the database installation. Shared memory sections are read/write for all users. A non-privileged local user could potentially gain unauthorized access to information stored in the database or possibly be able to alter stored information.
  • A buffer overflow in the login dialog of the version of dbisqlc.exe installed with the run-time edition of the database that could result in unauthorized information disclosure. The dbisqlc.exe component is not used by default in Symantec Ghost, but is installed as a part of the db package in the event a client should want to use it. In normal installations, dbisqlc is a non-privileged interactive database client which would limit anything gained by exploiting this issue. However, successful exploitation could provide a non-privileged local user access to information stored in the database that should not and would not normally be accessible.
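
For the memory mapping permission issue above, the following added example (not Symantec's code, and not part of the original advisory) audits the SDDL form of a shared-memory section's security descriptor for ACEs that give broad groups read or write access. It assumes the shared memory is a Windows section object whose descriptor has already been exported as an SDDL string; the sample descriptors are constructed.

```python
import re

# Access-mask bits from winnt.h that matter for a section (file-mapping) object.
SECTION_MAP_WRITE, SECTION_MAP_READ = 0x0002, 0x0004
WRITE_DAC, WRITE_OWNER = 0x00040000, 0x00080000
GENERIC_ALL, GENERIC_WRITE, GENERIC_READ = 0x10000000, 0x40000000, 0x80000000
READ = SECTION_MAP_READ | GENERIC_READ | GENERIC_ALL
WRITE = SECTION_MAP_WRITE | GENERIC_WRITE | GENERIC_ALL | WRITE_DAC | WRITE_OWNER

# SDDL two-letter rights tokens and the bits they stand for.
RIGHTS = {"GA": GENERIC_ALL, "GX": 0x20000000, "GW": GENERIC_WRITE, "GR": GENERIC_READ,
          "SD": 0x10000, "RC": 0x20000, "WD": WRITE_DAC, "WO": WRITE_OWNER,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
          "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}

# Trustees that include non-privileged local users (SDDL alias and raw SID).
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone",
         "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "BU": "Users", "S-1-5-32-545": "Users",
         "IU": "Interactive", "S-1-5-4": "Interactive",
         "AN": "Anonymous", "S-1-5-7": "Anonymous"}

def parse_mask(rights):
    """Turn an SDDL rights field (hex or token string) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]  # KeyError on a token not in the table
    return mask

def audit_section_sddl(sddl):
    """Return (trustee, can_read, can_write) for each over-broad allow ACE."""
    dacl = re.search(r"D:([A-Z_]*)((?:\([^)]*\))*)", sddl)
    if dacl is None or "NO_ACCESS_CONTROL" in dacl.group(1):
        # No DACL or a NULL DACL: Windows grants every caller full access.
        return [("Everyone (no DACL)", True, True)]
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(2)):
        fields = ace.split(";")
        ace_type, mask, trustee = fields[0], parse_mask(fields[2]), fields[5]
        if ace_type == "A" and trustee in BROAD and mask & (READ | WRITE):
            findings.append((BROAD[trustee], bool(mask & READ), bool(mask & WRITE)))
    return findings

# Constructed sample descriptors, not taken from a Ghost installation.
WEAK = "O:BAG:SYD:(A;;CCDCLCSWRPSDRCWDWO;;;WD)"  # Everyone: SECTION_ALL_ACCESS
NULL_DACL = "O:BAG:SYD:NO_ACCESS_CONTROL"
HARDENED = "O:BAG:SYD:P(A;;0xf001f;;;SY)(A;;0xf001f;;;BA)"
```

The check looks only at allow ACEs, so a descriptor that relies on an earlier deny ACE to offset a broad grant will still be reported and needs manual review.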

Symantec Response
Symantec engineers have verified all issues and fixes have been released in Symantec Ghost Solutions Suite 1.1 for all languages.

Symantec engineers determined the problems existed in the implementation of the older SQLAnywhere version installed with earlier Symantec Ghost products. The latest release of Sybase SQLAnywhere 9.0 integrated with Symantec Ghost Solutions Suite 1.1 fully addresses these issues.

Symantec recommends customers upgrade to the latest release of Symantec Ghost Solutions Suite 1.1. Contact your appropriate support channels for upgrade information.

NOTE: In a recommended installation, the system hosting the Symantec Ghost Console component of Symantec Ghost Solutions Suite should be restricted to trusted, privileged access users only. This prevents non-privileged local users from accessing or modifying data stored on the system.

Symantec is not aware of any exploit of or adverse customer impact from these issues.

As normal best practices, Symantec strongly recommends:

  • Restricting access to administration or management systems to privileged users only with additional restricted access to the physical host system(s) if possible.
  • Running under the principle of least privilege where possible to limit the impact of exploit by threats such as this.
  • Keeping all operating systems and applications updated with the latest vendor patches.
  • Following a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection against both inbound and outbound threats.

CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CVE-2006-1284 to the default login issue.
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CVE-2006-1285 to the memory mapping issue.
The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CVE-2006-1286 to the login dialog overflow issue.
These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Credit
Ollie Whitehouse, Symantec, identified these issues in Symantec Ghost Solution Suite 1.0.


Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the end of this message.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

  • Symantec Vulnerability Response Policy
  • Symantec Product Vulnerability Management PGP Key


Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Initial Post on: Tuesday, 07-Mar-06 11:30:00
Last modified on: Friday, 24-Mar-06 19:58:04