1/27/2012 - Added hot fix information for Symantec pcAnywhere versions 12.0.x and 12.1.x if customers are unable to follow the upgrade recommendations to 12.5 SP3. Link to Technical White Paper "Symantec pcAnywhere Security Recommendations"
Updates to "Affected Products" and "Products Not Affected"
2/3/2012 - Update URL to new hotfix doc TECH179960 with additional information on the latest hotfix roll-up and updating to the latest supported product version release. Clarification for pcAnywhere versions prior to 12.x. While older versions of pcAnywhere are affected. They are no longer supported. Users are strongly advised to upgrade to the latest release.
Added information on additional potential vulnerabilities found during on-going code review that could cause instability in the pcAnywhere client or server.
2/10/2012 - Update URL to new hot fix doc TECH182142 with additional information on the latest hot fix roll-up and updating to the latest supported product version release.
3/1/2012 - Symantec released an new Symantec pcAnywhere security advisory, SYM12-003, which includes a roll-up hotfix of all previous updates for pcAnywhere. All references have been updated in this advisory to point to the new TECH182142.
4/9/2012 – Symantec released the latest version of pcAnywhere: pcAnywhere 12.5 SP4 and pcAnywhere Solution 12.6.7 which included many performance enhancements, all of the previous released security updates and enhancements to the security model of pcAnywhere. Symantec recommends all pcAnywhere users move to the latest release of their respective product.
Remote Code Execution
CVSS2 Base Score: 8.33
Impact 10.0, Exploitability 6.5
CVSS2 Vector: (AV:A/AC:L/Au:N/C:C/I:C/A:C)
Exploit Publicly Available : Highly Likely
Local Access File Tampering
CVSS2 Base Score: 6.8
Impact 10.0, Exploitability 3.1
CVSS2 Vector: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploits Publicly Available: No
Access Violation Open Client Session
CVSS2 Base Score: 7.5
Impact 8.5, Exploitability 6.8
CVSS2 Vector: (AV:N/AC:M/Au:S/C:C/I:P/A:P)
Exploits Publicly Available: No
Malformed or unexpected Input Denial of Service
CVSS2 Base Score: 6.8
Impact 6.9, Exploitability 8
CVSS2 Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Exploits Publicly Available: No
Symantec pcAnywhere is susceptible to local file tampering elevation of privilege attempts and remote code execution attempts. It is possible to run arbitrary code on a targeted system in the context of the application which is normally System. Symantec pcAnywhere is also susceptible to access violation and input instability issues that could potentially prevent fully closing a remote client connection or result in a server or client denial of service.
Upgrade to the latest release of pcAnywhere 12.5 SP4 or pcAnywhere Solution 12.6.7. For instructions, see the following article:
The hot fixes identified in TECH182142 have been back ported to support Symantec pcAnywhere 12.0.x and 12.1.x for customers currently unable to upgrade to Symantec pcAnywhere 12.5 SP4 or pcAnywhere Solution 12.6.7
Symantec strongly recommends that customers upgrade at the first opportunity to the latest release of pcAnywhere 12.5 SP4 or pcAnywhere Solution 12.6.7
If you are using an earlier version of Symantec pcAnywhere 12.5, SP1 or SP2, and have already applied the hot fixes, you WILL need to reapply the hot fixes in TECH182142 after upgrading to Symantec pcAnywhere 12.5 SP3
Product(s) Not Affected
Altiris IT Management Suite
Altiris Client Management Suite
Altiris Deployment Solution
Note: Symantec's Altiris products are NOT impacted by this issue. Only the pcAnywhere solutions deployed and implemented as part of the product suite are impacted.
Symantec was informed of remote code execution and local file tampering elevation of privilege issues impacting Symantec pcAnywhere. The remote code execution is the result of not properly validating/filtering external data input during login and authentication with Symantec pcAnywhere host services on 5631/TCP. Under normal installation and configuration in a network environment, access to this port should only be available to authorized network users. Successful exploitation would require either gaining unauthorized network access or enticing an authorized network user to run malicious code against a targeted system. Results could be a crash of the application or possibly successful arbitrary code execution in the context of the application on the targeted system.
Additionally, some files uploaded to the system during product installation are installed as writable by everyone and susceptible to file tampering. An authorized but unprivileged user with local access to a targeted host could potentially overwrite these files with code of their choice in an attempt to leverage elevated privileges.
During code reviews, Symantec engineers identified additional areas of weakness that are being addressed in updates to the original hotfix. During a valid client server session unexpected input to the client can result in an exception error. This can generate an access violation resulting in the remote session being dropped but leaving the client session open in specific instances. This could potentially enable an unauthorized connection to the client session.
Malformed input to a client or server or, an unexpected response to a request could potentially destabilize the application causing it to hang or crash resulting in a denial of service. A manual restart of the Symantec pcAnywhere service would be required.
Symantec engineers verified these issues on the supported versions identified above. Product updates are available to address these issues. Symantec engineers continue to review all functionality to further enhance the overall security of Symantec pcAnywhere. Updates will be identified in revisions to this advisory as required.
If customers do not require the use of remote access capabilities, Symantec pcAnywhere should not be enabled. If Symantec pcAnywhere is installed but not required, it can be uninstalled from the system.
If Symantec pcAnywhere is in use on a network or system, customers should be following best practices regarding physical security, endpoint security, network perimeter security, and secure remote access (see recommended best practices below) as they should with any remote access program.
Specific to Symantec pcAnywhere or any remote access application, corporate firewalls should not allow inbound or outbound access to pcAnywhere without using VPN tunnels.
Companies or individual users should employ best practices when it comes to the configuration of Symantec pcAnywhere or any remote access application e.g.,
password retry limits,
always configuring the application to require the user to approve all remote connections.
Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit it in the wild.
If you are not currently able to move to the latest Symantec release; pcAnywhere 12.5 SP4 or pcAnywhere Solution 12.6.7, at least ensure you are running the most current hot fixes for your pcAnywhere application available from the following location:
TECH182142 provides the most current updated hot fix to include all available patches
If you have already applied the previous hot fix from TECH179960, you will still need to apply this TECH182142 hot fix to receive the latest updates.
If you have NOT applied the previous hot fix from TECH179960, then you just need to apply the latest TECH182142 hot fix
LiveUpdate Option for Home and Home Office users of Symantec pcAnywhere 12.5.x:
Symantec pcAnywhere 12.5.x users who run automatic LiveUpdate will automatically receive updates to Symantec pcAnywhere 12.5 SP3 and all available hot fixes
Users running Symantec pcAnywhere supported versions prior to 12.5.x (12.0.x or 12.1.x) will NOT receive these upgrades or hot fixes through LiveUpdate. Symantec strongly recommends following guidance in TECH182142 for upgrading to pcAnywhere 12.5 SP3 and then apply all available updates
Symantec pcAnywhere 12.5.x users should run a manual LiveUpdate as follows to ensure they have the latest updates available:
Open the Symantec pcAnywhere 12.5.x application
Click Help > LiveUpdate
Run LiveUpdate until all available product updates are downloaded and installed
A system reboot may be required for the update to take affect
Once all updates have been applied, review update and build information found in TECH182142 to ensure you have updated your Symantec pcAnywhere application to the latest available build.
Mitigations Symantec Security Response has released IPS signature 25253, "Attack: Symantec pcAnywhere Elevation of Privilege CVE-2011-3478" that detects and blocks attempts to exploit issues of this nature. Signatures are available through normal Symantec updates.
Symantec recommends the following best practices when using remote access applications:
Corporate firewalls should not allow inbound or outbound access without using VPN tunnels
When configuring a remote access application, establish policies around password strength, password retry limits
Always configure the application to require the user to approve all remote connections
As part of normal best practices, Symantec strongly recommends:
Restrict access to administration or management systems to privileged users
Restrict remote access, if required, to trusted/authorized systems only
Run under the principle of least privilege where possible to limit the impact of exploit by threats
Keep all operating systems and applications updated with the latest vendor patches
Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats
Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities
Security Focus, http://www.securityfocus.com, has assigned the following Bugtraq IDs (BIDs)
BID 51592 for the remote code executions
BID 51593 for the local access file tampering
BID 51862 for the access violation open client session
BID 51965 for the Denial of Service
These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. The following CVE Candidate IDs have been assigned to these issues:
CVE-2011-3478 for the remote code executions
CVE-2011-3479 for the local access files tampering
CVE-2012-0290 for the access violation open client session
CVE-2012-0291 for the Denial of Service
Credit Symantec would like to thank the following individuals for reporting these issues and coordinating with us while Symantec resolved them.
Tal zeltzer working through TippingPoint’s Zero Day Initiative and Edward Torkington at NGS Secure for identifying the remote code execution issues.
Edward Torkington at NGS Secure for identifying the world-writable files local access privilege escalation.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines.
Please contact firstname.lastname@example.org if you feel you have discovered a security issue in a Symantec product. A member of the Symantec Product Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to email@example.com. The Symantec Product Security PGP key can be found at the location below.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Product Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Product Security, and email@example.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.