Enterprise Vault Discovery Collector can display the Vault Service Account password under certain conditions.

Article:TECH201661  |  Created: 2013-01-15  |  Updated: 2013-08-06  |  Article URL http://www.symantec.com/docs/TECH201661
Article Type: Technical Solution


Issue



After selecting the 'View Source' option in the Enterprise Vault Discovery Collector (EVDC) Data Sources tab main page, the Vault Service Account (VSA) password can be seen under certain conditions.

 


Environment



Symantec Enterprise Vault Discovery Collector 9.x or 10.x.

 


Cause



The security restrictions on the 'View Source' option of the EVDC Data Sources tab main page will allow the Vault Service Account (VSA) password to be displayed only if that password was entered on the page prior to selecting the 'View Source' option.

 


Solution



This is a very limited use case that can result in unauthorized viewing of the Vault Service Account (VSA) password. For such unauthorized viewing to occur, the VSA password must first have been entered into the EVDC Data Source main page by someone authorized to have that password. Then, any of the following actions or conditions must occur:

  1. An unauthorized person must be 'looking over the shoulder' of the EVDC administrator while he or she is viewing the 'View Source' page, or
  2. The EVDC administrator must be participating in a screen sharing application with an unauthorized person viewing the administrator's screen, or
  3. The EVDC administrator must print the 'View Source' page contents and an unauthorized person must access the printer to view the printout before the administrator does, or
  4. An EVDC user without knowledge of the VSA credentials must access the 'data sources' tab, then access the Enterprise Vault page, then use the option on the page.

To prevent unauthorized viewing of the VSA password from the 'View Source' page:

  1. Do not allow any unauthorized persons to view the EVDC administrator's screen while displaying the 'View Source' page after the VSA password has been entered:
    1. Click off of the 'View Source' page when unauthorized persons are near the EVDC administrator's area.
    2. Do not participate in screen sharing applications while viewing the 'View Source' page.
  2. Do not print the 'View Source' page contents on a remote or shared printer unless a person authorized to have the VSA password is waiting by the printer for the printout.

Symantec recommends implementing physical and procedural security policies to mitigate the possible exposure of the VSA password through the viewing of the 'View Source' page of any web accessed application.
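
A check for the condition described under Cause, as an added example that is not Symantec's code: it parses a saved copy of a page's source and reports whether a given secret appears in any attribute value or text node, in plain, URL-encoded or base64 form. The sample page, its field names and the password are constructed for illustration and are assumptions, not EVDC's actual markup.

```python
import base64
import getpass
import sys
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample; the field names and password are hypothetical, not EVDC's.
SAMPLE_PAGE = """<html><body><form>
<input type="text" name="vsaUser" value="svc_vault@example.test">
<input type="password" name="vsaPassword" value="Tr0ub4dor&amp;3-constructed">
</form></body></html>"""
SAMPLE_SECRET = "Tr0ub4dor&3-constructed"


class _Collector(HTMLParser):
    """Collect attribute values and text nodes with entities decoded."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.items = []  # (location, decoded text)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self.items.append((f"{tag}@{name} (line {self.getpos()[0]})", value))

    def handle_data(self, data):
        self.items.append((f"text (line {self.getpos()[0]})", data))


def find_secret_exposures(page_source, secret):
    """Return sorted descriptions of where `secret` occurs in the page source."""
    if not secret:
        raise ValueError("secret must be non-empty")
    variants = {}  # needle -> label; first label wins if encodings coincide
    for label, needle in (("plain", secret),
                          ("url-encoded", quote(secret, safe="")),
                          ("base64", base64.b64encode(secret.encode()).decode())):
        variants.setdefault(needle, label)
    parser = _Collector()
    parser.feed(page_source)
    parser.close()
    return sorted({f"{label} in {where}" for where, text in parser.items
                   for needle, label in variants.items() if needle in text})


if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PAGE
    secret = getpass.getpass("Secret to look for: ") if len(sys.argv) > 1 else SAMPLE_SECRET
    print("\n".join(find_secret_exposures(source, secret)) or "not found")
```

Run with the path to a saved page source to be prompted for the secret, so the password never appears on the command line or in shell history.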

For Enterprise Vault Discovery Collector 9.0:

This issue has been resolved in Enterprise Vault Discovery Collector 9.0 Service Pack 4 (EVDC 9.0.0).  EVDC 9.0, 9.0.1 or 9.0.2 installations must be upgraded to EVDC 9.0.3 before upgrading to 9.0.4.  For information on obtaining EVDC 9.0.4, see Technical Article TECH69036 in the Related Articles section below.

For Enterprise Vault Discovery Collector 10.0:

There are currently no plans to address this issue by way of a patch or hotfix in the current or previous versions of the software. This issue may be resolved in a future major revision of the software. However, this particular issue is not currently scheduled for any release. If you feel this issue has a direct business impact for you and your continued use of the product, please contact your Symantec Sales representative or the Symantec Sales group to discuss these concerns. For information on how to contact Symantec Sales, please see http://www.symantec.com

 


Supplemental Materials

Source: ETrack
Value: 3095909
Description:

Any Discovery Collector user can see the Vault Service Account password when performing a 'View Source' on the 'data source' tab after the VSA credentials have been configured and saved by an EV administrator on that page.



