[NT] Symantec LiveUpdate Stores Information Insecurely (LiveUpdate, Ghost)

From: support@securiteam.com
Date: 03/09/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat,  9 Mar 2002 00:25:34 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Symantec LiveUpdate Stores Information Insecurely (LiveUpdate, Ghost)
------------------------------------------------------------------------

SUMMARY

Norton Antivirus Corporate Edition, like other Symantec products, includes
LiveUpdate. LiveUpdate stores Username and Password information in clear
text in the registry. Symantec's Ghost suffers from this problem as well;
other Symantec products may be affected.

DETAILS

Vulnerable systems:
Symantec Ghost version 7.0
Symantec Ghost version 7.5
Norton Antivirus Corporate Edition

Any user with the client installed can run "regedit" and read the values
under:
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\LiveUpdateSource

or:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NGServer\params

to discover the username and password used by the product.

In the case of Ghost, the product creates a special user account on the
machine to run the service under, but it appears to store the password for
this account in plain text in the registry.
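An administrator who wants to confirm whether a fleet of clients is affected can audit a registry export (a .reg file produced by regedit) offline, without touching the live hive. The script below is an added example, not code from the advisory or from Symantec: it parses the .reg format, looks only under the two key paths named above, and flags REG_SZ values whose names look like credentials (the value names "UserName", "Password" and "Account" in the sample are assumptions about the layout; the export itself is constructed). Values stored as hex: (REG_BINARY) are reported as not cleartext, which is what the vendor's later "encrypted by default" storage would look like in an export.

```python
"""Audit a registry export (.reg) for cleartext LiveUpdate / Ghost credentials.

Added example; not part of the SecuriTeam advisory. The sample export at the
bottom is constructed, and the value names it uses are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Key prefixes named in the advisory (compared case-insensitively).
AFFECTED_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\LiveUpdateSource",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NGServer\params",
)
# Value names that usually carry a credential (assumed list; extend per product).
CREDENTIAL_NAMES = re.compile(r"(pass(word|wd)?|pwd|secret|user(name)?)", re.I)

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Parse a .reg export into {key: {value_name: (type, data)}}.

    Only the "..." (REG_SZ), dword: and hex: forms are recognised, which is
    enough for the keys this advisory describes.
    """
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name, data = m.group("name"), m.group("data")
            if data.startswith('"') and data.endswith('"'):
                # .reg files double backslashes inside string values.
                keys[current][name] = ("REG_SZ", data[1:-1].replace("\\\\", "\\"))
            elif data.startswith("dword:"):
                keys[current][name] = ("REG_DWORD", data[len("dword:"):])
            elif data.startswith("hex"):
                keys[current][name] = ("REG_BINARY", data.split(":", 1)[1])
    return keys


def find_cleartext_credentials(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every REG_SZ value with a
    credential-like name under one of the affected keys."""
    findings = []
    for key, values in parse_reg(text).items():
        if not any(key.lower().startswith(p.lower()) for p in AFFECTED_KEYS):
            continue
        for name, (vtype, data) in values.items():
            if vtype == "REG_SZ" and CREDENTIAL_NAMES.search(name):
                findings.append((key, name, data))
    return findings


# Constructed sample export: one affected key holding a plain-text password,
# one affected key whose password is stored as binary, and an unrelated key
# that must be ignored.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\LiveUpdateSource]
"Host"="liveupdate.example.internal"
"UserName"="lu_reader"
"Password"="CONSTRUCTED-SAMPLE"
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NGServer\params]
"Account"="EXAMPLE\\ghostsvc"
"Password"=hex:01,02,03

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Unrelated]
"Password"="not-in-scope"
'''

if __name__ == "__main__":
    for key, name, data in find_cleartext_credentials(SAMPLE_REG):
        # Mask the secret itself; the finding is that it is readable at all.
        print(f"{key}\n  {name} = {'*' * len(data)}  (cleartext REG_SZ)")
```

Run against a real export (regedit, File > Export, on a client) the same way; the script prints the key and value name but masks the data, so the report can be shared without re-exposing the credential. The remaining check, which an offline export cannot show, is the key's DACL: if only administrators can read the key, the vendor's "least privilege" argument for Ghost holds, and if it is readable by every authenticated user, it does not.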

Vendor response:

About NAV:

Symantec's Norton Antivirus Corporate Edition provides the administrator
the ability to push LiveUpdate definitions out to individual clients or to
configure each client with a read-only username and password access to an
internal local LiveUpdate server to download local updates. While the
local username and password were stored in the registry in the clear in
LiveUpdate 1.5, LiveUpdate 1.6 and later versions encrypt this username
and password by default.

Symantec would like to emphasize that in all instances, the username and
password pair is NOT connected with authentication to access Symantec's
LiveUpdate server. The username and password in question are ONLY
associated with the local network internal server. Symantec is aware of
the issue addressed by Mr. Sanchez and it is not a LiveUpdate issue.
Rather it is an internal server issue when passing the username and
password to the client system that is affecting the password encryption
causing the clear text exposure. This problem is currently being
addressed and will be available for update as soon as it is fully tested.

Symantec appreciates the concern of Mr. Sanchez and takes the security of
our products very seriously. We would like to re-emphasize however, that
this read-only username/password is for internal server access only.
Additionally, if company policy is such that all updates are controlled at
a centralized server and pushed out to client systems, the issue in
question does not exist.

About Symantec Ghost:

During the installation process for Symantec Ghost Corporate Edition, the
key in question is created with Administrator access only by default.
Normal best practice procedures of administrators allowing "least
privilege" access to normal system users would preclude access to any
unauthorized registry information by anyone other than a user with
administrator privileges.

Unauthorized access to the system registry presents security concerns for
any program that uses the registry to persist data. Protection of
your system includes restricting physical access to your system and
restricting administrative privileges.

Symantec takes the security of our products very seriously and appreciates
the concerns of Mr. Miller. Symantec is constantly working to improve our
products and we will be reviewing additional protective measures for this
key in future upgrades.

ADDITIONAL INFORMATION

The information has been provided by <mailto:jsanchez157@hotmail.com>
Javier Sanchez, <mailto:pcmiller61@yahoo.com> Peter Miller, and
<mailto:calanan@gogstats.org> Calanan, Michael.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
