=====================================================================
CERT-Renater Information Note No. 2012/VULN051
_____________________________________________________________________
DATE                : 27/01/2012
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S) : Systems running Symantec pcAnywhere.
======================================================================

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120124_00
_______________________________________________________________________

Security Advisories Relating to Symantec Products - Symantec pcAnywhere
Remote Code Execution, Local Access File Tampering

SYM12-002
January 24, 2012

Revision History
  None

Severity
  Remote Code Execution: High
    CVSS2 Base Score: 8.33 (Impact 10.0, Exploitability 6.5)
    CVSS2 Vector: (AV:A/AC:L/Au:N/C:C/I:C/A:C)
  Local Access File Tampering: Medium
    CVSS2 Base Score: 6.8 (Impact 10.0, Exploitability 3.1)
    CVSS2 Vector: (AV:L/AC:L/Au:S/C:C/I:C/A:C)

Exploits Publicly Available: No

Overview
Symantec pcAnywhere is susceptible to local file tampering elevation of privilege attempts and remote code execution attempts. It is possible to run arbitrary code on a targeted system in the context of the application, which is normally System.

Affected Product(s)
  Product                                      Version  Build  Solution
  Symantec pcAnywhere                          12.5.x   All    apply hotfix in TECH179526
  IT Management Suite 7.0 pcAnywhere Solution  12.5.x   All
  IT Management Suite 7.1 pcAnywhere Solution  12.6.x   All

Note: Only the versions listed above are supported. Customers running non-supported versions should upgrade to the latest release and apply the provided hotfix. Symantec pcAnywhere 12.5.x users should upgrade to the latest supported version, 12.5.3, prior to applying the hotfix, or reapply the hotfix once they upgrade to the 12.5.3 version.

Details
Symantec was informed of remote code execution and local file tampering elevation of privilege issues impacting Symantec pcAnywhere.
The remote code execution is the result of not properly validating/filtering external data input during login and authentication with Symantec pcAnywhere host services on 5631/TCP. Under normal installation and configuration in a network environment, access to this port should only be available to authorized network users. Successful exploitation would require either gaining unauthorized network access or enticing an authorized network user to run malicious code against a targeted system. Results could be a crash of the application or possibly successful arbitrary code execution in the context of the application on the targeted system.

Additionally, some files uploaded to the system during product installation are installed as writable by everyone and susceptible to file tampering. An authorized but unprivileged user with local access to a targeted host could potentially overwrite these files with code of their choice in an attempt to leverage elevated privileges.

Symantec Response
Symantec engineers verified these issues on the supported versions identified above. Product updates are available to address these issues. Symantec engineers continue to review all functionality to further enhance the overall security of Symantec pcAnywhere.

Note: Symantec pcAnywhere is shipped separately or as an optional bundled application along with other Symantec products. Because of this, pcAnywhere could be present on a system but neither configured nor enabled. Symantec pcAnywhere is NOT susceptible to any of these issues in a disabled/non-configured state. If customers do not require the use of remote access capabilities, Symantec pcAnywhere should not be enabled. If installed but not required, it can be uninstalled from the system.
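The file tampering issue above comes down to install-time files whose ACLs grant write access to everyone. The following added example (not Symantec's or CERT-Renater's code) shows how a defender can audit for that condition by parsing the text output of the Windows icacls tool. The sample output below is constructed; the paths under C:\Program Files\ExampleRemote and the permission sets on them are hypothetical, not pcAnywhere's real file layout.

```python
"""Audit icacls output for files that a broad principal (Everyone, all local
users, or all authenticated users) is allowed to write to.  Added example,
not the advisory's own code; the sample output and paths are constructed."""

import re

# Principals whose write access makes a file effectively world-writable.
BROAD_PRINCIPALS = {
    "Everyone",
    r"BUILTIN\Users",
    r"NT AUTHORITY\Authenticated Users",
}

# icacls simple rights that allow changing file contents (F = full, M = modify,
# W = write) plus the specific rights that do the same (WD = write data,
# AD = append data).  Inheritance flags such as I, OI, CI are ignored.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}

# Principal forms this parser recognises on a path line, where the path and
# the first ACE share one line and may both contain spaces.
PRINCIPAL = r"(?:Everyone|NT AUTHORITY\\.+?|NT SERVICE\\.+?|BUILTIN\\.+?|[^\s\\]+\\[^\\]+?)"
RIGHTS = r"(?P<rights>(?:\([^)]*\))+)"
PATH_LINE_RE = re.compile(r"^(?P<path>.+?)\s+(?P<principal>" + PRINCIPAL + r"):" + RIGHTS + r"$")
CONT_LINE_RE = re.compile(r"^(?P<principal>" + PRINCIPAL + r"):" + RIGHTS + r"$")

# Constructed icacls output: first ACE on the path line, further ACEs on
# indented continuation lines, then the summary line icacls prints.
SAMPLE_ICACLS = r"""C:\Program Files\ExampleRemote\host.dll BUILTIN\Users:(I)(RX)
                                        NT AUTHORITY\SYSTEM:(I)(F)
                                        BUILTIN\Administrators:(I)(F)
C:\Program Files\ExampleRemote\settings.cfg Everyone:(I)(F)
                                            NT AUTHORITY\SYSTEM:(I)(F)
C:\Program Files\ExampleRemote\agent.exe Everyone:(DENY)(W)
                                         BUILTIN\Users:(I)(RX,W)
                                         BUILTIN\Administrators:(I)(F)
C:\Program Files\ExampleRemote\data\host.log BUILTIN\Users:(I)(RX,W)
                                             BUILTIN\Administrators:(I)(F)

Successfully processed 4 files; Failed processing 0 files
"""


def parse_icacls(text):
    """Yield (path, principal, flags) for every ACE in icacls output."""
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if raw.startswith(" "):
            m = CONT_LINE_RE.match(line)          # continuation ACE
        else:
            m = PATH_LINE_RE.match(line)          # new file: path + first ACE
            if m:
                path = m.group("path")
        if m is None or path is None:
            continue
        flags = re.findall(r"\(([^)]*)\)", m.group("rights"))
        yield path, m.group("principal"), flags


def world_writable(text):
    """Return {path: [principal, ...]} for files where a broad principal has an
    allow ACE carrying a write right.  A DENY ACE on a write right for a broad
    principal suppresses the finding for that file, since Windows evaluates
    deny entries first (this is an approximation of full ACL evaluation)."""
    allow, denied = {}, set()
    for path, principal, flags in parse_icacls(text):
        if principal not in BROAD_PRINCIPALS:
            continue
        rights = {r for flag in flags for r in flag.split(",")}
        if not rights & WRITE_RIGHTS:
            continue
        if "DENY" in flags:
            denied.add(path)
        else:
            allow.setdefault(path, []).append(principal)
    return {p: who for p, who in allow.items() if p not in denied}


if __name__ == "__main__":
    for path, who in world_writable(SAMPLE_ICACLS).items():
        print(f"{path}: writable by {', '.join(who)}")
```

To run it against a real installation, capture icacls output for the install directory (e.g. icacls "<pcAnywhere install dir>" /T, with the path filled in locally) and pass the text to world_writable(); any file it reports should have its ACL tightened so that only administrators and the service account can modify it.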
If Symantec pcAnywhere is in use on a network or system, customers should be following best practices regarding physical security, endpoint security, network perimeter security, and secure remote access (see recommended best practices below), as they should with any remote access program. Specific to Symantec pcAnywhere or any remote access application, corporate firewalls should not allow inbound or outbound access to pcAnywhere without using VPN tunnels. Additionally, companies or individual users should employ best practices when it comes to the configuration of Symantec pcAnywhere or any remote access application, e.g., password strength, password retry limits, and always configuring the application to require the user to approve all remote connections.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit it.

Information on downloading and applying the upgrade is available from the following locations:

For Enterprise, Small & Mid-Sized Business (SMB)
  - Download the update from the following location: TECH179526, http://www.symantec.com/docs/TECH179526
  - or, use the LiveUpdate option, if authorized, to install this update

Home and Home Office
  pcAnywhere users who regularly run LiveUpdate should automatically receive an updated (non-vulnerable) version. To ensure all available updates have been applied, users can run a manual LiveUpdate as follows:
  * Open the Symantec pcAnywhere application
  * Click LiveUpdate
  * Run LiveUpdate until all available product updates are downloaded and installed
  * A system reboot may be required for the update to take effect

Mitigations
Symantec Security Response has released IPS signature 25253, "Attack: Symantec pcAnywhere Elevation of Privilege CVE-2011-3478", that detects and blocks attempts to exploit issues of this nature. Signatures are available through normal Symantec updates.
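The advisory's network-side guidance (the host service on 5631/TCP should only be reachable by authorized users, and never through the corporate firewall except over a VPN tunnel) can be checked against firewall logs. The following added example (not Symantec's or CERT-Renater's code) scans log lines in the Windows Firewall pfirewall.log column layout for inbound 5631/TCP packets whose source is outside the VPN address pool. The log lines are constructed, and the VPN range in ALLOWED_NETS is a hypothetical value to be replaced with the real tunnel range.

```python
"""Flag inbound packets to the pcAnywhere host port (5631/TCP) that did not
arrive from the VPN address pool.  Added example, not the advisory's code.
Assumes the Windows Firewall log field order; sample lines are constructed."""

import ipaddress

PCANYWHERE_PORT = 5631  # host service port named in the advisory

# Hypothetical VPN client pool; replace with the real tunnel range(s).
ALLOWED_NETS = [ipaddress.ip_network("10.8.0.0/24")]

# Column order of the Windows Firewall log (pfirewall.log).
FIELDS = ["date", "time", "action", "protocol", "src_ip", "dst_ip",
          "src_port", "dst_port", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info", "path"]

# Constructed sample: one VPN client, one direct Internet source that was
# allowed through, one that was dropped, a reply packet, and unrelated UDP.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-01-27 09:14:02 ALLOW TCP 10.8.0.23 10.1.5.40 51234 5631 0 S 1234567 0 8192 - - - RECEIVE
2012-01-27 09:14:09 ALLOW TCP 198.51.100.77 10.1.5.40 40211 5631 0 S 7654321 0 8192 - - - RECEIVE
2012-01-27 09:15:11 DROP TCP 203.0.113.9 10.1.5.40 44444 5631 0 S 1111111 0 8192 - - - RECEIVE
2012-01-27 09:16:30 ALLOW TCP 10.1.5.40 10.8.0.23 5631 51234 0 A 0 0 8192 - - - SEND
2012-01-27 09:17:00 ALLOW UDP 198.51.100.77 10.1.5.40 5000 5632 0 - - - - - - - RECEIVE
"""


def parse_line(line):
    """Return a dict of the log fields, or None for comments and short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_allowed_source(ip_text):
    """True when the source address lies inside one of the VPN ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def find_untunnelled_access(log_text):
    """Return (timestamp, src_ip, action) for every inbound TCP packet to
    PCANYWHERE_PORT whose source is outside ALLOWED_NETS.  DROP entries are
    reported as well: a stream of them shows the port is being reached from
    outside the tunnel even if the firewall is currently holding."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["protocol"] != "TCP" or rec["path"] != "RECEIVE":
            continue
        if int(rec["dst_port"]) != PCANYWHERE_PORT:
            continue
        if is_allowed_source(rec["src_ip"]):
            continue
        hits.append((rec["date"] + " " + rec["time"], rec["src_ip"], rec["action"]))
    return hits


if __name__ == "__main__":
    for when, src, action in find_untunnelled_access(SAMPLE_LOG):
        print(f"{when} {action:5} inbound {PCANYWHERE_PORT}/TCP from {src} (not via VPN)")
```

An ALLOW entry from a non-VPN source means the firewall policy itself contradicts the advisory's guidance and should be corrected before the hotfix is relied upon; DROP entries are useful as a measure of how often the port is being probed.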
Best Practices
Symantec recommends the following best practices when using remote access applications:
  * Corporate firewalls should not allow inbound or outbound access without using VPN tunnels
  * When configuring a remote access application, establish policies around password strength and password retry limits
  * Always configure the application to require the user to approve all remote connections

As part of normal best practices, Symantec strongly recommends:
  * Restrict access to administration or management systems to privileged users
  * Restrict remote access, if required, to trusted/authorized systems only
  * Run under the principle of least privilege where possible to limit the impact of exploit by threats
  * Keep all operating systems and applications updated with the latest vendor patches
  * Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats
  * Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities

References
Security Focus, http://www.securityfocus.com, has assigned the following Bugtraq IDs (BIDs) to these issues for inclusion in the Security Focus vulnerability database:
  BID 51592 for the remote code execution
  BID 51593 for the local access file tampering

These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. The following CVE Candidate IDs have been assigned to these issues:
  CVE-2011-3478 for the remote code execution
  CVE-2011-3479 for the local access file tampering

Credit
Symantec would like to thank the following individuals for reporting these issues and coordinating with us while Symantec resolved them.
  Tal Seltzer, working through TippingPoint's Zero Day Initiative, and Edward Torkington at NGS Secure for identifying the remote code execution issues.
  Edward Torkington at NGS Secure for identifying the world-writable files local access privilege escalation.

Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines.

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A member of the Symantec Product Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the location below.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.
  Symantec Vulnerability Response Policy
  Symantec Product Vulnerability Management PGP Key

Copyright (c) by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Product Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Product Security, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

* Signature names may have been updated to comply with an updated IPS Signature naming convention. See http://www.symantec.com/business/support/index?page=content&id=TECH152794&key=54619&actp=LIST for more information.

Last modified on: January 24, 2012
======================================================================

=========================================================
CERT-Renater reference servers
  http://www.cru.fr/securite
  http://www.renater.fr
=========================================================
+ CERT-RENATER            | tel  : 01-53-94-20-44 +
+ 23 - 25 Rue Daviel      | fax  : 01-53-94-20-41 +
+ 75013 Paris             | email: certsvp@renater.fr +
=========================================================