Symantec releases pcAnywhere hotfix to address remote code execution

Published by

This hotfix addresses the issues outlined in the pcAnywhere Security Advisory. Symantec recommends that this hotfix is applied to your current pcAnywhere installation.

According to Symantec:

"Symantec pcAnywhere is susceptible to local file tampering elevation of privilege attempts and remote code execution attempts. It is possible to run arbitrary code on a targeted system in the context of the application which is normally System."

Details
Symantec was informed of remote code execution and local file tampering elevation of privilege issues impacting Symantec pcAnywhere. The remote code execution is the result of not properly validating/filtering external data input during login and authentication with Symantec pcAnywhere host services on 5631/TCP. Under normal installation and configuration in a network environment, access to this port should only be available to authorized network users. Successful exploitation would require either gaining unauthorized network access or enticing an authorized network user to run malicious code against a targeted system. Results could be a crash of the application or possibly successful arbitrary code execution in the context of the application on the targeted system.

Additionally, some files uploaded to the system during product installation are installed as writable by everyone and susceptible to file tampering. An authorized but unprivileged user with local access to a targeted host could potentially overwrite these files with code of their choice in an attempt to leverage elevated privileges.

Symantec Response
Symantec engineers verified these issues on the supported versions identified above. Product updates are available to address these issues. Symantec engineers continue to review all functionality to further enhance the overall security of Symantec pcAnywhere.

Note: Symantec pcAnywhere is shipped separately or as an optional bundled application along with other Symantec products. Because of this, pcAnywhere could be present on a system but neither configured nor enabled. Symantec pcAnywhere is NOT susceptible to any of these issues in a disabled/non-configured state.

If customers do not require the use of remote access capabilities, Symantec pcAnywhere should not be enabled. If installed but not required, it can be uninstalled from the system.

If Symantec pcAnywhere is in use on a network or system, customers should be following best practices regarding physical security, endpoint security, network perimeter security, and secure remote access (see recommended best practices below) as they should with any remote access program.

Specific to Symantec pcAnywhere or any remote access application, corporate firewalls should not allow inbound or outbound access to pcAnywhere without using VPN tunnels. Additionally, companies or individual users should employ best practices when it comes to the configuration of Symantec pcAnywhere or any remote access application e.g., password strength, password retry limits, always configuring the application to require the user to approve all remote connections.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit it.

Information on downloading and applying the upgrade is available from the following locations:

For Enterprise, Small & Mid-Sized Business (SMB) - Download the update from the following location TECH179526, http://www.symantec.com/docs/TECH179526.

or, use the LiveUpdate option, if authorized, to install this update


Home and Home Office -

pcAnywhere users who regularly run LiveUpdate should automatically receive an updated (non-vulnerable) version. To ensure all available updates have been applied, users can run a manual LiveUpdate as follows:

- Open the Symantec pcAnywhere application
- Click LiveUpdate
- Run LiveUpdate until all available product updates are downloaded and installed
- A system reboot may be required for the update to take affect

Mitigations
Symantec Security Response has released IPS signature 25253, "Attack: Symantec pcAnywhere Elevation of Privilege CVE-2011-3478" that detects and blocks attempts to exploit issues of this nature. Signatures are available through normal Symantec updates.