
SANS ISC: pcAnywhere users – patch now! - SANS Internet Storm Center SANS ISC InfoSec Forums


pcAnywhere users – patch now!

Symantec released a patch for pcAnywhere products that fixes a couple of vulnerabilities, the most dangerous of which allows remote code execution. You can see Symantec’s advisory here.

For the last couple of weeks there have been a lot of rumors about the source code of several Symantec products that was stolen by as yet unknown hackers. Besides a post that listed file names, nothing else has been released in public yet, as far as we know.

However, Symantec also released a document (available here) that details security recommendations for pcAnywhere users. It is obvious that Symantec is aware of how critical the published vulnerabilities are. It makes us wonder whether there has already been active exploitation of the published vulnerabilities, or whether Symantec is just being extra careful.

We’ll keep an eye on this, and if you are a pcAnywhere user – PATCH NOW.

Update

And a short update: according to DShield data it appears that someone started scanning around for services on port 5631 (pcAnywhere). While the number of sources is still relatively low (indicating a single scanner, or a small number of them), the number of targets is pretty high. See for yourself here.
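One way to check your own perimeter logs for the pattern described above (few sources, many targets on port 5631). This is an added example, not part of the original diary or of DShield's tooling; the netfilter-style log lines, the addresses and the `MIN_TARGETS` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

PCANYWHERE_PORT = 5631  # port named in the diary
MIN_TARGETS = 3         # assumed threshold for this small sample; tune for real traffic

# Constructed sample in netfilter LOG style, using documentation address ranges.
SAMPLE_LOG = """\
Jan 25 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=5631
Jan 25 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=40002 DPT=5631
Jan 25 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=40003 DPT=5631
Jan 25 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=40004 DPT=5631
Jan 25 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=5631
Jan 25 10:05:00 fw kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=5631
Jan 25 10:06:00 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.14 PROTO=TCP SPT=40006 DPT=22
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def summarize(log_text, port=PCANYWHERE_PORT):
    """Map each source IP to the set of distinct hosts it contacted on TCP `port`."""
    targets_by_source = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != str(port):
            continue  # other ports and protocols are out of scope here
        if "SRC" in f and "DST" in f:
            targets_by_source[f["SRC"]].add(f["DST"])  # set dedupes retries
    return dict(targets_by_source)

def likely_scanners(targets_by_source, min_targets=MIN_TARGETS):
    """Sources that touched at least `min_targets` distinct hosts, widest first."""
    hits = [(src, len(dsts)) for src, dsts in targets_by_source.items()
            if len(dsts) >= min_targets]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

def report(log_text):
    """Source count, target count and flagged sources for the pcAnywhere port."""
    by_src = summarize(log_text)
    all_targets = set().union(*by_src.values())
    return {"sources": len(by_src), "targets": len(all_targets),
            "scanners": likely_scanners(by_src)}

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A source that reaches a single host on 5631 may be an ordinary remote-administration session, which is why the check counts distinct targets per source rather than raw connections.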

Update 2

Just further to the information Bojan has already provided.  Keep in mind that pcAnywhere is part of a number of Symantec products including backup, security and of course it is part of the Altiris management suite. - MH

 

--
Bojan
INFIGO IS


Bojan

376 Posts
ISC Handler
There is some noise in the blogosphere about Symantec saying that everyone should stop using pcAnywhere; you're saying to merely patch it. Which is the correct response? http://nakedsecurity.sophos.com/2012/01/25/symantec-stop-pcanywhere/
oleksiy

34 Posts
There is definitely word going around that Symantec recommends removing their pcAnywhere product completely. The patches fix a couple of vulnerabilities, but the rest of the problem involves the encryption used by it. Computerworld suggests that the private key was hard-coded into the source code that was stolen in 2006 in a network security breach. This code is now apparently in the possession of Anonymous.
AndrewB

24 Posts
- http://clientui-kb.symantec.com/kb/index?page=content&pmv=print&impressions=&viewlocale=&id=TECH179526
Updated: 2012-01-27
.
Jack

160 Posts
- http://clientui-kb.symantec.com/kb/index?page=content&pmv=print&impressions=&viewlocale=&id=TECH179526
Updated: 2012-01-28 - Technical Solution for pcAnywhere 12.0 12.5 12.5 SP3, pcAnywhere Solution 12.5 12.6 12.6.2
.
Jack

160 Posts
Does this affect pcAny 11, too? I'm using ver. 11.0.1.764 + awhseq.dll and awhlogon.dll ver. 11.0.1.778, which are the latest and last updates to PCA 11, as far as I know. Core files date back to 2003, so I was wondering if it uses the same compromised encryption scheme.
Jack
1 Posts
@ LLuke
- http://www.reuters.com/article/2012/01/30/us-symantec-hacking-idUSTRE80T1TA20120130
Jan 30, 2012 - "... Symantec is offering free upgrades to pcAnywhere 12.5 at no charge to all customers, even those using old editions that would not typically qualify for support.... contact the company via email for more information: pcanywhere@symantec.com "
.
Jack

160 Posts
