My next class:
Web App Penetration Testing and Ethical Hacking, Amsterdam, Mar 31st - Apr 5th 2025

pcAnywhere users – patch now!

Published: 2012-01-25. Last Updated: 2012-01-26 04:51:20 UTC
by Bojan Zdrnja (Version: 1)
6 comment(s)

Symantec released a patch for pcAnywhere products that fixes a couple of vulnerabilities; the most dangerous of them allows remote code execution. You can see Symantec’s advisory here.

For the last couple of weeks there have been a lot of rumors about the source code of several Symantec products being stolen by as yet unknown hackers. Besides a post that listed file names, nothing else has been released in public yet, as far as we know.

However, Symantec also released a document (available here) that details security recommendations for pcAnywhere users. It is obvious that Symantec is aware of how critical the published vulnerabilities are. It makes us wonder whether there has already been active exploitation of the published vulnerabilities, or whether Symantec is just being extra careful.

We’ll keep an eye on this, and if you are a pcAnywhere user – PATCH NOW.

Update

And a short update: according to DShield data it appears that someone started scanning around for services on port 5631 (pcAnywhere). While the number of sources is still relatively low (indicating a single scanner, or a small number of them), the number of targets is pretty high. See for yourself here.
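To apply the same sources-versus-targets reading to your own perimeter logs, here is an added example (not part of the original diary and not DShield's tooling) that groups inbound TCP 5631 probes by source and lists the internal hosts that were touched. The iptables-style log lines, the addresses and the `min_targets` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

PCA_PORT = 5631  # pcAnywhere port named in the diary

# Constructed iptables-style lines using documentation address ranges; not real data.
SAMPLE_LOG = """\
Jan 26 03:10:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=5631
Jan 26 03:10:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=40113 DPT=5631
Jan 26 03:10:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=40114 DPT=5631
Jan 26 03:10:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=40115 DPT=5631
Jan 26 03:12:40 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=5631
Jan 26 03:12:43 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=5631
Jan 26 03:13:05 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.20 PROTO=TCP SPT=44321 DPT=443
Jan 26 03:13:09 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.14 PROTO=TCP SPT=40116 DPT=22
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def summarize_probes(log_text, port=PCA_PORT):
    """Map each source IP to the set of distinct targets it probed on port/TCP."""
    targets_by_source = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue  # not a pcAnywhere probe
        if "SRC" in fields and "DST" in fields:
            targets_by_source[fields["SRC"]].add(fields["DST"])
    return dict(targets_by_source)


def likely_scanners(targets_by_source, min_targets=3):
    """Sources that touched at least min_targets distinct hosts, widest first."""
    hits = [(src, len(dsts)) for src, dsts in targets_by_source.items()
            if len(dsts) >= min_targets]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def exposed_targets(targets_by_source):
    """Every probed address: the hosts to check for a listening pcAnywhere service."""
    return sorted({dst for dsts in targets_by_source.values() for dst in dsts})


if __name__ == "__main__":
    probes = summarize_probes(SAMPLE_LOG)
    print("sources:", len(probes), "targets:", len(exposed_targets(probes)))
    for src, count in likely_scanners(probes):
        print(f"{src} probed {count} distinct hosts on TCP {PCA_PORT}")
```

Few sources against many targets is the sweep pattern described above; the list from `exposed_targets` is the set of hosts to check first for an unpatched pcAnywhere service.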

Update 2

Just further to the information Bojan has already provided.  Keep in mind that pcAnywhere is part of a number of Symantec products including backup, security and of course it is part of the Altiris management suite. - MH

 

--
Bojan
INFIGO IS

Keywords: pcAnywhere Symantec

Comments

There is some noise in the blogosphere about Symantec saying that everyone should stop using pcAnywhere, you're saying to merely patch it - which is the correct response? http://nakedsecurity.sophos.com/2012/01/25/symantec-stop-pcanywhere/
There is definitely word going around that Symantec recommends removing their pcAnywhere product completely. The patches fix a couple of vulnerabilities, but the rest of the problem involves the encryption used by it. Computerworld suggests that the private key was hard-coded into the source code that was stolen in 2006 in a network security breach. This code is now apparently in the possession of Anonymous.
- http://clientui-kb.symantec.com/kb/index?page=content&pmv=print&impressions=&viewlocale=&id=TECH179526
Updated: 2012-01-27
.
- http://clientui-kb.symantec.com/kb/index?page=content&pmv=print&impressions=&viewlocale=&id=TECH179526
Updated: 2012-01-28 - Technical Solution for pcAnywhere 12.0 12.5 12.5 SP3, pcAnywhere Solution 12.5 12.6 12.6.2
.
Does this affect pcAny 11, too? I'm using ver. 11.0.1.764 + awhseq.dll and awhlogon.dll ver. 11.0.1.778, which are the latest and last updates to PCA 11, as far as I know. Core files date back to 2003, so I was wondering if it uses the same compromised encryption scheme.
@ LLuke
- http://www.reuters.com/article/2012/01/30/us-symantec-hacking-idUSTRE80T1TA20120130
Jan 30, 2012 - "... Symantec is offering free upgrades to pcAnywhere 12.5 at no charge to all customers, even those using old editions that would not typically qualify for support.... contact the company via email for more information: pcanywhere@symantec.com "
.
