Symantec Norton AntiVirus Corporate Edition 7.x local LiveUpdate Server login information in clear
1008
06 March 2020
28 February 2002
CLOSED
LOW
SUMMARY
Reference
SecurityFocus BugTraq ID 4170, Symantec Norton AntiVirus LiveUpdate Plaintext Credentials Vulnerability
Risk Impact
Low
AFFECTED PRODUCTS
Affected Components
Norton AntiVirus Corporate Edition 7.x
ISSUES
Details
Symantec is aware of a recent posting to the SecurityFocus BugTraq mailing list by Javier Sanchez concerning an issue that exposes the LiveUpdate username and password.
According to Mr. Sanchez, Norton Antivirus Corporate Edition stores LiveUpdate username and password information in clear text in the registry on client systems.
A user with access to one of these client systems can run regedit and search for this information in the appropriate registry key.
MITIGATION
Symantec Response
Symantec's Norton AntiVirus Corporate Edition provides the administrator the ability to push LiveUpdate definitions out to individual clients or to configure each client with a read-only username and password access to an internal local LiveUpdate server to download local updates. While the local username and password were stored in the registry in the clear in LiveUpdate 1.5, LiveUpdate 1.6 and later versions encrypt this username and password by default.
Symantec would like to emphasis that in all instances, the username and password pair is NOT connected with authentication to access Symantec's LiveUpdate server. The username and password in question is ONLY associated with the local network internal server.
Symantec is aware of the issue addressed by Mr. Sanchez and it is not a LiveUpdate issue. Rather it is an internal server issue when passing the username and password to the client system that is affecting the password encryption causing the clear text exposure. This problem is currently being addressed and will be available for update as soon as it is fully tested.
ACKNOWLEDGEMENTS
Symantec appreciates the concern of Mr. Javier Sanchez and takes the security of our products very seriously. We would like to re-emphasize however, that this read-only username/password is for internal server access only. Additionally, if company policy is such that all updates are controlled at a centralized server and pushed out to client systems, the issue in question does not exist.