Symantec ON Command CCM/ON iCommand Default Passwords Can Provide Unauthorized Access
1048
06 March 2020
29 September 2004
CLOSED
HIGH
SUMMARY
Symantec resolved an unencrypted default password issue reported in Symantec's ON Command CCM and ON iCommand configuration servers. A malicious user who has privileged local access to the system that hosts the server can potentially gain access to administrative information and sensitive management/configuration data. An unauthorized user who has remote access to the network could potentially gather administrative information that could be leveraged for additional system access to the server and potentially to other systems being managed.
Risk Impact
High (heavily dependent on environment)
AFFECTED PRODUCTS
Affected Components
Symantec ON Command CCM 5.4.x (Windows, Solaris, HP-UX, Linux)
Symantec ON iCommand 3.0.x (Windows)
ISSUES
Details
A posting to the SecurityFocus BugTraq list identified an issue with unencrypted default database account information that is accessible on the Symantec ON Command CCM and Symantec ON iCommand software management solutions. Administrative access and database management information is provided by default on the management server. A user with privileged local access to the system that hosts the management server could gain administrative access to the database and gather sensitive data concerning the systems that are being managed from that host. An unauthorized user with network access could potentially capture the login system calls from the server and leverage additional unauthorized access to the management server database. Unauthorized access could allow the attacker to collect additional sensitive information or to alter configuration information on managed systems.
CVE candidate numbers have been requested from the Common Vulnerabilities and Exposures (CVE) initiative. This advisory will be revised as required once CVE candidate numbers have been assigned. These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
MITIGATION
Symantec Response
Symantec confirmed the issues discussed above and has developed solutions to resolve them.
Symantec has released a patch for all affected products that removes any default passwords and provides strong administrative password management including change control and encryption.
Symantec strongly recommends that customers apply the appropriate patch for their affected product versions immediately to protect against these types of threats.
Product patches are available on the Symantec Enterprise Support site: http://www.symantec.com/techsupp.
Symantec is not aware of any active exploitation attempts or of any organizations impacted by these issues.
Mitigation
While this has the potential to be a serious vulnerability, there are mitigating circumstances that greatly reduce the risk of intentional exploitation attempts:
- To gain local access to the server information, a user must have a user account on the targeted system and be logged on interactively.
- The server's default database port can be firewalled locally on the Symantec ON Command CCM server, denying access to network requests.
- Access to management servers should normally be restricted to trusted administrators only, with restricted access to the physical systems.