SUMMARY

Symantec pcAnywhere fails to properly protect remote user credentials stored in memory.

Risk Impact
Low

AFFECTED PRODUCTS

Note: Symantec pcAnywhere version 11.5.x is no longer a supported product. However a fix for this version in being developed and will be available at a later date. This fix will be made available on an as is basis with no support available. Users who wish to have full product support are encouraged to upgrade to the latest supported version.

ISSUES

Details
A remote user’s connection credentials are stored in clear text with in the Symantec pcAnywhere host server’s process memory when a remote session is requested. The last remote users logged in credentials are stored in clear text in the memory while the Symantec pcAnywhere host is active on the host machine. The credentials of a remote user requesting a session connection can be compromised if a user with administration rights on the host machine utilizes tools to dump the process memory, and search and discover remote user's credentials.

MITIGATION

Mitigations
Limit access to administrator account. Without administrative access, the heap memory cannot be dumped and remote credentials discovered.

Symantec Response
Symantec has released updates for all affected product version currently supported by Symantec. These updates are available through Symantec’s LiveUpdate.

To date, Symantec is not aware of any reported attempts to exploit this vulnerability.

ACKNOWLEDGEMENTS

Symantec would like to thank Jeremy Lebourdais of EdelWeb for reporting this issue to Symantec, and working with us on the resolution.