SUMMARY

Risk Impact
Medium

AFFECTED PRODUCTS

ADDITIONAL PRODUCT INFORMATION

Non-Affected Products

ISSUES

Details
LiveUpdate server login name and password are written to a local log file in clear text. This happens when the LiveUpdate client checks for updates from the server. This is only an issue when a local LiveUpdate server is used with a login name and password.

The login name and password belong to the account configured by the LiveUpdate server administrator for accessing LiveUpdate packages. Symantec strongly recommends that this user account be unique for accessing LiveUpdate packages only, and have no other system access. The system administrator account should never be used for this purpose.

Note: As stated in the LiveUpdate download readme file: LiveUpdate version 2.7.x does not support the LiveUpdate Administration Utility, Version 1.5.x. If you are running a system as a Central LiveUpdate server please go to http://www.symantec.com/techsupp/files/lu/lu.html and download Version 1.5.4.15 update for the LiveUpdate Administration Utility.

MITIGATION

Symantec Response
An update for the LiveUpdate 2.7 client has been released and can be downloaded from the following location:

http://www.symantec.com/techsupp/files/lu/lu.html

Symantec is not aware of any active attempts against or organizations impacted by this issue.

As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends any affected customers update their product immediately to protect against these types of threats

ACKNOWLEDGEMENTS

Symantec thanks Arthur Freyman, for notification of this issue and coordination of disclosure as it was resolved

REVISION

Discovery Date:
August 31, 2005 - Bugtraq posting (Vulnerability in Symantec Anti Virus Corporate Edition v9.x)