Local LiveUpdate server username / password information revealed by client

1068

06 March 2020

02 September 2005

CLOSED

MEDIUM

SUMMARY

 

Risk Impact
Medium

Remote Access

Yes

Local Access

Yes

Authentication Required

Yes

Exploit publicly available

No

 

AFFECTED PRODUCTS

 

Product

Version

Build

Solution

LiveUpdate Client

2.7

34

LiveUpdate Client Update

 

ADDITIONAL PRODUCT INFORMATION

 

Non-Affected Products

Product

Version

Build

LiveUpdate Client

2.5

All

LiveUpdate Client

2.6

All

 

ISSUES

 

Details
LiveUpdate server login name and password are written to a local log file in clear text. This happens when the LiveUpdate client checks for updates from the server. This is only an issue when a local LiveUpdate server is used with a login name and password.

The login name and password belong to the account configured by the LiveUpdate server administrator for accessing LiveUpdate packages. Symantec strongly recommends that this user account be unique for accessing LiveUpdate packages only, and have no other system access. The system administrator account should never be used for this purpose.

Note: As stated in the LiveUpdate download readme file: LiveUpdate version 2.7.x does not support the LiveUpdate Administration Utility, Version 1.5.x. If you are running a system as a Central LiveUpdate server please go to http://www.symantec.com/techsupp/files/lu/lu.html and download Version 1.5.4.15 update for the LiveUpdate Administration Utility.

MITIGATION

 

Symantec Response
An update for the LiveUpdate 2.7 client has been released and can be downloaded from the following location:

http://www.symantec.com/techsupp/files/lu/lu.html

Symantec is not aware of any active attempts against or organizations impacted by this issue.

As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends any affected customers update their product immediately to protect against these types of threats

ACKNOWLEDGEMENTS

 

Symantec thanks Arthur Freyman, for notification of this issue and coordination of disclosure as it was resolved

REVISION

 

Discovery Date:
August 31, 2005 - Bugtraq posting (Vulnerability in Symantec Anti Virus Corporate Edition v9.x)