Local LiveUpdate server username / password information revealed by client
1068
06 March 2020
02 September 2005
CLOSED
MEDIUM
SUMMARY
Risk Impact
Medium
Remote Access |
Yes |
Local Access |
Yes |
Authentication Required |
Yes |
Exploit publicly available |
No |
AFFECTED PRODUCTS
Product |
Version |
Build |
Solution |
LiveUpdate Client |
2.7 |
34 |
ADDITIONAL PRODUCT INFORMATION
Non-Affected Products
Product |
Version |
Build |
LiveUpdate Client |
2.5 |
All |
LiveUpdate Client |
2.6 |
All |
ISSUES
Details
LiveUpdate server login name and password are written to a local log file in clear text. This happens when the LiveUpdate client checks for updates from the server. This is only an issue when a local LiveUpdate server is used with a login name and password.
The login name and password belong to the account configured by the LiveUpdate server administrator for accessing LiveUpdate packages. Symantec strongly recommends that this user account be unique for accessing LiveUpdate packages only, and have no other system access. The system administrator account should never be used for this purpose.
Note: As stated in the LiveUpdate download readme file: LiveUpdate version 2.7.x does not support the LiveUpdate Administration Utility, Version 1.5.x. If you are running a system as a Central LiveUpdate server please go to http://www.symantec.com/techsupp/files/lu/lu.html and download Version 1.5.4.15 update for the LiveUpdate Administration Utility.
MITIGATION
Symantec Response
An update for the LiveUpdate 2.7 client has been released and can be downloaded from the following location:
http://www.symantec.com/techsupp/files/lu/lu.html
Symantec is not aware of any active attempts against or organizations impacted by this issue.
As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends any affected customers update their product immediately to protect against these types of threats
ACKNOWLEDGEMENTS
Symantec thanks Arthur Freyman, for notification of this issue and coordination of disclosure as it was resolved
REVISION
Discovery Date:
August 31, 2005 - Bugtraq posting (Vulnerability in Symantec Anti Virus Corporate Edition v9.x)