Initial Publication Date: 29 Sep 2004
Advisory Status: Closed
Advisory Severity: High
Legacy ID:
Symantec resolved an unencrypted default password issue reported in Symantec's ON Command CCM and ON iCommand configuration servers. A malicious user who has privileged local access to the system that hosts the server can potentially gain access to administrative information and sensitive management/configuration data. An unauthorized user who has remote access to the network could potentially gather administrative information that could be leveraged for additional system access to the server and potentially to other systems being managed.
High (heavily dependent on environment)
Symantec ON Command CCM 5.4.x (Windows, Solaris, HP-UX, Linux)
Symantec ON iCommand 3.0.x (Windows)
A posting to the SecurityFocus BugTraq list identified an issue with unencrypted default database account information that is accessible on the Symantec ON Command CCM and Symantec ON iCommand software management solutions. Administrative access and database management information are provided by default on the management server. A user with privileged local access to the system that hosts the management server could gain administrative access to the database and gather sensitive data concerning the systems that are being managed from that host. An unauthorized user with network access could potentially capture the login system calls from the server and leverage additional unauthorized access to the management server database. Unauthorized access could allow the attacker to collect additional sensitive information or to alter configuration information on managed systems.
CVE candidate numbers have been requested from The Common Vulnerabilities and Exposures (CVE) initiative. This advisory will be revised as required once CVE candidate numbers have been assigned. These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Symantec confirmed the issues discussed above and has developed solutions to resolve them.
Symantec has released a patch for all affected products that removes any default passwords and provides strong administrative password management including change control and encryption.
Symantec strongly recommends that customers apply the appropriate patch for their affected product versions immediately to protect against these types of threats.