SYMSA1097

Symantec On-Demand Protection Encrypted Data Exposure

Last Updated August 01, 2006
Initial Publication Date August 01, 2006
  • Status: Closed
  • Severity: Medium
  • CVSS Base Score: 2.9

Symantec On-Demand Agent (SODA) and Symantec On-Demand Protection (SODP) provide a Virtual Desktop environment to secure Web-based applications and services. Files created while in the virtual desktop are encrypted as they are saved to a hard drive or removable media, if that option is enabled in the policy configuration. Symantec is aware of a method which could potentially be used to defeat the encryption on these files

Risk Impact
Medium

Remote

No

Local

Yes

Authentication Required

No

Exploit publicly available

No

 

Product

Version

Platform

Solution

SODA

2.5 MR2 and earlier (builds 2156 and lower)

Windows

Build 2157 and later
https://support.sygate.com

SODA

2.6 (builds 2232 and lower)

Windows

Build 2233 and later
https://fileconnect.symantec.com/licenselogin.jsp


Note:
Versions of Symantec On-Demand earlier than SODA 2.5 or SODP 2.6 are no longer supported. Customers using an earlier version should update to a supported product version to receive this security update and other product enhancements available in current releases.

The Japanese version of Symantec On-Demand Protection is distributed through Macnica Inc. Please contact your Macnica Support representative to obtain this update.

Unaffected Products

Product

Version

Platform

SODA

2.5

Linux and Macintosh

SODA

2.6

Linux and Macintosh

 

Details
Symantec is aware of a method which can potentially be used to decrypt files which were encrypted by the Symantec On-Demand Virtual Desktop. An attacker who successfully used this method to decrypt files would have access to the data in the files. The level of risk associated with a successful attack is highly dependent on the content of the encrypted files.

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE Candidate CVE-2006-3457 to this issue

Symantec Response
Symantec engineers have verified that this issue exists in the versions of Symantec On-Demand listed in the table above, and have provided updates to address the issue.

The Virtual Desktop module is an optional feature of Symantec On-Demand Protection. Customers who do not use this module are not affected by this issue. However, Symantec recommends that you apply this update to ensure you are protected if you choose to use this feature in the future.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.

As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends any affected customers update their product immediately to protect against these types of threats.

SYM06-013

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation