Symantec LiveUpdate stores insecurely

source: www.securiteam.com

Symantec LiveUpdate Stores Information Insecurely (LiveUpdate, Ghost)


SUMMARY

Norton Antivirus Corporate Edition, like other Symantec products, includes LiveUpdate. LiveUpdate stores Username and Password information in clear text in the registry. Symantec's Ghost suffers from this problem as well; other Symantec products may be affected.

DETAILS

Vulnerable systems:
Symantec Ghost version 7.0
Symantec Ghost version 7.5
Norton Antivirus Corporate Edition

Any user with the client installed can run "regedit" and read the values under:
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\LiveUpdateSource

Or:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NGServer\params

To discover the username and password used by the product.

In the case of Ghost, the product creates a special user account on the machine to run the service under but it seems it is storing the password for this account in plain text in the registry.

Vendor response:

About NAV:

Symantec's Norton Antivirus Corporate Edition provides the administrator the ability to push LiveUpdate definitions out to individual clients or to configure each client with a read-only username and password access to an internal local LiveUpdate server to download local updates. While the local username and password were stored in the registry in the clear in LiveUpdate 1.5, LiveUpdate 1.6 and later versions encrypt this username and password by default Symantec would like to emphasis that in all instances, the username and password pair is NOT connected with authentication to access Symantec's LiveUpdate server. The username and password in question is ONLY associated with the local network internal server. Symantec is aware of the issue addressed by Mr. Sanchez and it is not a LiveUpdate issue. Rather it is an internal server issue when passing the username and password to the client system that is affecting the password encryption causing the clear text exposure. This problem is currently being addressed and will be available for update as soon as it is fully tested.

Symantec appreciates the concern of Mr. Sanchez and takes the security of our products very seriously. We would like to re-emphasize however, that this read-only username/password is for internal server access only. Additionally, if company policy is such that all updates are controlled at a centralized server and pushed out to client systems, the issue in question does not exist.

About Symantec Ghost:

During the installation process for Symantec Ghost Corporate Edition, the key in question is created with Administrator access only by default. Normal best practice procedures of administrators allowing "least privilege" access to normal system users would preclude access to any unauthorized registry information by anyone other than a user with administrator privileges.

Unauthorized access to the system registry presents security concerns for any program(s), which use the registry to persist data. Protection of your system includes restricting physical access to your system and restricting administrative privileges.

Symantec take the security of our products very seriously and appreciates the concerns of Mr. Miller. Symantec is constantly working to improve our products and we will be reviewing additional protective measures for this key in future upgrades.