Critical Flaws in pcAnywhere

January 26, 2012

Symantec’s pcAnywhere software provides remote access and remote desktop capabilities for Windows-based systems.  pcAnywhere is not likely to be installed on the typical home system, but it is used fairly widely by businesses.  It is used, for example, by organizations’ help desks, so that the technical staff on the phone with the troubled user can see the same screen that the user sees.

Symantec has just taken the somewhat unusual step of issuing a white paper, Symantec pcAnywhere Security Recommendations [PDF], which discusses potential security risks from using the product, and recommends that, because of several current vulnerabilities, pcAnywhere be disabled until Symantec has issued appropriate patches.

At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that
resolve currently known vulnerability risks. For customers that require pcAnywhere for business critical purposes, it is
recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow the general security best practices discussed herein.

Some of the vulnerabilities are, according to the white paper, linked to a theft of some Symantec source code back in 2006.  The stolen code apparently included some encryption and other security functions that were implemented in a vulnerable way.  The principal risk is of a man-in-the-middle attack against the encryption and encoding weaknesses, but other attacks are also possible.  In addition to describing some mitigation steps, the white paper gives a summary of recommended security practices for pcAnywhere users.  In addition to the pcAnywhere product itself, the vulnerable software is bundled with three other Symantec products: Altiris Client Management Suite; Altiris IT Management Suite versions 7.0 or later; and Altiris Deployment Solution with Remote v7.1.

Symantec has also released a Security Advisory for pcAnywhere and associated products, regarding two serious vulnerabilities that do not seem to be related to the code theft.  Successful attacks against these flaws might result in remote execution of arbitrary code, or unauthorized modification of local files.  The code execution vulnerability is very serious, since the relevant execution context will often be System.  There is a hot fix available for supported versions of pcAnywhere.

The SANS Internet Storm Center has a diary entry on the pcAnywhere issues.  They report seeing some evidence of systematic probes of TCP/IP port 5631, used by pcAnywhere.  This probably indicates attempts to discover and exploit vulnerable systems, so the ISC’s advice, and mine, is patch now.
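To turn the ISC's observation into a check you can run against your own perimeter logs, here is an added example (not from this post, Symantec or the ISC) that flags sources sweeping TCP port 5631 across many hosts in a short window, while ignoring a help desk host that repeatedly reaches one server. The iptables-style log lines and addresses are constructed for the example.

```python
import re
from datetime import datetime, timedelta

PCANYWHERE_PORT = 5631  # TCP port the ISC reported being probed

# iptables-style records; every line below is constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)
SAMPLE_LOG = """\
2012-01-26T10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=5631
2012-01-26T10:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=44124 DPT=5631
2012-01-26T10:00:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=44125 DPT=5631
2012-01-26T10:05:00 fw kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=5631
2012-01-26T10:06:00 fw kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=5631
2012-01-26T10:07:00 fw kernel: IN=eth0 SRC=198.51.100.30 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=80
2012-01-26T11:00:00 fw kernel: IN=eth0 SRC=198.51.100.40 DST=192.0.2.10 PROTO=TCP SPT=50003 DPT=5631
2012-01-26T12:00:00 fw kernel: IN=eth0 SRC=198.51.100.40 DST=192.0.2.11 PROTO=TCP SPT=50004 DPT=5631
2012-01-26T13:00:00 fw kernel: IN=eth0 SRC=198.51.100.40 DST=192.0.2.12 PROTO=TCP SPT=50005 DPT=5631
"""

def parse_line(line):
    """Return (timestamp, src, dst) for a TCP/5631 record, else None."""
    m = LINE_RE.search(line)
    if not m or int(m.group("dpt")) != PCANYWHERE_PORT:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("dst")

def find_sweeps(log_text, min_targets=3, window_seconds=60):
    """Map each source that reached >= min_targets distinct hosts on TCP/5631
    within window_seconds to the largest such count. A help-desk host that
    repeatedly reaches one server, or a slow trickle, is not flagged."""
    window = timedelta(seconds=window_seconds)
    events = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst = rec
            events.setdefault(src, []).append((ts, dst))
    sweeps = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):
            targets = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            sweeps[src] = best
    return sweeps
```

Widening `window_seconds` catches slower sweeps such as the one-host-per-hour source in the sample, at the cost of more noise from legitimate administrators.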

Using any remote access facility involves some risk, especially if the remote user is in an insecure location.  Users of pcAnywhere should keep an eye on the security news, and on Symantec’s site, so that they can stay on top of this one.
