Symantec Security Advisory SYM08-015: Veritas Storage Foundation for Windows Volume Manager Scheduler Service for Windows Security Update Circumvention
14 August, 2008
Veritas Storage Foundation for Windows (SFW) Volume Manager Scheduler Service for Windows Security Update Circumvention
Remote Access: Yes, Local network access required
Local Access: No
Authentication Required: No
Exploit publicly available: No
It is possible to circumvent the security patch that resolved a previously identified authentication bypass, remote code execution vulnerability in the Symantec Storage Foundation for Windows v5.0 Volume Manager Scheduler Service. Successful exploitation could result in potential compromise of the targeted system.
Product  Version(s)            Solution(s)
SFW      5.0, 5.0 RP1a, 5.1    Updated VxSchedService.exe

Fixed builds:
SFW 5.0       VxSchedService.exe - 188.8.131.527
SFW 5.0 RP1a  VxSchedService.exe - 184.108.40.2069
SFW 5.1       VxSchedService.exe - 220.127.116.118
3Com's Zero Day Initiative notified Symantec of a vector that can allow a malicious user to circumvent the security update for an authentication bypass vulnerability previously reported in the Symantec Storage Foundation for Windows Scheduler Service, http://www.symantec.com/avcenter/security/Content/2007.06.01.html .
The Scheduler Service server, introduced in Symantec Storage Foundation for Windows v5.0, listens for incoming scheduling messages from client systems. An attacker with network access who could connect directly to the Scheduler Service socket could bypass the security update to the previously reported issue. By properly manipulating this vector, the attacker has the potential to add arbitrary commands to the registry that, if properly constructed, would be executed on the targeted system during normal scheduled runs.
Symantec engineers have verified and resolved this issue in the Symantec Storage Foundation for Windows versions and builds identified above.
Symantec recommends customers apply the latest product update available for their supported product versions to enhance their security posture and protect against potential security threats of this nature.
Symantec knows of no exploitation of or adverse customer impact from this issue.
The patch listed above for affected product/versions is attached to this TechFile. Please refer to the "Installation Instructions" section, just below, to apply this patch.
Click on the "Download Now" link, below, and download the attached self-extracting zip file (1368925_306386.exe) to a temporary folder location.
1. Stop the "Veritas Scheduler Service" service.
net stop "Veritas scheduler service"
2. Stop the "Veritas Storage Agent" service.
net stop vxvm
3. Take a backup of vxschedservice.exe present at the location:
<Veritas_Home>\Veritas Volume Manager 5.0 (for SFW 5.0 and SFW 5.0RP1a)
<Veritas_Home>\Veritas Volume Manager 5.1 (for SFW 5.1)
4. Copy one of the following private fix builds (vxschedservice.exe) to the above location, choosing the build that matches the operating system and architecture:
5. Configure the service as mentioned below:
a. In case of a non-clustered setup and a single-node cluster no additional configuration is needed.
b. In case of a clustered setup with more than one node, on each node of the cluster, configure the service to run under a user account (other than the LocalSystem account) that is valid on all nodes of the cluster. The user account must have privileges to change the registry entry on the current node.
6. Start the "Veritas Scheduler Service" service.
net start "Veritas scheduler service"
7. Start the "Veritas Storage Agent" service.
net start vxvm
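The seven steps above, scripted end to end as an added example (this script is not part of the Symantec advisory or of the Storage Foundation product). It assumes the operator supplies the Veritas installation root, the SFW version and the path to the extracted private vxschedservice.exe; the cluster account parameters are only used for step 5b on a multi-node cluster. Service names are resolved from the display names the advisory uses rather than guessed.

```powershell
# Added example: apply the SYM08-015 VxSchedService.exe hotfix in the advisory's order.
# Assumptions: -VeritasHome, -SfwVersion and -PatchedExe are supplied by the operator;
# -ClusterAccount/-ClusterPassword are required only when -MultiNodeCluster is set.
param(
    [Parameter(Mandatory)][string]$VeritasHome,                         # e.g. "C:\Program Files\Veritas"
    [Parameter(Mandatory)][ValidateSet('5.0','5.1')][string]$SfwVersion, # 5.0 also covers 5.0 RP1a
    [Parameter(Mandatory)][string]$PatchedExe,                          # extracted private vxschedservice.exe
    [switch]$MultiNodeCluster,
    [string]$ClusterAccount,                                            # DOMAIN\user valid on every node (step 5b)
    [System.Security.SecureString]$ClusterPassword
)
$ErrorActionPreference = 'Stop'

# Resolve the services by the names the advisory uses ("net stop" accepts either form).
$sched = Get-Service -DisplayName 'Veritas Scheduler Service'
$agent = Get-Service -Name 'vxvm'

# Steps 1 and 2: stop the Scheduler Service, then the Storage Agent.
Stop-Service -InputObject $sched -Force
Stop-Service -InputObject $agent -Force

# Step 3: back up the binary currently installed, keeping a timestamped copy beside it.
$target = Join-Path $VeritasHome "Veritas Volume Manager $SfwVersion\vxschedservice.exe"
if (-not (Test-Path $target)) { throw "Expected binary not found at $target" }
$backup = "$target.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $target -Destination $backup
$oldVer = (Get-Item $target).VersionInfo.FileVersion

# Step 4: place the private fix build over the original.
Copy-Item -Path $PatchedExe -Destination $target -Force
$newVer = (Get-Item $target).VersionInfo.FileVersion

# Step 5b: on a multi-node cluster the service must not run as LocalSystem.
if ($MultiNodeCluster) {
    if (-not $ClusterAccount -or -not $ClusterPassword) {
        throw 'A multi-node cluster requires -ClusterAccount and -ClusterPassword'
    }
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ClusterPassword)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    # sc.exe requires the internal service name and the "key= value" spacing shown here.
    & sc.exe config $sched.Name obj= $ClusterAccount password= $plain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
}

# Steps 6 and 7: start the services again in the advisory's order.
Start-Service -InputObject $sched
Start-Service -InputObject $agent

# Post-check: confirm the file actually changed and report the account the service runs under.
$svcInfo = Get-WmiObject Win32_Service -Filter "Name='$($sched.Name)'"
[pscustomobject]@{
    Backup         = $backup
    OldFileVersion = $oldVer
    NewFileVersion = $newVer
    ServiceAccount = $svcInfo.StartName
    SchedulerState = (Get-Service -Name $sched.Name).Status
}
```

Run it from an elevated PowerShell prompt on each node; on a multi-node cluster pass -MultiNodeCluster with the shared account so step 5b is applied consistently. Compare the reported NewFileVersion against the fixed build listed for your SFW version before returning the node to production.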
Please Note: It is recommended that the fix be evaluated in a test environment before implementing it in a production environment. When the fix is incorporated into a Storage Foundation for Windows maintenance release, the resulting Hotfix or Service Pack must be installed as soon as possible. Symantec Technical Services will notify you when the maintenance release (Hotfix or Service Pack) is available.
As part of normal best practices, Symantec strongly recommends:
- Restrict access to administration or management systems to privileged users.
- Restrict remote access, if required, to trusted/authorized systems only.
- Run under the principle of least privilege where possible to limit the impact of exploit by threats.
- Keep all operating systems and applications updated with the latest vendor patches.
- Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
- Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.
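One concrete form of the "restrict remote access to trusted/authorized systems only" recommendation for this service, as an added example that is not from the advisory or from Symantec: a Windows Firewall allow rule scoped to the Scheduler Service executable and to an operator-maintained list of trusted addresses, with the profile default left at Block. Because Windows Firewall gives block rules precedence over allow rules, the script narrows access by removing broader allow rules for the program rather than by adding a block rule. It assumes the same $VeritasHome/$SfwVersion layout as the installation steps, that $TrustedHosts is supplied by the operator, and a Windows version that ships the NetSecurity and NetTCPIP cmdlets (Windows 8 / Server 2012 or later); the listening-socket report at the end is a verification aid, not a requirement of the fix.

```powershell
# Added example: limit inbound connections to vxschedservice.exe to trusted hosts.
# Assumptions: -VeritasHome/-SfwVersion locate the binary; -TrustedHosts lists cluster peers
# and management stations (sample values are constructed, not taken from the advisory).
param(
    [Parameter(Mandatory)][string]$VeritasHome,
    [Parameter(Mandatory)][ValidateSet('5.0','5.1')][string]$SfwVersion,
    [Parameter(Mandatory)][string[]]$TrustedHosts   # e.g. '10.0.5.11','10.0.5.12'
)
$ErrorActionPreference = 'Stop'
$exe = Join-Path $VeritasHome "Veritas Volume Manager $SfwVersion\vxschedservice.exe"
if (-not (Test-Path $exe)) { throw "Scheduler binary not found at $exe" }
$ruleName = 'SFW Scheduler Service - trusted hosts only'

# Unsolicited inbound traffic must fall through to the profile default, so make that Block.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Drop any existing inbound allow rule bound to this program (an installer may have added a
# wide-open one); a broad allow would otherwise defeat the narrow rule added below.
Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -eq $exe } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Remove-NetFirewallRule

# Allow the program only from the trusted addresses. No port is assumed: the rule is keyed on
# the executable, which is what the advisory identifies as the listening component.
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
    -Program $exe -RemoteAddress $TrustedHosts -Profile Any | Out-Null

# Verification: which sockets the scheduler process is currently listening on, and the
# rule as applied. Review this after each hotfix, since a replaced binary may reset rules.
$proc = Get-Process -Name 'vxschedservice' -ErrorAction SilentlyContinue
$listen = if ($proc) {
    Get-NetTCPConnection -State Listen -OwningProcess $proc.Id |
        Select-Object LocalAddress, LocalPort
}
[pscustomobject]@{
    Rule         = (Get-NetFirewallRule -DisplayName $ruleName).Enabled
    TrustedHosts = ($TrustedHosts -join ', ')
    Listening    = $listen
}
```

Keep $TrustedHosts to the cluster nodes and management hosts that genuinely submit scheduling messages; anything else that needs to reach the service should go through those hosts rather than being added to the list.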
Symantec would like to thank Tenable Security working through 3Com ZDI for reporting this issue and for providing coordination while Symantec resolved it.
SecurityFocus, http://www.securityfocus.com , has assigned a Bugtraq ID (BID), 30596, to this issue for inclusion in the SecurityFocus vulnerability database. The BID can be found at: http://www.securityfocus.com/bid/30596
This issue is a candidate for inclusion in the CVE list ( http://cve.mitre.org ), which standardizes names for security problems. A CVE Candidate name has been requested from the Common Vulnerabilities and Exposures (CVE) initiative for this issue. This advisory will be revised accordingly upon receipt of the CVE Candidate name.