Document ID: 306386
http://support.veritas.com/docs/306386
E-Mail this document to a colleague
http://support.veritas.com/docs/306386
E-Mail this document to a colleague
Symantec Security Advisory SYM08-015: Veritas Storage Foundation for Windows Volume Manager Scheduler Service for Windows Security Update Circumvention
Details:
Download Now - 1988 K
File Name: 1368925_306386.EXE
File Type: Patch
Click Below to Browse the FTP files by Product:
ftp.support.veritas.com/pub/support/products
Symantec Security
Advisory
SYM08-015
14 August, 2008
Veritas Storage Foundation for Windows (SFW) Volume Manager Scheduler Service for Windows Security Update Circumvention
Revision History
None
Severity
Medium
Remote Access: Yes, Local network access required
Local Access: No
Authentication Required: No
Exploit publicly available: No
Overview
It is possible to circumvent the security patch that resolved a previously identified authentication bypass, remote code execution vulnerability in the Symantec Storage Foundation for Windows v5.0 Volume Manager Scheduler Service. Successful exploitation could result in potential compromise of the targeted system.
Product(s) Affected
Product Version(s) Solution(s)
SFW 5.0, 5.0 RP1a, 5.1 Updated VxSchedService.exe
Updated Binaries
Product Version
SFW 5.0 VxSchedService.exe - 5.0.51.297
SFW 5.0 RP1a VxSchedService.exe - 5.0.218.319
SFW 5.1 VxSchedService.exe - 5.1.1.398
Note: Only those versions and builds identified above are affected by this issue. Click on the "Download Now" link and follow the "Installation Instructions" below to apply the formal solution to this issue.
Details
3Com's Zero Day Initiative, notified Symantec of a vector that can allow a malicious user to circumvent the security update for an authentication bypass vulnerability previously reported in the Symantec Storage Foundation for Windows Scheduler Service, http://www.symantec.com/avcenter/security/Content/2007.06.01.html .
The Scheduler Service server, introduced in Symantec Storage Foundation for Windows v5.0, listens for incoming scheduling messages from client systems. An attacker with network access who could connect directly to the Scheduler Service socket could bypass the security update to the previously reported issue. By properly manipulating this vector, the attacker has the potential to add arbitrary commands to the registry that, if properly constructed, would be executed on the targeted system during normal scheduled runs.
Symantec Response
Symantec engineers have verified and resolved this issue in the Symantec's Storage Foundation for Windows versions and builds identified above.
Symantec recommends customers apply the latest product update available for their supported product versions to enhance their security posture and protect against potential security threats of this nature.
Symantec knows of no exploitation of or adverse customer impact from this issue.
The patch listed above for affected product/versions is attached to this TechFile. Please refer to the "Installation Instructions" section, just below, to apply this patch.
Installation Instructions
Click on the "Download Now" link, below, and download the attached self extracting zip file (1368925_306386.exe) to a temporary folder location.
1. Stop the "Veritas Scheduler Service" service.
net stop "Veritas scheduler service"
2. Stop the "Veritas Storage Agent" service.
net stop vxvm
3. Take a backup of vxschedservice.exe present at the location:
<Veritas_Home>\Veritas Volume Manager 5.0 (for SFW 5.0 and SFW 5.0RP1a)
<Veritas_Home>\Veritas Volume Manager 5.1 (for SFW 5.1)
4. Place one of the following privates (vxschedservice.exe) to the above location depending on the operating system and architecture:
SFW 5.0:
5.0\W2K3_x86
5.0\W2K3_x64
SFW 5.0RP1A:
5.0RP1A\W2K3_x86
5.0RP1A\W2K3_x64
SFW 5.1:
5.1\W2k3\32
5.1\W2k3\64
5.1\W2k8\32
5.1\W2k8\64
5. Configure the service as mentioned below:
a. In case of a non-clustered setup and a single-node cluster no additional configuration is needed.
b. In case of a clustered setup with more than one node, on each node of the cluster, configure the service with any user account (Other than Localsystem account) which is valid on all the nodes of the cluster. The user account should have privileges to change the registry entry on the current node.
6. Start the "Veritas Scheduler Service" service.
net start "Veritas scheduler service"
7. Start the "Veritas Storage Agent" service.
net start vxvm
Please Note: It is recommended that the fix be evaluated in a test environment before implementing it in a production environment. When the fix is incorporated into a Storage Foundation for Windows maintenance release, the resulting Hotfix or Service Pack must be installed as soon as possible. Symantec Technical Services will notify you when the maintenance release (Hotfix or Service Pack) is available.
Best Practices
As part of normal best practices, Symantec strongly recommends:
SYM08-015
14 August, 2008
Veritas Storage Foundation for Windows (SFW) Volume Manager Scheduler Service for Windows Security Update Circumvention
Revision History
None
Severity
Medium
Remote Access: Yes, Local network access required
Local Access: No
Authentication Required: No
Exploit publicly available: No
Overview
It is possible to circumvent the security patch that resolved a previously identified authentication bypass, remote code execution vulnerability in the Symantec Storage Foundation for Windows v5.0 Volume Manager Scheduler Service. Successful exploitation could result in potential compromise of the targeted system.
Product(s) Affected
Product Version(s) Solution(s)
SFW 5.0, 5.0 RP1a, 5.1 Updated VxSchedService.exe
Updated Binaries
Product Version
SFW 5.0 VxSchedService.exe - 5.0.51.297
SFW 5.0 RP1a VxSchedService.exe - 5.0.218.319
SFW 5.1 VxSchedService.exe - 5.1.1.398
Note: Only those versions and builds identified above are affected by this issue. Click on the "Download Now" link and follow the "Installation Instructions" below to apply the formal solution to this issue.
Details
3Com's Zero Day Initiative, notified Symantec of a vector that can allow a malicious user to circumvent the security update for an authentication bypass vulnerability previously reported in the Symantec Storage Foundation for Windows Scheduler Service, http://www.symantec.com/avcenter/security/Content/2007.06.01.html .
The Scheduler Service server, introduced in Symantec Storage Foundation for Windows v5.0, listens for incoming scheduling messages from client systems. An attacker with network access who could connect directly to the Scheduler Service socket could bypass the security update to the previously reported issue. By properly manipulating this vector, the attacker has the potential to add arbitrary commands to the registry that, if properly constructed, would be executed on the targeted system during normal scheduled runs.
Symantec Response
Symantec engineers have verified and resolved this issue in the Symantec's Storage Foundation for Windows versions and builds identified above.
Symantec recommends customers apply the latest product update available for their supported product versions to enhance their security posture and protect against potential security threats of this nature.
Symantec knows of no exploitation of or adverse customer impact from this issue.
The patch listed above for affected product/versions is attached to this TechFile. Please refer to the "Installation Instructions" section, just below, to apply this patch.
Installation Instructions
Click on the "Download Now" link, below, and download the attached self extracting zip file (1368925_306386.exe) to a temporary folder location.
1. Stop the "Veritas Scheduler Service" service.
net stop "Veritas scheduler service"
2. Stop the "Veritas Storage Agent" service.
net stop vxvm
3. Take a backup of vxschedservice.exe present at the location:
<Veritas_Home>\Veritas Volume Manager 5.0 (for SFW 5.0 and SFW 5.0RP1a)
<Veritas_Home>\Veritas Volume Manager 5.1 (for SFW 5.1)
4. Place one of the following privates (vxschedservice.exe) to the above location depending on the operating system and architecture:
SFW 5.0:
5.0\W2K3_x86
5.0\W2K3_x64
SFW 5.0RP1A:
5.0RP1A\W2K3_x86
5.0RP1A\W2K3_x64
SFW 5.1:
5.1\W2k3\32
5.1\W2k3\64
5.1\W2k8\32
5.1\W2k8\64
5. Configure the service as mentioned below:
a. In case of a non-clustered setup and a single-node cluster no additional configuration is needed.
b. In case of a clustered setup with more than one node, on each node of the cluster, configure the service with any user account (Other than Localsystem account) which is valid on all the nodes of the cluster. The user account should have privileges to change the registry entry on the current node.
6. Start the "Veritas Scheduler Service" service.
net start "Veritas scheduler service"
7. Start the "Veritas Storage Agent" service.
net start vxvm
Please Note: It is recommended that the fix be evaluated in a test environment before implementing it in a production environment. When the fix is incorporated into a Storage Foundation for Windows maintenance release, the resulting Hotfix or Service Pack must be installed as soon as possible. Symantec Technical Services will notify you when the maintenance release (Hotfix or Service Pack) is available.
Best Practices
As part of normal best practices, Symantec strongly recommends:
- Restrict access to administration or management systems to privileged users.
- Restrict remote access, if required, to trusted/authorized systems only.
- Run under the principle of least privilege where possible to limit the impact of exploit by threats.
- Keep all operating systems and applications updated with the latest vendor patches.
- Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
- Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities
Credit
Symantec would like to thank Tenable Security working through 3Com ZDI for reporting this issue and for providing coordination while Symantec resolved it.
References
SecurityFocus, http://www.securityfocus.com , has assigned a Bugtraq ID (BID), 30596 to this issue for inclusion in the SecurityFocus vulnerability data ba The BID can be found at: http://www.securityfocus.com/bid/30596
This issue is a candidate for inclusion in the CVE list ( http://cve.mitre.org ), which standardizes names fo security problems. A CVE Candidate name has be requested from the Common Vulnerabilities and Exposures (CVE) initiative for this issue. This advisory will be revised accordingly upon receipt of the CVE Candidate name.
Symantec would like to thank Tenable Security working through 3Com ZDI for reporting this issue and for providing coordination while Symantec resolved it.
References
SecurityFocus, http://www.securityfocus.com , has assigned a Bugtraq ID (BID), 30596 to this issue for inclusion in the SecurityFocus vulnerability data ba The BID can be found at: http://www.securityfocus.com/bid/30596
This issue is a candidate for inclusion in the CVE list ( http://cve.mitre.org ), which standardizes names fo security problems. A CVE Candidate name has be requested from the Common Vulnerabilities and Exposures (CVE) initiative for this issue. This advisory will be revised accordingly upon receipt of the CVE Candidate name.
Download Now - 1988 K
File Name: 1368925_306386.EXE
File Type: Patch
Click Below to Browse the FTP files by Product:
ftp.support.veritas.com/pub/support/products
Supplemental Material:
| System: Ref.# | Description |
| ETrack: 1368925 | |
| ETrack: 1315651 |
Products Applied:
Storage Foundation for Windows 5.0, 5.0 RP1, 5.0 RP1a, 5.1
Storage Foundation for Windows 5.0, 5.0 RP1, 5.0 RP1a, 5.1
Last Updated: August 21 2008 07:00 PM GMT
Expires on: 08-20-2013
Subscribe to receive critical updates about this document
Expires on: 08-20-2013
Subscribe to receive critical updates about this document
Subjects:
Storage Foundation for Windows
Application: Hotfix
Storage Foundation for Windows
Application: Hotfix
Languages:
English (US)
English (US)
Operating Systems:
Windows Server 2003
Windows Server 2003
DataCenter SP2, Datacenter SP2(x64), Enterprise SP2, Enterprise SP2(x64), R2, Standard Server SP2, Standard Server SP2 (x64)
Windows Server 2008
DataCenter (x64-64bit), DataCenter (x86-32bit), Enterprise (x64-64bit), Enterprise (x86-32bit), Itanium, Server Core, Standard (x64-64bit), Standard (x86-32bit), Web Server (x64-64bit), Web Server (x86-32bit)
Symantec World Headquarters:
20330 Stevens Creek Blvd. Cupertino, CA 95014
World Wide Web: http://www.symantec.com,
Tech Support Web: http://entsupport.symantec.com,
E-Mail Support: http://seer.entsupport.symantec.com/email_forms,
FTP: ftp://ftp.entsupport.symantec.com or http://ftp.entsupport.symantec.com
20330 Stevens Creek Blvd. Cupertino, CA 95014
World Wide Web: http://www.symantec.com,
Tech Support Web: http://entsupport.symantec.com,
E-Mail Support: http://seer.entsupport.symantec.com/email_forms,
FTP: ftp://ftp.entsupport.symantec.com or http://ftp.entsupport.symantec.com
THE INFORMATION PROVIDED IN THE SYMANTEC SOFTWARE KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. SYMANTEC SOFTWARE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SYMANTEC SOFTWARE OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,EVEN IF SYMANTEC SOFTWARE OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.