Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13689
HistoryAug 02, 2006 - 12:00 a.m.

SYM06-013 Symantec On-Demand Protection Encrypted Data Exposure

2006-08-0200:00:00
vulners.com
12
JSON

SYM06-013
August 1, 2006
Symantec On-Demand Protection Encrypted Data Exposure

Revision History
None

Risk Impact
Medium

Remote No
Local Yes
Authentication Required No
Exploit publicly available No

Overview
Symantec On-Demand Agent (SODA) and Symantec On-Demand Protection (SODP) provide a Virtual Desktop environment to secure Web-based applications and services. Files created while in the virtual desktop are encrypted as they are saved to a hard drive or removable media, if that option is enabled in the policy configuration. Symantec is aware of a method which could potentially be used to defeat the encryption on these files.

Affected Products
Product Version Platform Solution
SODA 2.5 MR2 and earlier (builds 2156 and lower) Windows Build 2157 and later
https://support.sygate.com
SODA 2.6 (builds 2232 and lower) Windows Build 2233 and later
https://fileconnect.symantec.com/licenselogin.jsp

Note:
Versions of Symantec On-Demand earlier than SODA 2.5 or SODP 2.6 are no longer supported. Customers using an earlier version should update to a supported product version to receive this security update and other product enhancements available in current releases.

The Japanese version of Symantec On-Demand Protection is distributed through Macnica Inc. Please contact your Macnica Support representative to obtain this update.

Unaffected Products
Product Version Platform
SODA 2.5 Linux and Macintosh
SODA 2.6 Linux and Macintosh

Details
Symantec is aware of a method which can potentially be used to decrypt files which were encrypted by the Symantec On-Demand Virtual Desktop. An attacker who successfully used this method to decrypt files would have access to the data in the files. The level of risk associated with a successful attack is highly dependent on the content of the encrypted files.

Symantec Response
Symantec engineers have verified that this issue exists in the versions of Symantec On-Demand listed in the table above, and have provided updates to address the issue.

The Virtual Desktop module is an optional feature of Symantec On-Demand Protection. Customers who do not use this module are not affected by this issue. However, Symantec recommends that you apply this update to ensure you are protected if you choose to use this feature in the future.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.

As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends any affected customers update their product immediately to protect against these types of threats.

CVE
This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE Candidate CVE-2006-3457 to this issue.

Symantec takes the security and proper functionality of its products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability guidelines outlined by the National Infrastructure Advisory Council (NIAC). Please contact [email protected] if you feel you have discovered a potential or actual security issue with a Symantec product. A Symantec Product Security team member will contact you regarding your submission.

Symantec has developed a Product Vulnerability Handling Process document outlining the process we follow in addressing suspected vulnerabilities in our products. We support responsible disclosure of all vulnerability information in a timely manner to protect Symantec customers and the security of the Internet as a result of vulnerability. This document is available from the location provided below.

Symantec strongly recommends using encrypted email for reporting vulnerability information to [email protected]. The Symantec Product Security PGP key can be obtained from the location provided below.
Symantec-Product-Vulnerability-Response Symantec Vulnerability Response Policy Symantec Product Vulnerability Management PGP Key Symantec Product Vulnerability Management PGP Key

Copyright (c) 2006 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from [email protected].

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Initial Post on: Tuesday, 01-Aug-06 12:10:00
Last modified on: Tuesday, 01-Aug-06 12:17:30

Related

symantec 1
cve 1
symantec
symantec
Symantec On-Demand Protection Encrypted Data Exposure
2006-08-01 08:00:00
cve
cve
CVE-2006-3457
2006-08-05 00:04:00
JSON
Related for SECURITYVULNS:DOC:13689
symantec1cve1