ISS X-Force Database: vsf-vxschedservice-code-execution(44466): Symantec VERITAS Storage Foundation for Windows VxSchedService.exe code execution

Symantec VERITAS Storage Foundation for Windows VxSchedService.exe code execution

vsf-vxschedservice-code-execution (44466)

High Risk

Description:

VERITAS Storage Foundation for Windows could allow a remote attacker to execute arbitrary code on the system, caused by NULL NTLMSSP authentication in the volume manager scheduler service (VxSchedService.exe) running on TCP port 4888. An attacker could exploit this vulnerability via the registry to execute arbitrary code with SYSTEM privileges when a scheduled run occurs.

Platforms Affected:

Symantec, VERITAS Storage Foundation 5.0
Symantec, VERITAS Storage Foundation 5.0 RP1a
Symantec, VERITAS Storage Foundation 5.1

Remedy:

Refer to SYM08-015 for patch, upgrade or suggested workaround information. See References.

Consequences:

Gain Access

References:

SYM08-015 , Veritas Storage Foundation for Windows Volume Manager Scheduler Service for Windows Security Update Circumvention at http://www.symantec.com/avcenter/security/Content/2008.08.14a.html.
ZDI-08-053, Symantec Veritas Storage Foundation Scheduler Service NULL Session Authentication Bypass Vulnerability at http://www.zerodayinitiative.com/advisories/ZDI-08-053/.
BID-30596: Symantec Storage Foundation for Windows Security Update Circumvention Vulnerability
CVE-2008-3703: The management console in the Volume Manager Scheduler Service (aka VxSchedService.exe) in Symantec Veritas Storage Foundation for Windows (SFW) 5.0, 5.0 RP1a, and 5.1 accepts NULL NTLMSSP authentication, which allows remote attackers to execute arbitrary code via requests to the service socket that create snapshots schedules registry values specifying future command execution. NOTE: this issue exists because of an incomplete fix for CVE-2007-2279.
SA31486: Symantec Veritas Storage Foundation NULL NTLMSSP Authentication Security Bypass
SECTRACK ID: 1020699: VERITAS Storage Foundation for Windows Accepts NULL NTLMSSP Authentication
VUPEN/ADV-2008-2395: Symantec Veritas Storage Foundation Security Bypass Vulnerability

Reported:

Aug 14, 2008

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page