Symantec Veritas SFS Auth Bypass (Aug 28, 2008)

The Symantec Veritas Storage Foundation is a storage management suite. The product is composed of several services and agents. One of the services included in this suite is the Scheduler service which listens on TCP port 4888 by default. This is an RPC service with its own built in authentication mechanism.

The authentication mechanism in the Scheduler service utilizes the NT Lan Manager Security Support Provider (NTLM SSP) for security enforcement. The improper utilization of this component allows remote users to establish a NULL session with the service which effectively bypasses the authentication stage of the login procedure. This allows anonymous user logon to the affected service.

Exploitation of this vulnerability may allow anonymous malicious users to add, modify and delete snapshot schedules as well as potentionally run malicious code. SonicWALL has released an IPS signature to detect and block possible attack attempts targeting this vulnerability. The following signature covers this issue:

• (5204) Symantec Veritas SFW NTLMSSP Authentication Bypass PoC

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.