Last week Symantec published a whitepaper "pcAnywhere Security Recommendations" which recommended increased security measures to all users who are managing pcAnywhere installations. The whitepaper was prompted by the recent disclosure of Symantec source code announced by the hacker group "Lords of Dharmaraja" affiliated with Anonymous, and it points out the increased risk associated with pcAnywhere given that attackers can now search the source code for flaws.
Somewhat surprisingly, the whitepaper's first recommendation is to uninstall the product, of course only if it is not absolutely required. Personally I am a big fan of uninstalling unnecessary software, and it is always sound advice to minimize one's software footprint and related attack surface. If uninstalling pcAnywhere is not a viable option, Symantec recommends a number of additional security configurations, including moving Internet-exposed pcAnywhere installations behind a VPN gateway, blocking the standard pcAnywhere ports 5631 and 5632 on the firewall, and disabling the autostartup of pcAnywhere.
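To check a single host against the port recommendation above, the following added example (not from Symantec's whitepaper or this post's author) parses Windows `netstat -ano` output and reports anything bound to 5631 or 5632 along with how widely it is exposed. It assumes the usual `netstat -ano` column layout; the sample rows, addresses and PIDs are constructed.

```python
import ipaddress
import sys

PCANYWHERE_PORTS = {5631, 5632}  # standard pcAnywhere ports named in the post

# Constructed sample of Windows `netstat -ano` output (addresses and PIDs invented).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING       2316
  TCP    192.168.1.20:5631      192.168.1.77:50211     ESTABLISHED     2316
  TCP    [::]:5631              [::]:0                 LISTENING       2316
  UDP    0.0.0.0:5632           *:*                                    2316
  UDP    127.0.0.1:1900         *:*                                    1500
"""

def find_pcanywhere_listeners(netstat_text):
    """Return (proto, address, port, pid, exposure) for each bound pcAnywhere port."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        proto, local, pid = fields[0], fields[1], fields[-1]
        # TCP rows carry a state column; UDP rows do not. Keep listeners only.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in PCANYWHERE_PORTS:
            continue
        addr = addr.strip("[]").split("%")[0]  # unwrap IPv6, drop zone id
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            exposure = "loopback-only"
        elif ip.is_unspecified:
            exposure = "all-interfaces"  # relies on firewall/VPN for protection
        else:
            exposure = "single-interface"
        findings.append((proto, addr, int(port), int(pid), exposure))
    return findings

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for proto, addr, port, pid, exposure in find_pcanywhere_listeners(text):
        print(f"{proto} {addr}:{port} pid={pid} exposure={exposure}")
```

On a real host, pipe live output into the script, for example `netstat -ano | python check_pcanywhere.py` (the file name is hypothetical).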
Last week Symantec also released patches for the currently supported versions 12.5, 12.0.x and 12.1.x in advisory SYM12-02. The patches address CVE-2011-3478, a remote code execution vulnerability with CVSS base score of 8.3 and CVE-2011-3479, a local file tampering vulnerability with CVSS base score of 6.8.
We recommend installing these patches as quickly as possible if you have pcAnywhere installed.
QualysGuard users can scan for Qualys ID 119873 for pcAnywhere installations that lack the latest patch, or use Qualys ID 38448 to find all pcAnywhere instances in their networks. Alternatively, you can also use Qualys ID 42017 to scan for remote access in general and gain a complete understanding of all remote access applications, which is very helpful in these types of situations.