Many pcAnywhere systems still sitting ducks

Symantec warns that its product should not be connected directly to the Internet, yet an estimated 140,000 computers are configured to allow direct external access

Despite warnings from security software maker Symantec not to connect its pcAnywhere remote-access software to the Internet, more than 140,000 computers appear to remain configured to allow direct connections from the Internet, thereby putting them at risk.

Over the weekend, vulnerability management firm Rapid7 scanned for exposed systems running pcAnywhere and found that tens of thousands of installations could likely be attacked through unpatched vulnerabilities in the software because they directly communicate with the Internet. Perhaps of greatest worry is that a small but significant fraction of the systems appear to be dedicated, point-of-sale computers, where pcAnywhere is used for remote management of the device, says HD Moore, Rapid7's chief security officer.

"It is clear that pcAnywhere is still widely used in specific niches, especially point-of-sale," Moore says, adding that by connecting the software directly to the Internet, "organizations are placing themselves at risk of remote compromise or remote password theft."

Lines of attack
The ability to directly access a computer running pcAnywhere from the Internet, paired with a vulnerability of sufficient severity, could allow anyone to compromise a system running the remote-access software. A user can directly connect to a computer from the Internet if there is not a firewall protecting the system, or if the firewall lets traffic destined for certain ports pass through unhindered. The systems found by Rapid7 allowed requests directed to the default pcAnywhere ports -- 5631 and 5632 -- to connect to the host computer.

"Most people worry about whether someone can get into their system directly, and based on [recent vulnerabilities] you don't have to be the most hardcore researcher to ... exploit these systems," Moore says.

Last week, HP TippingPoint's Zero Day Initiative reported one such vulnerability that could be used to take control of any at-risk pcAnywhere installation connected to the Internet.

pcAnywhere's security came under scrutiny this month after Symantec acknowledged that the source code for the product had been stolen in 2006. While the theft of the source code itself did not endanger users, would-be attackers who analyze the code will likely find vulnerabilities. When Symantec took another look at the source code following the theft, for example, the company found vulnerabilities that could allow attackers to eavesdrop on communications, grab the secure keys, and then remotely control the computer -- if the attackers could find a way to intercept communications.

Symantec published patches last week for the issues the company found during its source code analysis as well as the more serious vulnerability reported by the Zero Day Initiative. On Monday, the company also offered a free upgrade to all pcAnywhere customers, stressing that users who update their software and follow its security advice were safe.

Open to mischief
Yet Moore and other security researchers argue that it's unlikely that the most vulnerable users will quickly patch their systems. Allowing direct access from the Internet to pcAnywhere suggests that the owner of the computer may not have the technical experience to know to patch regularly.

"I would guess that the majority of those systems are already [compromised] or will be shortly, because it is so easy to do. And that will make a nice big botnet," says Chris Wysopal, CTO at Veracode, an application security testing company.

Rapid7 scanned more than 81 million Internet addresses over the weekend -- about 2.3 percent of the addressable space. Of those addresses, more than 176,000 had an open port that matched the port addresses used by pcAnywhere. The vast majority of those hosts, however, did not respond to requests: almost 3,300 responded to a probe using the transmission control protocol (TCP), and another 3,700 responded to similar request using the user datagram protocol (UDP). Combined, 4,547 hosts responded to one of the two probes.

Extrapolating to the entire addressable Internet, the scanned sample set suggests that nearly 200,000 hosts could be contacted by either a TCP or UDP probe, and more than 140,000 hosts could be attacked using TCP. More than 7.6 million systems may be listening on either of the two ports used by pcAnywhere, according to Moore's research.

Rapid7's scanning is a tactic taken from attackers' playbook. Malicious actors frequently scan the Internet to keep track of vulnerable hosts, says Veracode's Wysopal.

"pcAnywhere is known to be a risk and is scanned for constantly, so when a vulnerability comes out, attackers know where to go," he says.

Protection plans
In its advisory last week, Symantec made a similar warning: Attackers could scan for and attack computers running pcAnywhere if they were connected directly to the Internet. Symantec initially recommended that customers disable pcAnywhere until patches arrived, which happened on Monday for the latest version of the software, pcAnywhere 12.5, and Friday for two previous versions.

The company released a white paper with recommendations for securing pcAnywhere installations. Companies need to update to the latest version of the software, pcAnywhere 12.5, and apply the patch. The host computer should not be connected directly to the Internet, but be protected by a firewall set to block the default pcAnywhere ports: 5631 and 5632.

In addition, companies should not use the default pcAnywhere Access server, Symantec stated. Instead, they should use VPNs to connect to the local network and then access the host.

"To limit risk from external sources, customers should disable or remove Access Server and use remote sessions via secure VPN tunnels," the company says.

In many cases, pcAnywhere users are small-business people who outsource support of their systems. A small percentage of systems that responded to Moore's scans included "POS" as part of the system name, suggesting that point-of-sale systems are a common application of pcAnywhere. About 2.6 percent of the approximately 2,000 pcAnywhere hosts whose namse could be obtained had some variant of "POS" in the label.

"The point-of-sale environment is terrible in terms of security," Moore says. "It is surprising that it is a large concentration."

This story, "Many pcAnywhere systems still sitting ducks," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2012 IDG Communications, Inc.