Symantec On-Demand Protection Encrypted Data Exposure

SUMMARY

Symantec On-Demand Agent (SODA) and Symantec On-Demand Protection (SODP) provide a Virtual Desktop environment to secure Web-based applications and services. Files created while in the virtual desktop are encrypted as they are saved to a hard drive or removable media, if that option is enabled in the policy configuration. Symantec is aware of a method which could potentially be used to defeat the encryption on these files

Risk Impact
Medium

Remote

|

No

—|—

Local

|

Yes

Authentication Required

|

No

Exploit publicly available

|

No

AFFECTED PRODUCTS

Product

|

Version

|

Platform

|

Solution

—|—|—|—

SODA

|

2.5 MR2 and earlier (builds 2156 and lower)

|

Windows

|

Build 2157 and later
https://support.sygate.com

SODA

|

2.6 (builds 2232 and lower)

|

Windows

|

Build 2233 and later
https://fileconnect.symantec.com/licenselogin.jsp

Note:
Versions of Symantec On-Demand earlier than SODA 2.5 or SODP 2.6 are no longer supported. Customers using an earlier version should update to a supported product version to receive this security update and other product enhancements available in current releases.

The Japanese version of Symantec On-Demand Protection is distributed through Macnica Inc. Please contact your Macnica Support representative to obtain this update.

ADDITIONAL PRODUCT INFORMATION

Unaffected Products

Product

|

Version

|

Platform

—|—|—

SODA

|

2.5

|

Linux and Macintosh

SODA

|

2.6

|

Linux and Macintosh

ISSUES

Details
Symantec is aware of a method which can potentially be used to decrypt files which were encrypted by the Symantec On-Demand Virtual Desktop. An attacker who successfully used this method to decrypt files would have access to the data in the files. The level of risk associated with a successful attack is highly dependent on the content of the encrypted files.

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (<http://cve.mitre.org>), which standardizes names for security problems. The CVE initiative has assigned CVE Candidate CVE-2006-3457 to this issue

MITIGATION

Symantec Response
Symantec engineers have verified that this issue exists in the versions of Symantec On-Demand listed in the table above, and have provided updates to address the issue.

The Virtual Desktop module is an optional feature of Symantec On-Demand Protection. Customers who do not use this module are not affected by this issue. However, Symantec recommends that you apply this update to ensure you are protected if you choose to use this feature in the future.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.

As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends any affected customers update their product immediately to protect against these types of threats.