Symantec Corp. is investigating a report of a security hole in a version of its corporate anti-virus product that could expose sensitive username and password information, the company acknowledged.
The reported security hole affects Symantec Anti Virus Corporate Edition Version 9 and could allow an attacker or nonprivileged user to obtain sensitive server log-in information. Details of the vulnerability were posted on the Bugtraq mailing list Wednesday.
The vulnerability affects organizations that have deployed an internal LiveUpdate server, which distributes anti-virus definition updates to Symantec software clients on a corporate network.
To obtain updates from an internal LiveUpdate Server, client systems are configured with the name, IP address and other vital information about the server, as well as a username and password to access it and download the definition updates. While that information is encrypted on the machines hard drive, information about each update that includes the username and password used to access the server are stored in unencrypted form in logs maintained by Symantec Corporate Anti-Virus, according to the Bugtraq posting.
Symantec customers can also obtain updates from external LiveUpdate servers operated by Symantec, where the same problem is not believed to exist.
An attacker would need to be able to log on to a Windows system to view the logs. However, they are accessible to all users with access to a system, and could be used by a low-level user to gain access to the LiveUpdate servers or other secure servers on a network, according to the Bugtraq posting.
A Symantec spokesman said the companys Incident Response team has been notified of the issue and is evaluating the issue now.
The company isnt aware of reports of any customer effects related to the issue.