Many pcAnywhere systems still sitting ducks

Symantec warns that its product should not be connected directly to the Internet, yet an estimated 140,000 computers are configured to allow direct external access

Despite warnings from security software maker Symantec not to connect its pcAnywhere remote-access software to the Internet, more than 140,000 computers appear to remain configured to allow direct connections from the Internet, thereby putting them at risk.

Over the weekend, vulnerability management firm Rapid7 scanned for exposed systems running pcAnywhere and found that tens of thousands of installations could likely be attacked through unpatched vulnerabilities in the software because they directly communicate with the Internet. Perhaps of greatest worry is that a small but significant fraction of the systems appear to be dedicated, point-of-sale computers, where pcAnywhere is used for remote management of the device, says HD Moore, Rapid7's chief security officer.

"It is clear that pcAnywhere is still widely used in specific niches, especially point-of-sale," Moore says, adding that by connecting the software directly to the Internet, "organizations are placing themselves at risk of remote compromise or remote password theft."

Lines of attack

The ability to directly access a computer running pcAnywhere from the Internet, paired with a vulnerability of sufficient severity, could allow anyone to compromise a system running the remote-access software. A user can directly connect to a computer from the Internet if there is not a firewall protecting the system, or if the firewall lets traffic destined for certain ports pass through unhindered. The systems found by Rapid7 allowed requests directed to the default pcAnywhere ports -- 5631 and 5632 -- to connect to the host computer.

"Most people worry about whether someone can get into their system directly, and based on [recent vulnerabilities] you don't have to be the most hardcore researcher to ... exploit these systems," Moore says.

Last week, HP TippingPoint's Zero Day Initiative reported one such vulnerability that could be used to take control of any at-risk pcAnywhere installation connected to the Internet.

pcAnywhere's security came under scrutiny this month after Symantec acknowledged that the source code for the product had been stolen in 2006. While the theft of the source code itself did not endanger users, would-be attackers who analyze the code will likely find vulnerabilities. When Symantec took another look at the source code following the theft, for example, the company found vulnerabilities that could allow attackers to eavesdrop on communications, grab the secure keys, and then remotely control the computer -- if the attackers could find a way to intercept communications.

Symantec published patches last week for the issues the company found during its source code analysis as well as the more serious vulnerability reported by the Zero Day Initiative. On Monday, the company also offered a free upgrade to all pcAnywhere customers, stressing that users who update their software and follow its security advice were safe.

Open to mischief

Yet Moore and other security researchers argue that it's unlikely that the most vulnerable users will quickly patch their systems. Allowing direct access from the Internet to pcAnywhere suggests that the owner of the computer may not have the technical experience to know to patch regularly.

"I would guess that the majority of those systems are already [compromised] or will be shortly, because it is so easy to do. And that will make a nice big botnet," says Chris Wysopal, CTO at Veracode, an application security testing company.

Rapid7 scanned more than 81 million Internet addresses over the weekend -- about 2.3 percent of the addressable space. Of those addresses, more than 176,000 had an open port that matched the port addresses used by pcAnywhere. The vast majority of those hosts, however, did not respond to requests: almost 3,300 responded to a probe using the transmission control protocol (TCP), and another 3,700 responded to a similar request using the user datagram protocol (UDP). Combined, 4,547 hosts responded to one of the two probes.

Extrapolating to the entire addressable Internet, the scanned sample set suggests that nearly 200,000 hosts could be contacted by either a TCP or UDP probe, and more than 140,000 hosts could be attacked using TCP. More than 7.6 million systems may be listening on either of the two ports used by pcAnywhere, according to Moore's research.

Rapid7's scanning is a tactic taken from attackers' playbook. Malicious actors frequently scan the Internet to keep track of vulnerable hosts, says Veracode's Wysopal.

"pcAnywhere is known to be a risk and is scanned for constantly, so when a vulnerability comes out, attackers know where to go," he says.

Protection plans

In its advisory last week, Symantec made a similar warning: Attackers could scan for and attack computers running pcAnywhere if they were connected directly to the Internet. Symantec initially recommended that customers disable pcAnywhere until patches arrived, which happened on Monday for the latest version of the software, pcAnywhere 12.5, and Friday for two previous versions.

The company released a white paper with recommendations for securing pcAnywhere installations. Companies need to update to the latest version of the software, pcAnywhere 12.5, and apply the patch. The host computer should not be connected directly to the Internet, but be protected by a firewall set to block the default pcAnywhere ports: 5631 and 5632.

In addition, companies should not use the default pcAnywhere Access server, Symantec stated. Instead, they should use VPNs to connect to the local network and then access the host.

"To limit risk from external sources, customers should disable or remove Access Server and use remote sessions via secure VPN tunnels," the company says.
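One way to check a firewall's own logs for the exposure described above, as an added example that is not code from the article, Rapid7 or Symantec: it flags accepted inbound connections to the default pcAnywhere ports (5631, 5632) from sources outside the RFC 1918 ranges and a hypothetical VPN client pool (10.8.0.0/24), the access path Symantec recommends. The log format and all addresses are constructed.

```python
import ipaddress
import re

# Default pcAnywhere listener ports named in the article (5631/TCP, 5632/UDP).
PCANYWHERE_PORTS = {5631, 5632}
# Hypothetical VPN client pool: sessions from here are the sanctioned path.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
# RFC 1918 and loopback ranges, checked explicitly (not via is_private, which
# would also treat documentation ranges such as 203.0.113.0/24 as private).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample firewall log in a simple key=value style (not a real log).
SAMPLE_LOG = """\
ACCEPT proto=TCP src=203.0.113.7 dst=192.168.1.20 dpt=5631
ACCEPT proto=UDP src=198.51.100.9 dst=192.168.1.20 dpt=5632
ACCEPT proto=TCP src=10.8.0.5 dst=192.168.1.20 dpt=5631
ACCEPT proto=TCP src=203.0.113.7 dst=192.168.1.20 dpt=443
DROP proto=TCP src=192.0.2.44 dst=192.168.1.20 dpt=5631
""".splitlines()

LOG_RE = re.compile(
    r"(?P<action>ACCEPT|DROP)\s+proto=(?P<proto>TCP|UDP)\s+src=(?P<src>[\d.]+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dpt=(?P<dpt>\d+)"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"action": m["action"], "proto": m["proto"], "dst": m["dst"],
            "src": ipaddress.ip_address(m["src"]), "dpt": int(m["dpt"])}

def is_trusted(src, vpn_pool=VPN_POOL):
    """Internal ranges and the VPN pool are the expected origins of sessions."""
    return any(src in net for net in INTERNAL_NETS) or src in vpn_pool

def find_exposures(lines, vpn_pool=VPN_POOL):
    """Return (accepted, dropped) pcAnywhere-port records from untrusted
    sources. Anything in 'accepted' means the host answers on a pcAnywhere
    port straight from the Internet, which is what Symantec advises against."""
    accepted, dropped = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dpt"] not in PCANYWHERE_PORTS:
            continue
        if is_trusted(rec["src"], vpn_pool):
            continue  # VPN or internal traffic is the intended access path
        (accepted if rec["action"] == "ACCEPT" else dropped).append(rec)
    return accepted, dropped
```

On the sample log, the two accepted entries from 203.0.113.7 and 198.51.100.9 are the ones that call for a firewall rule blocking the ports and moving the session behind the VPN.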

In many cases, pcAnywhere users are small-business people who outsource support of their systems. A small percentage of systems that responded to Moore's scans included "POS" as part of the system name, suggesting that point-of-sale systems are a common application of pcAnywhere. About 2.6 percent of the approximately 2,000 pcAnywhere hosts whose names could be obtained had some variant of "POS" in the label.

"The point-of-sale environment is terrible in terms of security," Moore says. "It is surprising that it is a large concentration."

This story, "Many pcAnywhere systems still sitting ducks," was originally published by InfoWorld.

By Robert Lemos