Symantec has released an advisory (SYM04-014) along with patches dealing with this issue. Customers are advised to visit http://www.symantec.com/techsupp to acquire the appropriate patch. Please see the referenced advisory for more information.
Symantec ON Command CCM Default Hardcoded Database Administrator Credentials
Remote / Network Access
Loss of Integrity
By default, ON Command CCM installs with four default accounts. One of the default administrator accounts is hardcoded and cannot be changed. This allows attackers to trivially access the program or system.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):
- The passwords can be changed for three of the users. The fourth user's credentials are used by the CCM server daemons and are hardcoded in the binaries, so they cannot be changed.
- The Sybase database port can be firewalled locally on the CCM server, denying access to network requests. Local requests, however, cannot be blocked this way.