Symantec Veritas SFS Auth Bypass

August 28, 2008

The Symantec Veritas Storage Foundation is a storage management suite. The product is composed of several services and agents. One of the services included in this suite is the Scheduler service, which listens on TCP port 4888 by default. This is an RPC service with its own built-in authentication mechanism.

The authentication mechanism in the Scheduler service utilizes the NT LAN Manager Security Support Provider (NTLM SSP) for security enforcement. The improper utilization of this component allows remote users to establish a NULL session with the service, which effectively bypasses the authentication stage of the login procedure. This allows anonymous user logon to the affected service.

Exploitation of this vulnerability may allow anonymous malicious users to add, modify and delete snapshot schedules as well as potentially run malicious code. SonicWALL has released an IPS signature to detect and block possible attack attempts targeting this vulnerability. The following signature covers this issue:

  • (5204) Symantec Veritas SFW NTLMSSP Authentication Bypass PoC
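
A detection check for the NULL session described above, as an added example (not the SonicWALL signature and not code from the original advisory): it scans a reassembled TCP payload for NTLMSSP AUTHENTICATE messages and flags those with an empty user name and empty responses. It assumes the NTLMSSP token appears unencoded in the port 4888 stream; the field offsets follow the public MS-NLMP layout, and the function names and the sample builder are hypothetical.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
TYPE_AUTHENTICATE = 3          # MessageType of the final client message
FLAG_ANONYMOUS = 0x00000800    # NTLMSSP_NEGOTIATE_ANONYMOUS (MS-NLMP)

def read_field(msg, off):
    """Follow a (Len, MaxLen, BufferOffset) descriptor and return its bytes."""
    length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, off)
    if buf_off + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[buf_off:buf_off + length]

def find_null_sessions(payload):
    """Return payload offsets of AUTHENTICATE messages that request anonymous logon."""
    hits = []
    pos = payload.find(NTLMSSP_SIG)
    while pos != -1:
        msg = payload[pos:]
        try:
            (mtype,) = struct.unpack_from("<I", msg, 8)
            if mtype == TYPE_AUTHENTICATE:
                lm = read_field(msg, 12)     # LmChallengeResponse
                nt = read_field(msg, 20)     # NtChallengeResponse
                user = read_field(msg, 36)   # UserName
                (flags,) = struct.unpack_from("<I", msg, 60)
                # Anonymous: no user, no NT response, LM response empty or one zero byte
                empty = not user and not nt and lm in (b"", b"\x00")
                if empty or flags & FLAG_ANONYMOUS:
                    hits.append(pos)
        except (struct.error, ValueError):
            pass  # truncated or malformed token: nothing to report
        pos = payload.find(NTLMSSP_SIG, pos + 1)
    return hits

def build_sample(user=b"", nt=b"", lm=b"", flags=0):
    """Constructed AUTHENTICATE message for exercising the detector (not captured traffic)."""
    descs, body, off = b"", b"", 64  # 64-byte fixed header, no Version/MIC
    for data in (lm, nt, b"", user, b"", b""):  # Lm, Nt, Domain, User, Workstation, Key
        descs += struct.pack("<HHI", len(data), len(data), off)
        body += data
        off += len(data)
    return NTLMSSP_SIG + struct.pack("<I", 3) + descs + struct.pack("<I", flags) + body
```

The same check can be run over Scheduler service traffic exported from a packet capture, one reassembled stream at a time.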