Many pcAnywhere systems still sitting ducks

Symantec warns that its product should not be connected directly to the Internet, yet an estimated 140,000 computers are configured to allow direct external access

By Robert Lemos, InfoWorld | Security

Despite warnings from security software maker Symantec not to connect its pcAnywhere remote-access software to the Internet, more than 140,000 computers appear to remain configured to allow direct connections from the Internet, thereby putting them at risk.

Over the weekend, vulnerability management firm Rapid7 scanned for exposed systems running pcAnywhere and found that tens of thousands of installations could likely be attacked through unpatched vulnerabilities in the software because they directly communicate with the Internet. Perhaps of greatest worry is that a small but significant fraction of the systems appear to be dedicated, point-of-sale computers, where pcAnywhere is used for remote management of the device, says HD Moore, Rapid7's chief security officer.

"It is clear that pcAnywhere is still widely used in specific niches, especially point-of-sale," Moore says, adding that by connecting the software directly to the Internet, "organizations are placing themselves at risk of remote compromise or remote password theft."

Lines of attack

The ability to directly access a computer running pcAnywhere from the Internet, paired with a vulnerability of sufficient severity, could allow anyone to compromise a system running the remote-access software. A user can directly connect to a computer from the Internet if there is not a firewall protecting the system, or if the firewall lets traffic destined for certain ports pass through unhindered. The systems found by Rapid7 allowed requests directed to the default pcAnywhere ports -- 5631 and 5632 -- to connect to the host computer.
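The exposure described above is something an administrator can check for in their own perimeter logs. The following is an added example, not code from the article or from Rapid7's scan: it parses a few constructed firewall log lines (in a simplified, assumed "ACCEPT/DROP proto src:port -> dst:port" format) and reports which hosts accepted connections on the default pcAnywhere ports, TCP 5631 and UDP 5632, from addresses outside an assumed internal address list. The sample source addresses come from documentation ranges and are constructed for the example.

```python
"""Audit firewall logs for pcAnywhere ports reachable from outside the perimeter.

Added example (not from the InfoWorld article or Rapid7's scan). The log format,
the internal address list and the sample lines are all assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# pcAnywhere default ports named in the article: TCP 5631 and UDP 5632.
PCANYWHERE_PORTS = {("tcp", 5631), ("udp", 5632)}

# Assumed management/internal ranges: RFC 1918 plus loopback. Anything else is
# treated as "the Internet". Adjust to the site's real allow-list.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Assumed log format: "<timestamp> ACCEPT|DROP <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for arbitrary Internet addresses.
SAMPLE_LOG = """\
2012-02-28T10:01:02Z ACCEPT tcp 203.0.113.7:51234 -> 192.168.1.20:5631
2012-02-28T10:01:03Z ACCEPT udp 203.0.113.7:51235 -> 192.168.1.20:5632
2012-02-28T10:02:10Z ACCEPT tcp 10.0.0.5:40000 -> 192.168.1.20:5631
2012-02-28T10:03:44Z DROP tcp 198.51.100.9:33333 -> 192.168.1.21:5631
2012-02-28T10:04:00Z ACCEPT tcp 203.0.113.7:51236 -> 192.168.1.20:22
malformed line that the parser should skip
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "action": d["action"],
        "proto": d["proto"],
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
    }


def is_internal(addr):
    """True if the source address falls inside the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def audit_pcanywhere(log_text):
    """Summarise pcAnywhere-port traffic seen at the firewall.

    Returns a dict with:
      exposed  - {destination host: sorted [(proto, external source), ...]}
                 for ACCEPTed connections from outside the internal ranges
      blocked  - count of external attempts the firewall DROPped
      internal - count of pcAnywhere connections from internal sources
      unparsed - count of lines that did not match the log format
    """
    exposed = defaultdict(set)
    blocked = internal = unparsed = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        if (ev["proto"], ev["dport"]) not in PCANYWHERE_PORTS:
            continue  # other services are out of scope for this audit
        if is_internal(ev["src"]):
            internal += 1  # remote management from inside is the expected case
            continue
        if ev["action"] == "DROP":
            blocked += 1  # the firewall did its job
            continue
        exposed[str(ev["dst"])].add((ev["proto"], str(ev["src"])))
    return {
        "exposed": {host: sorted(srcs) for host, srcs in exposed.items()},
        "blocked": blocked,
        "internal": internal,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = audit_pcanywhere(SAMPLE_LOG)
    for host, sources in report["exposed"].items():
        print(f"{host}: pcAnywhere reachable from the Internet via {sources}")
    print(f"blocked={report['blocked']} internal={report['internal']} unparsed={report['unparsed']}")
```

In the sample, host 192.168.1.20 is flagged because both its TCP data port and UDP status port accepted a connection from an external source, while the dropped attempt against 192.168.1.21 shows the intended firewall behaviour. Any host that appears under "exposed" is one the article's advice applies to: it should only accept pcAnywhere traffic from a management network or over a VPN, and it needs the published patches.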

"Most people worry about whether someone can get into their system directly, and based on [recent vulnerabilities] you don't have to be the most hardcore researcher to ... exploit these systems," Moore says.

Last week, HP TippingPoint's Zero Day Initiative reported one such vulnerability that could be used to take control of any at-risk pcAnywhere installation connected to the Internet.

pcAnywhere's security came under scrutiny this month after Symantec acknowledged that the source code for the product had been stolen in 2006. While the theft of the source code itself did not endanger users, would-be attackers who analyze the code will likely find vulnerabilities. When Symantec took another look at the source code following the theft, for example, the company found vulnerabilities that could allow attackers to eavesdrop on communications, grab the secure keys, and then remotely control the computer -- if the attackers could find a way to intercept communications.

Symantec published patches last week for the issues the company found during its source code analysis as well as the more serious vulnerability reported by the Zero Day Initiative. On Monday, the company also offered a free upgrade to all pcAnywhere customers, stressing that users who update their software and follow its security advice were safe.

Open to mischief

Yet Moore and other security researchers argue that it's unlikely that the most vulnerable users will quickly patch their systems. Allowing direct access from the Internet to pcAnywhere suggests that the owner of the computer may not have the technical experience to know to patch regularly.

"I would guess that the majority of those systems are already [compromised] or will be shortly, because it is so easy to do. And that will make a nice big botnet," says Chris Wysopal, CTO at Veracode, an application security testing company.

Rapid7 scanned more than 81 million Internet addresses over the weekend -- about 2.3% of the addressable space. Of those addresses, more than 176,000 had an open port that matched the port numbers used by pcAnywhere. The vast majority of those hosts, however, did not respond to requests: almost 3,300 responded to a probe using the transmission control protocol (TCP), and another 3,700 responded to a similar request using the user datagram protocol (UDP). Combined, 4,547 hosts responded to one of the two probes.

Extrapolating to the entire addressable Internet, the scanned sample set suggests that nearly 200,000 hosts could be contacted by either a TCP or UDP probe, and more than 140,000 hosts could be attacked using TCP. More than 7.6 million systems may be listening on either of the two ports used by pcAnywhere, according to Moore's research.

Rapid7's scanning is a tactic taken from the attackers' playbook. Malicious actors frequently scan the Internet to keep track of vulnerable hosts, says Veracode's Wysopal.

Originally published on InfoWorld.
