Insufficient access protection in Avira's enterprise solution

Avira's enterprise protection solution contains a vulnerability that potentially allows attackers to cripple the scanners on client PCs. The problem is caused by a lack of authentication in the Internet Update Manager (IUM) clients use to obtain both signature and product updates. Remote server access and configuration is handled via a dedicated, freely available front end. This potentially allows attackers from the local network to remove update packages, disable the planner for package deployment, or extend its update cycle.

In the server's standard configuration, potential attackers can simply start the IUM front end on any computer and connect to the server without any access credentials. Although the IUM offers an authentication option via an SSL client certificate, when heise Security tested this authentication access was granted without credentials even when this option was disabled – because the front end itself carries a valid SSL client certificate which is not protected by another password.

Avira has confirmed the problem and intends to solve it in the next version, which is due for release in the first quarter of 2010. With the new version Avira intend to make it easier to replace the certificates shipped with the product and for the servers (SMC, IUM) to require a password for client authentication. Until the new version becomes available, Avira recommends restricting the access to the IUM service which listens for incoming connections on TCP ports 7050 and 7051 by default. Firewalls should only grant access to localhost (127.0.0.1), the server's LAN IP, and to trusted administrator machines that run the IUM GUI.

See also:

• IUM-Workaround für fehlende Client-Authentifizierung, German language Avira FAQ.

(crve)